Deep Dive: cybersecurity and encryption
Imagine everything you think and say may one day be known. I don’t remember the modern-day philosopher who wrote what I’m paraphrasing, but I read something along those lines almost 30 years ago. It’s truer than ever before. Everything you write, share, and say is more accessible, or findable, than ever before. On the personal side of things, we all know the stories of lives crushed, careers and relationships ended, stock prices plummeting, etc.
On the organizational side, you work with your clients’ personally identifiable information. You know that it should be kept under lock and key in your office, but what does that mean online?
Too many organizations are not quite sure. It’s time to be sure. You need to understand it at the infrastructure/administrative level, the service level and the client-information level, and you need to know how to ensure that your clients understand it as well.
Here’s some reading to get you literate and aware, from TechSoup Canada:
Protect Yourself: Preparing Your Nonprofit’s Workplace For Cybersecurity
Nonprofits are coming to realize the importance of cybersecurity. But not quickly enough. In 2016, the share of nonprofits with a cybersecurity breach response plan was 31%. By 2017, it had risen to 52%. That is still only just over half of nonprofits. That’s not enough.
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy
This is a two-part webinar series (yeah, it’s big enough and important enough of an issue for 2 webinars!) on cybersecurity and nonprofits. In this webinar, Imran Ahmad of Miller Thomson, LLP provides an overview of how to create your own cybersecurity plan and implement best practices. Ahmad also explains the upcoming mandatory breach notification requirements that apply when a breach occurs.
Investing in privacy and security
“Good companies talk about privacy and security; great ones back their words up with third-party audits. At the most basic level, audits establish trust. Submitting to a privacy and security audit is not something that should be done lightly. It involves countless hours of work and resources, not to mention a significant capital investment to execute. Note that I describe it as an investment, not an expense.”
This reading and viewing will keep you busy, and will give you practical steps to take in your organization.
There’s more. In 2017, Microsoft, in partnership with TechSoup, published Nonprofit Guidelines for Cybersecurity and Privacy: “It describes areas where nonprofits are struggling and solutions in the cloud that every charity can use.” You should definitely download it.
And, here are 5 Ways to Protect Your Nonprofit’s Data: “Odds are your nonprofit has amassed valuable data as a result of regular day-to-day activities like processing online donations; managing virtual staff or volunteers; or capturing details of those who subscribe to your nonprofit’s newsletter.
“This type of data is both an asset and a risk for nonprofits. It seems cyberattacks, ransomware and hackers make the headlines on a regular basis. As nonprofit professionals, we understand the importance of protecting our organizational data and the privacy of those in our community. But what are we doing to prepare, and what is stopping us from a higher level of protection?”
For your workers, here’s a great starting point to all things digital, from the Scottish Social Services Council: 23 Digital capabilities to support practice and learning in social and health services. “Thing 6” focuses on digital security: “Completing this thing will give you the opportunity to consider digital security which is relevant for both your personal and professional life.” Useful.
Workers should also become very familiar with the 2017 NASW, ASWB, CSWE, & CSWA Standards for Technology in Social Work Practice (PDF): “The following standards are divided into four main sections and address social workers’ use of electronic technology to (1) provide information to the public; (2) design and deliver services; (3) gather, manage, store, and access information about clients; and (4) educate and supervise social workers. These standards are designed to guide social workers’ use of technology; enhance social workers’ awareness of their ethical responsibilities when using technology; and inform social workers, employers, and the public about practice standards pertaining to social workers’ use of technology.”
You communicate sensitive information with clients, partners, consultants, and other stakeholders (heck, just the other day I was emailed a form to fill out that included asking me to add my SIN and email it back. No, No, NO…). It’s time to learn about encryption. Here’s a primer: End-to-End Encryption and Confidentiality in Social Work Communication: “‘Encryption’ is a broad term that’s often applied liberally to describe processes or steps to protect electronic communication. I’ve seen the term used to describe the scrambling of data shared between specific users, or the simple use of passwords to log in and out of private email. Usually, if passwords are used in the process of encryption, that action of logging in with a password involves converting the protected information into an unreadable code. This scrambling of data prevents unwitting or nefarious outsiders from interpreting what they’re seeing, should they access the information.”
Back to TechSoup Canada for some useful starting points, and a reality check. Think encryption is some new fad you should learn about? No. This article is from 2011: Working Safely Online (Anytime, Anyplace, Anywhere).
This article, Online Security Measures For Nonprofit Organizations, is also useful, and it leads to another useful site: Be Encrypted’s Ultimate Encryption Guide.
Then, spend some time with Tactical Tech’s Security in-a-box project. “Security In-a-box is a guide to digital security for activists and human rights defenders. The toolkit ranges from the basic principles of digital security, including advice on how to use social media and mobile phones more safely, to more specific regional advice for activists working in higher risk environments.” You don’t work in a high-risk region, you say? Sure, OK, maybe. But you work with highly private information on vulnerable clients, some of whom do come from higher risk environments (or are in one today, via domestic violence, etc.) and continue to have risks associated with their source countries. Isn’t it better to be more secure than less? Yes, yes it is.
There’s so, so much more you could read and start doing. I think these are some useful starting points. Let me know if you find them useful in your work.
Existential technology thinking: privacy writing
OK, it’s not really existential, but where the info above is the practical side of cybersecurity, you should also listen to and read what experts have to say on the topic, in-depth, in conversation, and in warning.
I offer three sources who are prolific on the topic.
The first is Canadian Michael Geist – a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law and is a member of the Centre for Law, Technology and Society. Here’s his column archive; you can also find a podcast and more writing on this site. One title that should jump out at you, given our current use of social media and other digital tools from other countries and companies: “Does Canadian Privacy Law Matter if it Can’t be Enforced?”
Second is U of T’s Citizen Lab. “The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security.” A mouthful. But, some recent research reports and what they found are essential reading:
Bots at the Gate: A Human Rights Analysis of Automated Decision Making in Canada’s Immigration and Refugee System
The report finds that use of automated decision-making technologies to augment or replace human judgment threatens to violate domestic and international human rights law, with alarming implications for the fundamental human rights of those subjected to these technologies.
An Analysis of WeChat’s Realtime Image Filtering in Chats.
In this work, we study how Tencent implements image filtering on WeChat. We found that Tencent implements realtime, automatic censorship of chat images on WeChat based on what text is in an image and based on an image’s visual similarity to those on a blacklist. Tencent facilitates this realtime filtering by maintaining a hash index of MD5 hashes of sensitive image files.
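To make the “hash index of MD5 hashes” finding concrete, here is a small added example of my own. It is not Citizen Lab’s code and it is not a description of how WeChat is actually built; it only shows what an exact-match hash index does and does not catch. The “images” are constructed byte strings so it runs offline, and the modified copy simulates a re-saved file by appending one byte of trailing data.

```python
import hashlib

# Constructed stand-ins for blacklisted image files (not real images).
BLACKLISTED_IMAGES = [
    b"\x89PNG\r\n\x1a\n" + b"sample-sensitive-image-1",
    b"\xff\xd8\xff\xe0" + b"sample-sensitive-image-2",
]


def md5_hex(data: bytes) -> str:
    """MD5 of the raw file bytes, used purely as an exact-match lookup key.
    MD5 is not a security boundary here; any fast hash would do the same job."""
    return hashlib.md5(data).hexdigest()


def build_hash_index(images):
    """Build the index: a set of MD5 digests, so membership is one set lookup."""
    return {md5_hex(img) for img in images}


def is_blocked(index, candidate: bytes) -> bool:
    """Exact-match filter: blocked only if the bytes are identical to a
    blacklisted file. Any change to the file, however small, changes the digest."""
    return md5_hex(candidate) in index


def demo():
    index = build_hash_index(BLACKLISTED_IMAGES)
    original = BLACKLISTED_IMAGES[0]
    # A re-encoded or re-saved copy differs in bytes even if it looks the same.
    # Simulated here by appending a single trailing byte.
    modified = original + b"\x00"
    return {
        "original_blocked": is_blocked(index, original),    # True
        "modified_blocked": is_blocked(index, modified),    # False
        "unrelated_blocked": is_blocked(index, b"harmless-photo"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The point for a non-technical reader: an index of file hashes is cheap and catches byte-for-byte copies instantly, but a one-byte change defeats it. That is exactly the gap that the second mechanism in the quote, matching on visual similarity, is there to cover.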
The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry
This report was collaboratively written by researchers from computer science, political science, criminology, law, and journalism studies. As befits their expertise, the report is divided into several parts, with each focusing on specific aspects of the consumer spyware ecosystem, which includes: technical elements associated with stalkerware applications, stalkerware companies’ marketing activities and public policies, and these companies’ compliance with Canadian federal commercial privacy legislation.
And, finally, expert public-interest technologist Bruce Schneier’s Crypto-Gram is very much worth your time, and important to read. You should also subscribe. It’s “A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.” Just look at this month’s newsletter, with sections like Identity Theft on the Job Market, Brazilian Cell Phone Hack, More on Backdooring (or Not) WhatsApp, Zoom Vulnerability, and more.
Learn, Learn, Learn
Digital Security and Human Rights – Claim your rights and protect yourself online. Hey, this starts today, great timing!
“Malware. Phishing. Data retention. Mass surveillance. We know there are real risks in the digital world, but we don’t always know what to do about them. How do these threats work? How important is digital security? Where do we even start? This course is a starting place for learning more about digital threats and how to strengthen your security online. You don’t need to have any technical expertise—the course will guide you through some of the important terms and concepts you should know.”