Computer Security for NGOs

Who’s afraid of the big bad wolf?

In an era when government spying, corporate hacking scandals, major security flaws, online stalking and social media shaming are rarely out of the headlines, it can seem like the internet has grown up into a deep dark forest, with wolves lurking behind every tree.

At the same time we’re more dependent than ever on our computers, phones and tablets to manage our work and personal lives. It’s a scary situation: On the one hand it seems almost impossible to protect our privacy and safety online, and on the other, we simply can’t get by without our devices.

I think it’s this tension that makes many people feel that improving their computer security is just too hard.

Luckily, there are small and easy steps that can help keep you and your organisation safe and private online. This article helps you assess risks to your computer security and introduces some practical tools for addressing them. You won’t need any specific technical expertise to understand any of this information. I’ll also touch briefly on the legal framework that applies within Germany.

Why is Understanding Computer Security Important for NGOs?

I believe all individuals and private organisations have a fundamental right to data privacy and security. There is a strong legal framework in the EU and in Germany to protect this right, and understanding and complying with it is important for all organisations. However, there are specific additional reasons why computer security is important to the non-profit sector.

Non-profit organisations often work with vulnerable or highly politicized people who may be of special interest to governments, corporations or criminals. This could include groups such as refugees, activists, or the homeless. Other organisations work with people who need to keep certain facts about their identity secret, such as their sexual orientation or medical history.

Couple this with the fact that we are living in the age of “big data”, and non-profits are hardly immune. Organisations likely collect more data than they did in the past, and that data is more likely to be digital. Data doesn’t just mean names and addresses, or information stored in a spreadsheet. It includes research, surveys, mailing lists, meeting records such as agendas, minutes and attendance lists, audio and video recordings, emails and social media conversations. As we collect more data, in more forms, and in more locations, it becomes increasingly hard to safely manage.

All of this data adds up and can be used to build up an effective profile of an individual or group. If you are working with activists from countries with repressive regimes, this could lead to serious consequences for your collaborators. Even in countries with a high standard of human rights protections, a carelessly revealed personal fact could have social, economic and legal ramifications for many individuals.

We have a responsibility to protect the privacy, safety and dignity of the groups we are seeking to serve, and we therefore have a responsibility to take every precaution with the data entrusted to us. As Jillian York of the Electronic Frontier Foundation puts it, “like getting vaccinated, using privacy-enhancing tools and encryption isn’t just about keeping yourself safe: It’s also about protecting the people and organizations that you communicate with. Think of it as herd immunity from surveillance.”

We also have a responsibility to help those we work with to better protect themselves online and in using their mobile devices, especially when they may not be technologically literate, as with children, the elderly, or people with cognitive disabilities.

Working in the non-profit sector we encounter many people driven by passion and the desire to make the world a better place. Often individuals have hard-won knowledge of the communities, environment, scientific research and legal frameworks that pertain to their field. However, resources are often also scarce, and administrative tasks tend to be shared or undertaken partly by volunteers. This opens up additional risks and potential for security breaches. For this reason it’s important for all workers in the non-profit sector to improve their computer security knowledge and skills, and to help build a strong security culture. It’s simply too important a task to delegate to technical staff alone. All members of an organisation must do their bit. If somebody has access to sensitive data they are a risk. They pose a greater risk if they do not follow good security procedures.

With that in mind, let’s get started!

First Steps: Laying the Foundation with Good Habits

I have a confession to make.

I don’t floss very often. In fact, practically never. I haven’t been to the dentist in about two years either, not even for a checkup. Sorry if that grosses you out. But you know what? I do brush my teeth every day, without fail.

Computer security is a little like oral hygiene. Just because I don’t floss, it doesn’t mean I should just give up brushing my teeth too. In the same sense, just because you don’t encrypt every email and have all your data backed up daily in triplicate, it doesn’t mean you should go around using “admin/admin” as your username and password and tweeting your private email address and mother’s maiden name.

Better security practices should become a regular part of your routine. We all know it takes time to get into new habits. Make small improvements to begin with, and when they are as unthinking as brushing your teeth before bed, look at how you can improve still further.

A few security improvements, performed regularly, are absolutely better than none. Don’t let yourself be daunted by how much there is to learn. No one can protect against all risks; but a few changes might significantly improve your chances of beating common threats.

