Talking about threats and protection (Part 5)

This is the fifth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data and to help us design support that would meet their needs. The following questions from the script deal with assessing the risks we expose our data to and taking appropriate measures to protect it.

Where is the real threat?

It is very common to exaggerate rare risks and downplay common ones. We overestimate risks outside of our control, such as having webcams hacked, while underestimating those within our control, such as forgetting our passwords. Human rights organisations working in repressive contexts with powerful adversaries need to take advanced security measures, but for many organisations, the main risks are in their own policies and practices, and thus within their own control.

What happens if a device breaks or is lost, stolen, or seized?

Is the data on the device protected by a password, encryption, or other means? Do you have a high risk of device seizure or theft? Knowing in advance what steps to take if a device is compromised (such as withdrawing its permissions to access email accounts, changing passwords, or blocking the device) will reduce the harm caused and give intruders less time to try to access your data.

If you are at high risk of device seizure or another attack, please get in touch with our digital security experts at datashift@civicus.org for more tailored advice.

What about back-ups?

Is the data backed up somewhere else? Automatically or manually? Where are the backups stored? Has anyone checked lately that they are working? As a general rule, manual back-ups tend not to function well because of human error and forgetfulness. Backed-up data is often forgotten about until it is needed, so corrupted files or non-functioning back-ups aren’t discovered until it is too late. Setting a reminder to check back-ups at regular intervals is wise.

Whose devices are used?

Are staff and volunteers using their own laptops or mobile phones to collect or work with data? It is increasingly common for personal devices to be used for work purposes, but this means organisations have less control over the security of these devices. Organisations may want to consider a Bring Your Own Device (BYOD) policy – an agreed set of rules regarding how personal devices can be used for work purposes and what support is available for them. 

Just talking about back-ups can be enough to prompt action. One organisation in Syria made daily backups, but stored the backup flash drive in the same place as its only laptop – so if the computer were lost or stolen, both would be lost. By taking the time to reflect on how they used and stored data, the organisation was able to identify this concern and make immediate improvements with minimal effort, simply by storing the laptop and the backup separately. Similarly, being asked about back-ups and data storage made several partners in Africa and Latin America realise that they had none. This meant that they could start to address this issue now, rather than waiting for disaster to strike.

Do you have tech support or an IT person?

Most of our partners did not have any dedicated IT support and were working with varying levels of computer proficiency. Knowing how much technical expertise is available in the organisation will help you to work out what kind of solutions or changes are feasible.

Dealing with apathy

Not all of our partners wanted to talk to us about data. Some were too busy, saw it as a low priority, or were comfortable with taking data-related risks. Any ‘solution’ seen as being imposed from outside is unlikely to work anyway, but a useful tactic for those who are less than enthusiastic about change is to make them aware of the risks in their practices, especially those that could expose third parties to harm, and ask if they are comfortable with those risks.

The next blog in the series will look at the final stage of the data lifecycle: disposal and archiving.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

 

SPEAK! event in Albania uses art and social media to break down prejudice against Roma communities. Photo credit: Build Green Group