People often talk about trust on the Internet. Reports of data theft, corruption of data and distributed denial of service (DDoS) attacks are commonplace. As an organization begins to use the Internet for its activities, it needs to practice safe computing and safe internetworking. Despite the many scary stories of online problems, the systems that people use already contain many of the features and tools needed to make safe internetworking possible. Often these features are not activated by default and need to be turned on.
An NGO or non-profit organization needs not only to protect its own networks and operations but also to safeguard, to a reasonable extent, anyone who accesses them over the Internet.
Safe Internetworking
In deciding on safeguards, each organization will need to evaluate its own risk and decide the extent of the security it wants to implement, ranging from basic virus and malware checking to privacy protection, data encryption, or anonymous operations. Not all not-for-profits need the same level of security. Some of the considerations include:
- Do you know the risks that apply to you?
- Do you know where your data is?
- Do you work with endangered populations?
- Do you know what you have done with your users' and partners' data?
- How are you going to manage all this data?
Handbook from the Responsible Data Forum
This downloadable PDF, written to support international development projects, is based on academic, human rights and advocacy sources. It was written in the Netherlands with the support of Hivos as part of a book sprint in 2014.
Questions you need to consider:
- How transparent should you be about your data management?
- How do you prevent a data breach?
- How do you protect your systems and networks?
- How do you protect your donors’ and users’ data?
- What are your legal data retention requirements?
- What privacy risks and requirements do you and your donors have?
- Jurisdiction dependencies.
- How do you deal with credit cards?
- Transparency around your data handling policies
- Consider whether you should provide anonymity services, for example proxies or Tor, a way to protect privacy and defend against surveillance.
- How will you avoid spam, phishing and online fraud?
Sources of explanations and tools
Answers to the questions above can be found in Security in-a-Box, which offers a full set of tutorials and references to tools for Windows, OS X and Linux as well as for mobile devices like smartphones and tablets. The contents include:
- Protect your device from malware and hackers: Prevent worms, viruses and trojans
- Protect your information from physical threats: Ensure your workplace and devices are secure
- Create and maintain secure passwords: Learn to manage strong passwords
- Protect the sensitive files on your computer: Learn to encrypt data and files
- Recover from information loss: Back up your devices and data
- Destroy sensitive information: Delete data permanently
- Keep your online communication private: Encrypted chat and email
- Remain anonymous and bypass censorship on the Internet: Using Tor and VPNs
- Protect yourself and your data when using social networking sites: Using Facebook, Twitter and Flickr safely
- Use mobile phones as securely as possible: Staying safe when using cellphones
- Use smartphones as securely as possible: Android and iPhone safety
The Association for Progressive Communications (APC) offers a Digital Security First-Aid Toolkit for Human Rights Defenders that covers a set of topics useful for every organization coming online, especially those involved with advocacy and endangered populations:
- Keeping Passwords Safe
- Carrying sensitive data in a secure manner
- Using a computer without leaving a trace
- Chatting in a secure manner
- Accessing a blocked website anonymously
- Send email that only the recipient can read (encryption)
- Send email that can’t be traced
- Securing mobile device communications
- Recovering a hacked or hijacked website
- What to do if email, Facebook or Twitter account is hijacked
- How to protect privacy when using a computer
The Electronic Frontier Foundation provides recipes for Human Rights Defenders for avoiding surveillance:
- An Introduction to Threat Modeling
- Communicating with Others
- Keeping Your Data Safe
- Things to Consider When Crossing the US Border
- Choosing the VPN That’s Right for You
How To Check If Someone Else is Using Your Social Media Accounts
Certificates
To set up a secure website, one that uses HTTPS instead of HTTP in its Uniform Resource Locator (URL; for example, https://toolkit.wiki), it is necessary to obtain a certificate from a recognized authority. This can be challenging, and sometimes expensive. Let’s Encrypt automates the process of turning on and managing HTTPS. It is also free, though donations are requested. When using a service like WordPress.com, the certificates are included as part of the service.
Advanced Topics
- Setting up your own DNS servers