Spread the Word: Building a Security Conscious Culture

Everything’s more fun with a friend, and security is no exception. Just as a jogging buddy can help you maintain your exercise routine, building a better security culture in your organisation can help keep everyone safer.

Make time to discuss computer security with your team. Work through the threat models outlined below and come up with a strategy to improve your current security practices. This doesn’t need to be a massive corporate-style document – a concrete action plan for the next two weeks is probably more useful. Review the plan and add or remove items as necessary. An example plan might be:

  • Check which apps on staff phones have access to the phone’s calendar, contacts or location
  • Add password protection to all personal devices
  • Purchase an additional hard drive for backups

Spend time as a team exploring new tools and techniques – for example set aside an hour or so on a Friday afternoon for everyone to install a password manager, or an encrypted SMS application. The team that secures together, stays together!

Foster a culture where your team are on the lookout for security risks and feel free to speak up about them. Educate your team with regular group and individual training sessions – there are links to organisations that provide these services for free or at low cost at the bottom of this article.

Diagnosing the Problem: Threat Models

We want to keep our data private, secure, and protected. That is, only appropriate people can access it, it is very difficult to steal or corrupt, and if it is lost through hardware failure, we can replace it from a backup.

Depending on the work that your organisation does, there will be varying risks to this ideal scenario. Identifying the most significant threats that apply to your situation will help you develop a computer security strategy, determine where to allocate resources, and drive your outreach agenda.

This section outlines four key threat models for you to consider.

Government Spying

Government intelligence organisations all around the world collect data from the internet. They may deliberately attempt to gather data on known individuals, but many also collect mass data indiscriminately in the form of metadata. Metadata is sometimes described as “data about data” – for example, the metadata from an email might include the subject line, sender, recipient and date and time it was sent. Government agencies also monitor social media, and regularly request and receive data about specific people from tech companies such as Google and Facebook.

Government spying might be your most significant threat model if you work with undocumented migrants or with activists from countries with poor human rights records. It’s also a concern if you plan direct action campaigns such as banner drops or protests.

Also keep in mind that even democracies considered relatively progressive have shared intercepted communications with private corporations. Government agencies have also broadened their surveillance targets to include people considered “politically dangerous”. You do not necessarily have to be doing anything illegal to have your data intercepted and monitored by government agencies.

Corporate Data Collection

This primarily refers to the mass collection of data by services such as Facebook, Google and Amazon. These companies collect many pieces of data and metadata about you and generally use it to deliver more personalized advertising. It’s not always easy to find out who holds data about you and what information they have. They may also pass your data on to third parties.

Corporate data collection could be problematic for people who would like an aspect of their identity to remain secret, such as medical history or sexual orientation. There have certainly been cases where people have been inadvertently outed to family and friends after joining an LGBTQ support group on Facebook.

An additional and more serious form of surveillance is that which occurs by large corporations against activists that threaten their interests. We’ve personally worked with environmental activists who have been spied on by large oil and gas companies. After a Subject Access Request, Jess Worth (previously from the UK Tar Sands organisation) received a thick dossier filled with redacted names detailing meetings she attended, her social media posts, and even information as innocuous as social events she attended unrelated to activism.

Malicious Attacks

Malicious attacks refer to attempts to hack into your website, email or social media accounts. These may be simply random attacks by “script kiddies” trying to cause havoc, or they could be motivated by criminal intent, for example to steal credit cards. Revenge is also a frightening motivation for many hacking crimes. Malicious attacks are a particular risk on unsecured public networks, such as the WiFi connection at the airports or cafes.

These threats apply to everyone but might be of particular concern to you if you hold sensitive financial information or other data that could represent a financial reward to a would-be hacker.

Physical Security Risks

Physical security risks are an important and often overlooked threat model. A classic example is leaving complex passwords written on sticky notes next to your screen. Anyone who enters your office has instant access.

This might be of particular concern to you if you work in a shared office building or co-working space where it is hard to monitor people’s access rights. In other cases, you might work with individuals whose living situation means they have heightened physical security risks. Another organisation we have worked with, Papatya, works with girls and young women at risk of forced marriage. They teach girls to use the internet anonymously so that they can access help in secret on a shared computer.

Your Rights and Responsibilities: Understanding the Legal Framework

Germany is a world leader in legislation to protect data privacy of individuals. This means that if you operate here you may have additional legal obligations over and above that required in the United States or the United Kingdom. In addition, the EU is in the process of developing a new directive related to data protection; this directive will be enacted into law in EU member states in the next few years.

