During the second day of Internews’ virtual Organizational Security Village we continued exploring OrgSec tools and resources, while also beginning to look at diverse approaches to OrgSec adopted by practitioners in the community. Highlights from Day 2 of the OrgSec Village included:
- An interactive session aimed at deconstructing resistance to change in organizations adopting digital security improvements.
- An in-depth introduction on how to use Open Source Intelligence (OSINT) tools and techniques to protect yourself from risk.
- The sharing of lessons learned from conducting SAFETAG trainings of auditors on and offline.
- An exploration of the ecosystem of tools and resources available to OrgSec practitioners.
- An overview of the processes and required resources for launching a non-profit organization that provides digital security support to civil society organizations.
Key takeaways from the discussions included:
By mapping narratives of resistance from organizations adopting digital security and sharing best practices, practitioners will be better prepared to offer creative responses to help motivate organizations to prioritize safety. From working with the organization to identify what is important to them (their resources, their networks, etc.), making clear the risk, and outlining the possible security interventions, it’s essential to empower the organization and tailor your approach. Often there is not one single strategy, but rather a combination of mitigations which will help keep the organization safe as they continue their work.
Be aware of your digital footprint and understand how OSINT may assist you in your own investigations. OSINT investigations are often the first step in a targeted attack campaign against an individual or company. Attackers can use this publicly available, legally accessible information (often gathered from social media) against targets. Once you know your digital footprint, you can understand the risks and threats that this information presents to you and your network. Armed with this information you can develop defensive strategies to mitigate physical or online attacks.
When conducting a training for new SAFETAG auditors, it’s important to make it a gradual process instead of a one-off training. Be sure to allow space for new auditors to roleplay various scenarios, conduct their first audits alongside a more experienced auditor, and receive ongoing mentorship throughout the process. This requires experienced auditors who are embedded in communities and have the time and resources to provide long-term support.
There are MANY tools and resources specifically focused on organizational security. Rather than searching for the universal tool that will be relevant for every situation or organization, consider these resources and tools as part of your “toolkit” or “tool box”. The tool you select will depend entirely on the organization with which you are working and the specific context. In some cases, the tools are meant to complement one another, or can be seen as building blocks as the organization’s security capacity increases.
From lawyers specializing in digital rights to accountants to technologists, each position plays a critical role in creating and maintaining a successful organization offering digital rights and digital security support. When designing your organization, prioritize long-term support for your partners and think beyond individual training sessions. This will allow you to track progress over time, provide more holistic support (such as ongoing incident response and threat analysis), and ensure that beneficiaries are implementing the practices and tools you share with them.
The sessions continue throughout the week focusing on OrgSec in Practice, Advanced Threats, and more. Check back here for the daily recap!