Digital security for organizations

From DevSummit

How does an org navigate digital security? The anatomy and roles of that process

Why does an org start?

- fear

- motivation

- justice

Remember the CIA:

- Confidentiality - keep the private stuff private

- Integrity - has it been changed? hacked? corrupted?

- Availability - keep it available to people who need it when they need it - stop the DDoSing

1. Grounding - Before starting, you must build the motivation to pursue digital security.

- takes the longest period of time

- convincing leaders to prioritize security is the hardest and most important thing

- led by facilitators; the role needs no special training

harm reduction - many groups, especially marginalized groups, are already sensitive to this

 - not about eliminating threats, rather, about minimizing risk
 - best practices
 - reduce risk without compromising values or overcommitting

- holistic security

 - digital security, border crossings, secure communication, protected archives, protection from physical threats
 - cataloguing all threats to a population and thinking about ways to reduce them
 - Holistic Security Manual
 - digital, physical, mental / emotional wellness

- everyone in the community and org is involved

 - when you lack full buy-in,
   - if at leadership level, you are stumped
   - if below leadership level, work with leaders to bring everyone in 
   - work with everyone to build awareness and buy-in around why security is important

- facilitators can start and hold process

- what does safety and security mean to you?

- data is at risk, not only from bad actors, but from natural disasters

- frame it as collaborative, rather than brought in by external experts

2a. digital assessment - can happen concurrently with 2b

- how do you use tech?

 - email
 - dropbox
 - slack
 - where is your data kept?
 - who has access?

- includes data privacy, but is not limited to

 - security is about defending against external attack
 - privacy is a function of internal workflow

2b. risk assessment

- also called threat modelling

- surveillance

- doxxing

- how likely is it that a bad actor will try?

- how likely is it that a bad actor will succeed?

- if a bad actor succeeds, what will the consequences be?

3. analysis and recommendations

- hardening - tighten all the security screws

- anti-doxxing training

- remediation plans

4. implementation and training

- digital security trainings at this step

5. and repeat

- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.

- build towards sustainability

- think of it as data hygiene

- sometimes security changes, and you have to re-train

- build security and privacy into the culture, so it doesn’t feel like a strain

- gamify

- levelup.cc

Practices:

- readiness assessment tool

 - consistent tech support
 - build comfort around tech
 - build a culture of training and learning

- email safety checklist

 - encryption
 - ethical providers

- wireless safety checklist

- password and authentication best practices checklist

- endpoint security checklist - devices

- GSuite checklist

- keep your software and websites up to date

- little documentation reminders

- encourage orgs to allot more general operating funds

- most breaches are human, not technical

 - like password conventions
 - or someone calling up, claiming to be a temp, and asking for a password reminder
 - or leaving your passwords written on post-its

- Twilio or Google Voice to protect private phone numbers

- just don’t use private phones! you want to own and control every device in your ecosystem, so you can wipe data from devices if they get lost or stolen