Germany’s Federal Data Protection Act is known as the Bundesdatenschutzgesetz or BDSG. The law covers a range of data protection-related issues, including the following requirements:

  • Organisations cannot collect any personally identifiable information without express permission from an individual (this includes obvious things like name and date of birth, as well as less obvious things like phone number, address, and computer IP address).
  • The permission that an individual grants must specify how, where, how long, and for what purposes the data may be used.
  • The individual can revoke the permission at any time.
  • Organisations must have policies, procedures, and controls in place to protect all data types and categories that fall under the BDSG umbrella.
  • On request, individuals must be given information on:
    1. recorded data relating to them, including information relating to the source of the data;
    2. the recipients or categories of recipients to which the data is transferred; and
    3. the purpose of recording the data.

It’s important to note that these requirements are fundamentally incompatible with some US legislation, such as the Patriot Act, which allows the US government to request a broad range of data from private companies. Using an American cloud provider to store sensitive data could mean that data ends up in the hands of the NSA or other US government agencies. This topic is covered in more detail below.

It’s a good idea to include a page on your website that outlines your organisation’s data privacy policy, and how and for what purposes you use data that you collect. Link to this page from any forms you use to gather data.

If you use website traffic analysis tools such as Google Analytics or Piwik, you should also have a page on your site that explains to your users how they can opt out of tracking. You can find information about this process for Analytics here and here, and for Piwik here.

Finally, if your website makes use of cookies, you have a legal obligation to inform your website visitors if your site is owned in the EU or primarily targeted at European citizens. Cookies are small bits of information that are stored in your browser to help websites remember who you are between pages and visits – for example, they record if you are logged into a website, or if there are items in your shopping cart. If you use Google Analytics, Google Adwords, or Piwik, or your site allows people to log in or purchase products, then it will certainly make use of cookies. The Cookie Collective has clearly explained resources on this topic and tools to help you achieve legal compliance.

The following links contain further information about German data protection laws (in English).

Safer Practices: User and Password Management

Password Management

Strong passwords are an absolute must. If you use a password that is a regular dictionary word, or a couple of words together, you may as well not have a password at all. Brute force hacking attempts will try to find out your password simply by trying every word in the dictionary in turn, including c0mm0n a7t3rnatives (that’s leetspeak for “common alternatives”).

A strong password is at least 12 characters long, includes letters, numbers and special characters such as ! $ % ( ) and /. These are a nightmare to remember, so a widely used technique is to think of a sentence that you can remember:

“The first house I ever lived in was 613 Fake Street. The rent was $400 per month.”

Then use the first letters of each word to create your password, but include all special characters (except spaces) and all numbers:

TfhIeliw613FS.Trw$400pm.

If you want to use the widely known XKCD method of combining multiple words to make a long, strong password, such as “correcthorsebatterystaple” you should use at least six words, insert at least one non-alphabetical symbol, and use a tool such as Diceware to help you select genuinely random words.

To be honest, remembering passwords is a pain. I can’t recommend enough that you install a password manager such as LastPass, 1Password or KeePass. These services store all of your passwords in an encrypted vault. You only need to remember a single password to gain access to them, and then when you visit a website the password manager will fill in your username and password for you. However, it is a good idea to keep any important passwords, such as banking and sensitive email accounts, separate for extra security.

Remember to have the password manager log itself out when you close the browser or are inactive for a long period of time. Additionally, some password managers let you set up team accounts, so you can easily and safely share passwords for organisational accounts with your team (goodbye lists of passwords in spreadsheets).

If you do need to send a username and password combination via email, consider splitting the communication up over two emails, or over two methods, such as email and Skype, or better yet involve an SMS or spoken phone conversation. If you send the username and the first half of the password via email and the second half of the password via SMS, then someone would have to gain access to both your computer and phone to acquire the entire password. You can also take a screenshot of the password and send it as an image – this makes it a little more difficult to intercept.

Make a time at your organisation when everyone reviews their current passwords, replaces insecure ones, and installs a password manager.

User Access Management

Controlling user access to your data includes controlling who physically has access to your workspace and devices. It also includes defining a set of user roles within your organisation. Different user roles will need access to different kinds of data. Examples of user roles in a homeless support network organisation might include:

  • Case workers
  • Administrative staff
  • Senior administrative staff
  • Marketing and outreach

In this scenario, your case workers will need access to specific information on individuals in contact with the organisation. Marketing and outreach staff definitely don’t, nor do administrative staff, unless perhaps a specific case is under review. Only senior administrators should have access to sensitive financial documents.

