Digital Security For Humans

From DevSummit

Project: Weathering The Storm

“Security Checklists” on github

Includes:

  1. Readiness checklist
  2. Email safety
  3. Authentication checklist
  4. Public wireless

Weakness of these checklists: they make assumptions about the audience's threat models, context, etc. For our purposes, accept the common threat model across our orgs (described below).

Use case profile: movement-building org operating domestically in the US.

Threat: generalized, non-targeted attacks (phishing, malware on websites).

READINESS CHECKLIST

It's really important that orgs have some basic pieces in place. Here's a list.

  • Baseline IT support is a security necessity, and funders need to know this so that they can provide some support to these orgs.
  • How do orgs get the tech support they need? In-house versus an outside org working with them on an ongoing basis.
    • there are orgs who provide this kind of support. Is there a list of these kinds of orgs? What are the entry requirements for these resources?
      • Palante
      • civicactions
      • matchmaking can be really helpful in this space
      • “tech underground” in the bay area
      • list of trusted service providers
  • Needs regarding basic tech support for orgs in this space:
    • questions to ask tech service providers
    • list of trusted tech service support providers to ask for help
  • Physical security of offices:
    • How do you balance openness with protecting data?
      • One approach is framing security as solidarity – the data we hold represents the people we are working with and for, so the reason we protect our office is solidarity with those people.

Additional advice regarding readiness:

  • Is there trust? Are they ready to communicate about this stuff within the org? (grievances and reporting challenges)
  • Have a champion within the org that can help support the process.
  • Should challenges go to the internal champion or go to the outside expert?

How do orgs enforce these practices/policies?

  • If your team isn't following the practices, that's a sign that the training didn't work. Team members need to commit to each other that they will use these practices.
  • Buy-in is super important and takes time.
  • Do you worry about security? We want to help you feel better about … accessing the internet over wifi, so we want to empower you all to use a VPN.
  • Make it personal – these practices are in line with their values! You want to protect the data and people you're working with/for!

But how do you know if your staff is actually using the tools?

  • You could control their computers, but that's kinda icky.