Challenging power is becoming increasingly dangerous for civil society groups around the world. How organizations manage their digital security has a profound impact on the risk of reprisals.

Without safety precautions, emails, chat messages, browsing history and movement logs can be used by adversaries to surveil and incriminate.

Zara Rahman and her colleagues at The Engine Room researched what they call the digital security “support ecosystem” in a report for the Ford Foundation this year. They interviewed 35 recipients and providers of security support in several countries, helping identify best digital practices for organizations.

Zara Rahman. Photo by Fotografiona (CC BY-SA 4.0).

Q: How should an organization protect itself against digital security threats?

A: Unfortunately, there’s no easy answer. Digital security threats depend upon context, which differs for every organization.

In our report, we compare digitally securing an organization to securing your office against the threat of a fire. It’s not a perfect metaphor, but we wanted to convey that digital security takes place at the organizational, not individual level.

You need to think first about digital infrastructure, such as your email provider or finance software. Can you “fireproof” it to avoid disaster in the first place?

Second, in the event of a threat, your response will vary. For a big fire, you might call the fire department. For a small fire, you might use a fire extinguisher yourself.

With digital security, sometimes you may need to call a malware expert. Other times you might simply need to research how to make online logins and passwords more secure.

The key is to keep building literacy on an ongoing basis.

Q: How have the trends for digital security training priorities changed over the years?

A: The biggest change we’ve seen is more widespread recognition that digital security depends on local contexts and specific threats.

In the past, digital security training used to be centered around Western priorities and assumptions, with a ‘one-size-fits-all’ approach.

In practice, this resulted in trainers sometimes encouraging people to use email encryption in countries where encryption is illegal, like Pakistan. Or English-only software being recommended to non-English speakers.

The other big change is that many groups have moved away from carrying out one-off trainings. Instead they now aim for longer term interventions for building security awareness and boosting capacity within an organization over time. That’s a good thing.

Q: What would you say to anyone who wanted to create a new digital security guide?

A: First I’d ask: “Who are you making this guide for?” If you’re not part of the target audience, maybe you shouldn’t be the one writing the guide. At the very least, you need to make sure you’re working directly with people who understand the local context.

One of the biggest problems is that existing guides are rarely updated, even though the technology and threats change rapidly. It could be more useful to update an existing guide, particularly if people already go to it for advice.

If you do create a new guide, make sure it’s designed in a way that can be easily updated (not a PDF only one person can edit). And don’t assume that people will automatically trust your advice if you don’t have an existing relationship.

Q: With all the security threats that exist, is digital security a lost cause?

A: No! It’s ultimately about building better habits and practices incrementally, and prioritizing digital security as much as physical security. Digital technologies connect us all, so my own practices affect not just me but my family, friends, my whole community.

We’re all in this together.

Further reading:

Strengthening the Digital Security Support Ecosystem, The Engine Room, 2018
Security Education Companion, Electronic Frontier Foundation (EFF)
Security Planner, Citizen Lab
Net Alert, Open Effect, Citizen Lab