Make a time to think about the user roles that apply to your organisation. Try to think about this separately from what the staff currently do – in small or understaffed organisations people will generally juggle many roles. Imagine your organisation had 50 or more staff – what user roles would you need then? In this way you’ll be prepared for growth, and in the meantime you can easily assign your staff to multiple user roles. Document your decisions and review once or twice a year.

Once you’ve decided on the user roles you will use, you can use these to determine who ought to have access to various documents and data sets you have. If you use Google Apps for Work, or other intranet style software, you can set up these user roles and assign your staff to them. When you grant permissions to a document, you can then grant permissions to the user role, rather than to individual users. This means that if someone leaves or changes role, you can just remove their account from the user role, rather than removing their account from every single document they’ve had access too.

It’s important to use individual email accounts for your staff. Don’t have multiple people sharing a single account with a name like “assistant@” or “intern@”. This makes it a nightmare to revoke user access rights when someone leaves – you need to update the password for that account at the very least, inconveniencing everyone else in that role. Remember, many security breaches are the direct result of inside knowledge held by disgruntled former staff. No one wants to part company with team members on bad terms, but security is about planning for the worst. It is also possible that former or current workers inadvertently let a password fall into the hands of untrusted third parties.

Practical Tips: Work Smarter and Safer with Common Tools

Computers

Personal computer security practices are key to developing good organisational security. Make sure you and your team do the following:

  • Keep the operating system and applications regularly updated.
  • Use antivirus and firewall software.
  • Password protect access to your computer – this is especially important if you work in a shared office or co-working space.
  • Check that your email provider uses SSL (that’s the little green lock icon you can see in the browser URL bar when you log in to your webmail).
  • Don’t put USB drives into your computer if you don’t know whose they are or where they came from.
  • Beware of phishing emails and avoid clicking links in emails and keep an eye on the URL.
  • Be careful about what software you install – a quick Google for “software name virus” could save you many tears later.
  • Avoid cracked or pirated software.
  • Use a password manager with different, strong passwords for all your accounts.
  • Be thoughtful about what information you share on social media sites.

Phones

Smartphones represent a significant security risk for a number of reasons. We have a tendency to use them for many tasks, both personal and work related, often mixed in together. At the same time, they are easier to steal, we’re more likely to use them on unsecured public networks, and we tend to be less security conscious when using them than we are with computers. Geraldine de Bastion and Sandra Mamitzsch from the Tactical Technology Collective have put together this excellent checklist for improving your phone’s security:

  • Keep the phone’s operating system updated.
  • Make regular encrypted backups.
  • Use strong passwords with a password manager. In iOS you can enable “complex” passwords which are better than the default 4 digits.
  • Review the access permissions you’ve given different apps – which have access to your calendar or location, for example?
  • Disable ad tracking.
  • Enable SSL for your email accounts.
  • Protect yourself with OpenVPN when using public networks.
  • Don’t use untrusted power plugs.
  • Consider secure texting alternatives that encrypt your messages in transit: Chatsecure, Threema or Textsecure.

WordPress

I’m willing to bet that nearly everyone reading this article works for an organisation that uses WordPress in some form or another. After all, the open source software powers a quarter of all websites on the internet. That’s good news and bad from a security perspective. The bad news first: Security exploits are actively searched for by a large community of hackers, and there are a lot of known and automated hacks that can affect poorly maintained sites. The good news: There’s also a thriving community of developers keeping WordPress updated against security flaws, and also developing additional security features in the form of plugins. If you use WordPress (or any other content management system) to power your website, it’s vitally important that you keep the WordPress core software and all your plugins updated. There are a lot of managed hosting services now that can take care of this for you automatically.

You can also improve on the default protection offered by WordPress with the use of additional plugins. I personally use and recommend UpdraftPlus for backups, Wordfence for antivirus and malware scanning, and iThemes Security to guard against hacking attempts on your login form and database. All of these plugins can be easily installed and set up without much technical expertise – just follow the on screen instructions. You should also set and enforce a policy of strong passwords for your WordPress administrator or content manager users – iThemes Security can help with this.

