This is a cross-posted blog from Internews' USABLE.tools project which is advancing usable organizational security tools, including SAFETAG. Read more about this effort on the Global Technology Blog
RightsCon, the world’s leading event on human rights in the digital age, was held online this year during the month of July 2020. Digital Security Lab Ukraine, Media Diversity Institute Armenia, and Internews led a session entitled “What happens between SAFETAG-based audits and NGOs? Long-term tech support.” This session explored how audit findings and risk reduction plans can be converted into post-audit change; how long-term support and engagement with organizations can significantly boost both accuracy of security modeling and adoption of the best and context-relevant security practices; and the successes and failures they have experienced in practicing long-term organizational security. Lessons and best practices shared during the session can be found below.
The panel was comprised of the following individuals:
- Maksym Lunochkin, Security Auditor and Tech Support Specialist for Digital Security Lab Ukraine
- Anton Koushnir, Security Auditor and Trainer, Digital Security Lab Ukraine
- Vadym Gudyma, Security Auditor and Trainer, Digital Security Lab Ukraine
- Iryna Chulivska, Executive Director, Digital Security Lab Ukraine
- Mykola Kostynyan, Community Engagement Manager, Internews
- Artur Papyan, Director, Media Diversity Institute Armenia
What is SAFETAG?
SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world. SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.
How can your team prepare to provide long-term support?
All trainers and auditors have their own opinions on best practices, but it is critical to maintain humility and work with the organization to make sure that as an auditor, you are meeting them where they are and giving them what will be most useful for them - not what is most comfortable for you.
One way to prepare your team to provide support is to build a high-level checklist to think through prior to engagements. This checklist can include questions to consider prior to an audit, such as:
- How many people will provide support?
- Who will coordinate the team and serve as the main point of contact for the organization?
- How will the team securely communicate with each other?
- Which organizations are we willing to support? Which are we not?
- How much time are we willing to dedicate to support?
- How will we measure the success of our support?
- How and what will we document?
- How can we as a team create interchangeable roles and back each other up?
What approaches should we consider when implementing long-term support?
It is important to emphasize that organizations MUST own their own approach to risk and safety. As an auditor, you cannot push an organization to do one thing or another. You must explain, teach, support, and guide. Help implement as needed. If the organization cannot adopt and implement their own choices, their safety will not improve. If you are conducting an audit or monitoring incidents of digital security attacks, which are common against journalists and human rights defenders, your job is not only to respond to the attack - it is also to make sure the organization understands what has happened and what risks they are facing.
It is also important to avoid fear mongering. Too many digital security experts approach organizations by lecturing them on the risks they are facing and try to scare or pressure them into taking security measures. That is a really bad approach. Those facing risk are the best suited to understand it, navigate it, and mitigate it. You cannot force safety. You need to listen, provide guidance, and work with them to develop a plan and approach that makes sense for them. Threat models vary, and one is not like the other. Digital security is not a one size fits all approach, and one organization’s approach to safety will not be the same as the other. When providing support, your job is to make sure that both you and the organization have the information and support needed to make informed choices.
Can we provide support remotely?
Oftentimes, organizations’ websites are poorly maintained and no one within an organization takes on the role of maintaining security updates and recommendations. Through a project in Eastern Europe, Internews helps support the web development and digital security needs of media outlets and CSOs across the region. A particular dynamic of supporting websites is that, if an organization gives you login credentials, you can provide remote support. This is different from providing infrastructural support to the organization, which may require physical access to servers, machines, etc. However, providing remote support also means that you must establish clear ethical lines - with credentials and remote access, you need to be very clear with the organization on roles and rules throughout the process.
How has Digital Security Lab Ukraine contextualized SAFETAG to the needs of their specific region?
SAFETAG is an incredibly flexible framework and the similar technical infrastructure in many media outlets and CSOs means that some approaches to infrastructure can be streamlined. Additionally, DSLU pays a lot of attention to social media accounts and messaging apps, and often teaches on topics such as phishing because that is where they see a lot of risk being generated. They also focus on secure passwords, two-factor authentication (2fa), and developing best practices for how accounts are used. Additionally, DSLU hosts parties at their office to build community and will often join events where organizations who may need help will gather.
What does long-term support look like in practice?
When talking about long term support - it’s not three months; it’s not six months; it's not even a year. Long-term support requires years of commitment to support in auditing, providing guidance, and helping with necessary fixes. DSLU points out that while this requires an additional level of support and funding, it is important and effective when supporting organizations after an audit.
The panelists shared the following tips for providing long-term support to organizations after they have received a SAFETAG security audit:
- Consistent follow-up is key. Periodically ask how things are going in the organizations you support.
- Build internal processes within your team in order to improve your own capacity to provide support.
- Maintain flexibility. In the long-term, organizations and people in them may change. Be flexible and willing to support them through those changes.
- Make the process of getting, receiving, and finding help as simple and easy as possible for the organization.
- From the beginning of the process, explain your role clearly and let the organization know what support you can offer now and in the long-term.