Digital Security for Organizations and Activists:
Assess Your Risks and Make a Plan
This information is written to accompany a training of the same name. To determine which category applies to your organization, attend the training.
Ragtag is here to help! If you need assistance doing any of the things listed below, submit a request on Ragtag Helpdesk.
If you calculated a Low Risk:
Use a password manager.
This is a very important, and very effective step. Once it’s set up, it makes life easier! For help choosing a password manager, read the Guide to Choosing a Password Manager.
Use two-factor authentication (2FA) on your accounts.
Use Stethoscope for your Windows or Mac security.
Keep your smartphone’s operating system and apps up-to-date.
Take precautions when using WiFi.
We all need (and love!) to use free WiFi when we’re on the go, but it comes with risks. Find out why, and how to protect yourself, by starting with What’s Wrong with Free Wifi? Click Next to read What Steps Should You Always Take When Using Any WiFi Network?.
Know the signs of phishing, and what you can do if you think you’ve been phished.
If you have an account that is managed by multiple people, delegate it, instead of sharing usernames and passwords among different people.
For instructions for setting this up with your email, see Delegating Email Accounts to Others on ragtaghelpdesk.org.
For instructions for setting this up with social media accounts, see Delegating Social Media Accounts to Others on ragtaghelpdesk.org.
If you have a website, protect people who visit your site by using HTTPS.
Let’s Encrypt is a service that will implement this for you for free! Visit their Getting Started page to set it up.
If you have a website, use a service that keeps your website updated automatically, such as Squarespace or NationBuilder.
If you have a self-hosted website, keep the software updated and install a security plug-in. For WordPress, Wordfence or Sucuri are good options; for Drupal, we recommend Seckit.
Did you do all of the things on this list? Congratulations! Pat yourself on the back, because together, these steps will go a long way in protecting you from random or automated attacks, when the malicious actor is just looking for an easy target.
If you’ve calculated a Moderate Risk, you should also pat yourself on the back! And then, (maybe after taking a break, or having a snack) you should roll up your sleeves, because a moderately elevated risk means you should take a few more steps to protect yourself, and your community.
If you determined that you’re a Moderate Risk in response to any question:
Complete each of the action items under "Low Risk," plus:
Use a cloud service to store documents and data.
Microsoft office 365 and GSuite are whole office suites that are cloud-based and built for teams. An administrative account can create individual email accounts for team members, and control individual accounts’ access to shared drives where documents are stored. You can also collaborate with your team on documents in real time.
Free document storage comes with Gmail as Google Drive, and Outlook as One Drive. Dropbox and Box are cloud document storage options that are independent of email service, and also have a free tier.
Use your cloud service to share your documents. Don’t attach them to emails.
Creating a culture where attachments aren’t sent by email will help protect you and your community against phishing.
There’s no way to take back an attachment once its sent, and no way to prevent it from being forwarded. But access to a document that’s been shared via a cloud service can be revoked by the owner.
Use something other than email for your team’s interactions.
When you reduce your team’s reliance on email for communication, you also reduce their risk of being phished. Slack is a popular new tool for team collaboration. Learn more by reading What is Slack, and Should We Use It?.
Use an encrypted app for your sensitive communications.
It’s as simple as downloading and using a free app, and similar to sending texts. Signal and Wickr are both free for individual users, and Wickr has a fee-based version for teams. Read Apps for Encrypted Communications on ragtaghelpdesk.org for details.
Create a Code of Conduct for your community spaces.
Codes of conduct govern community spaces (those in which membership is optional and voluntary) and protect members from harm in those spaces, by defining community norms and boundaries for member behavior. A Code of Conduct can cover how members are to treat information about each other or communications within the group. For more information and resources, see How to Respond to Code of Conduct Reports by Valerie Aurora and Mary Gardiner.
Audit and limit who has access to what.
Access to data and documents should only be granted to those who need it in order to do their jobs. Scheduling and committing to a periodic review of who has access to what can help you ensure that you’re adhering to this standard.
Remember to revoke access to your network and documents when people leave your organization. Change passwords to any shared accounts.
Set retention limits for your data.
Most email and messaging services will have options for auto-deleting messages after a specified amount of time. This reduces the risk that old conversations can be stolen, in the event that your account is hacked.
Periodically reviewing and discarding old data that you don’t need anymore is an important part of limiting your data.
Back up your data.
The use of ransomware, a type of malware that makes your computer or data unusable until you pay the attacker a ransom, is on the rise. Backing up your data can protect against this type of attack, because you can continue to work uninterrupted, and have the option of not paying the ransom. For recommendations, check Wirecutter’s Best Online Cloud Backup Service.
Online backups are recommended in addition to cloud storage. There are a couple of reasons why: Ransomware that encrypts your desktop could infect your cloud service if you’re continuously syncing your data. Also, if you lose access to your cloud account because you get locked out, or because your account was compromised, the backup can prevent you from losing access to all of your data.
You can choose to back up your data to a local device, instead of an online service, like a USB or external hard drive.
Practice your response to a data breach.
Create a plan for who you will call for legal and technical help, who on your team will make decisions, and how your team will communicate (an encrypted app is a good idea). Create a communications plan, identify who your key stakeholders are that you may need to reach out to and create some standard language you can use in case you need to communicate quickly in response to a breach.
Limit your data collection to lower your risk.
What you don’t have can’t get lost, stolen or subpoenaed. If you don’t need it to achieve your mission, it's safer for your and your community if you don’t have it at all.
If you need certain data, but only temporarily, create a retention protocol that will ensure you delete it once it’s no longer needed.
Consider, when choosing what data you are collecting, the reputation the platforms you’re using have, both in terms of their own digital security practices, and their history of cooperation with law enforcement. For more information about how to evaluate the tools you use, see the Choosing Your Tools guide from the Electronic Frontier Foundation (EFF).
Have you done all of the things on this list? Many of them? One of them? Give yourself a hand! Each step you take will improve the digital security of your organization.
At this level, these steps may take a bit more time to complete, or require a shift in organizational behavior or individual habits, which can be a challenge. Some, like auditing access to data, need to be repeated periodically. It’s a good idea to have someone in your group or organization who is enthusiastic or curious about digital security be the steward of this process.
If you’ve calculated a High Risk, please read on to learn about how you can get more support.
Complete each of the action items under "Low Risk" and "Moderate Risk," plus:
Everyone should use 2FA. The most secure form of 2FA is a security key, which is a physical key that you put into your computer or hold up to your phone. Because you have to have the physical device to log into your account, it is exceedingly difficult for a hacker to take over your accounts when you’re using a security key.
For help setting this up, attend a training.
If you use G Suite or Gmail, enroll in Google’s Advanced Protection Program. This puts additional protections in place for your data, and to prevent account compromise.
Build a relationship with whomever you will call if your security is compromised.
If you trust them, reach out to your service providers to let them know you could be targeted. Ask them to add additional validation steps or security to your account.
If you feel comfortable and safe doing so, reach out to your local law enforcement to inform them that you have reason to believe you could be targeted.
Seek help from a professional digital security service.
The Digital Security Helpline by Access Now provides 24-hour help for civil society organizations around the world, free of charge. They can help you improve your security practices, and respond rapidly to help you if you’re under attack. Their vetting process takes time, so it is best to reach out to them now, and make sure a few contact people in your organization have been introduced to them, so they are able to respond quickly to you, should you need urgent help.
It’s worth repeating: Limit your data to lower your risk.