Gmail, Google Docs, and Google Apps for Work

Google’s suite of productivity tools are a boon for many small organisations. It’s quick and easy to get up and running with a system that offers many of the features previously only available through expensive company intranet software. However, the ease of use means that sometimes you dive right into to using Docs and Gmail before doing some important planning for who should have access to your sensitive documents. Here are some tips to help you stay in control:

  • Be aware who has access to your Google documents and spreadsheets, and especially who has the power to grant access.
  • Revoke access rights on old projects, for departing staff, and for external collaborators once their contribution is finished.
  • If you use Google Apps for Work, as well as having access to Gmail and a company Drive account, you also have the ability to define user roles. You can assign users to different roles, ensuring that your graphic design freelancer doesn’t have access to your financial data, and your bookkeeper can’t find out sensitive information about your clients.

You may or may not choose to use Google’s productivity tools – for some the invasion of privacy in the form of Google scanning your mails to deliver targeted advertising is simply too much to bear; for many the gains in workflow efficiency make Google’s tools a necessary evil.

Cloud Storage

When it comes to cloud storage you need to read the fine print and make sure you’re happy with the terms and conditions being offered.

You may want to consider a European cloud storage provider that keeps your data within the EU rather than sending it to large data farms in North America. Sending data halfway around the world practically guarantees it will be scooped up by government spying agencies. Britain’s GCHQ taps directly into the massive transatlantic connection between the UK and the US. To get an understanding of how this affects you check out this excellent visualisation of who’s snooping on your internet traffic from Berlin-based OpenDataCity.

At the very least you should check that your cloud storage provider is acting in accordance with EU data privacy law by either processing your data within the EU or participating in the EU-US Safe Harbor Framework. Google, Apple and Dropbox have released statements on this issue. Note that Safe Harbor doesn’t necessarily protect your data from US government requests, even if the data is stored on European soil. This means that you could be in breach of your legal obligations to protect the data you gather from individuals, although it’s unlikely you would face legal action on this score.

Beyond that, stick to the general principles outlined above for strong passwords and user permissions: Only give access to people who really need it, don’t allow people to give access to others by default, don’t give email accounts such as sales@ or assistant@ access to your cloud storage, and remove access rights when they are no longer necessary. Encrypting sensitive data before uploading it is also an excellent idea.

Backups

This is one of those annoying jobs that you know you have to do and never quite get around to. Make it more fun with a backup software installation party! Or make Friday backup day! Give out stickers! Do whatever you need to get your team into good backup habits. If you’re a small organisation, your team might all be using their own computers, so it’s more challenging to monitor and enforce a backup policy, but it has to be done.

For optimal security keep at least two copies of your backups. Have one on a password protected external hard drive, ideally in a secure offsite location, so that in the case of theft or fire you won’t lose everything. An ideal set up would involve two hard drives, one in your office and one in a bank deposit box or similar, that you alternate weekly or monthly. Remember hard drives don’t last forever – 20% of hard drives fail in the first four years.

Keep another copy in the cloud. Bear in mind that it can take a while to perform the initial upload of all your data (and if you work with very large files this may not be feasible at all).

It’s also important to remember that a backup is also a massive security risk, so it is a good idea to encrypt backups. This can be as easy as adding a password to a RAR file (WinRAR is more secure from v3.0 onwards), or using the fabulous VeraCrypt tool from French cryptography experts IDRIX, which works on Mac, Windows or Linux. Eric Carrell from Cloudwards also sent us this great list of TrueCrypt alternatives.

Taking it Further: Where to Learn More

Germany has a thriving culture of people and organisations committed to protecting data privacy rights and people’s safety online, and there are many resources to help you learn more. Two organisations doing excellent work are the Electronic Frontier Foundation (EFF) and the Tactical Technology Collective, both of whom run regular training sessions. The EFF’s Surveillance Self-Defense and Tactical Tech’s Security in a Box are practical how-to guides for communicating safely online and improving your digital security.

** Edit: As Jan points out below, the Chaos Computer Club are another great resource. They have been doing excellent work in this area in Germany and Europe for thirty years, and if you want some practical help you could try dropping into one of their many hackerspaces or attending a Cryptoparty to learn the basics of email and SMS encryption. **

When it comes to computer security, I’m far from an expert, so I hope you found the information and advice in this article helpful – I certainly learned a lot from researching it. If you think I’ve got something wrong or you have some useful advice to share, get me on Twitter at @littlewebgiants or leave a comment below.