Cybersecurity for think tanks part three: what to do

Now that you know what the main cybersecurity risks and threats for think tanks are (read part two of this series), what can you do to protect your organisation and create safe spaces for sensitive conversations online? To help you with this process we present some of our lessons learned.

First, it’s important to know that just as there is no 100% safe sex, there is also no 100% safe online communication. All digital conferencing tools can in principle be hacked, either via their servers or via your personal device. Some require more sophistication than others.

Nonetheless, there are important steps you can take in the short, medium and long term to significantly improve your cybersecurity and minimise or mitigate the risks.

Short term: determine your individual threat model and prepare

If you haven’t really thought about IT security before, now is as good a time as ever to start thinking about it.

Since threat models are an interplay of risks, threats, and IT infrastructure, you might want to figure out what your ‘crown jewels’ are – that is, the assets that are most valuable to you and whose loss would be devastating.

For example, it could be your employees’ private information, budgeting, sensitive research materials like interviews with dissidents whose lives could be at risk if the information got into the wrong hands, or simply more abstract goods like reputation.

Then you need to prioritise the threats. You cannot defend against every scenario because you likely have limited resources. Focus on those threats that are manageable. Unfortunately, you cannot realistically defend against state-sponsored hackers that are really advanced.

You also need to get to know your internal network topology or IT landscape. What systems do you have, what software do you use, where is sensitive material stored, and who has access to it? What devices can access which part of your internal network? Make sure you know which parts of your systems face the web (i.e. are accessible via the internet). These are the most likely targets for cyber-attacks. This might include your web server, email, and potentially cloud or collaboration platforms.

This is a cumbersome process, but a necessary one. If you start adopting new tools, apps, and techniques before having figured out your threat model, you might choose tools that do not fit your needs.

If you are unsure about your threat model, many national cyber-security centres offer advice for think tanks. In some countries, there are specialised programmes or ‘cyber alliances’. So, reaching out to others is generally a good idea. You can even hire ‘friendly hackers’, called penetration testers, who will test the IT security of your systems and give you advice, for a fee.

Medium term: harvest the low-hanging fruit first

After you have thought about your threat model and understood your network topology, you can start to fix some low-hanging fruit – these are the attack vectors that are often exploited but relatively easy to fix.

  1. Have backups. If you have duplicates of your most important data, loss of integrity and availability can be compensated more easily. Ideally, you have an off-site backup in case a fire burns down your office. If you rely on ISO-certified cloud storage providers, they can guarantee regular backups.
  2. Segregate your networks. Your ‘crown jewels’ should be hosted on a different network from your day-to-day material like research notes or emails. You should erect access control barriers around this segregated network, making sure that only essential personnel can access this area. You also might want to physically segregate your guest Wi-Fi from your internal Wi-Fi network. And while you are at it, make sure there are no easily accessible ethernet or USB ports in your office.
  3. Make sure you update your software regularly. Most hackers exploit known software vulnerabilities. This can be avoided if all your systems have up-to-date software. Make sure you run operating systems that still receive regular security updates. IT security is not just about technology, but also about policy and processes. For example, if you have a policy that employees can bring their own device into your network, then you shift responsibility to them. Now you must make sure that you have a process whereby your employees regularly install updates to fix software bugs that can be exploited by hackers. In turn, if you have a more centralised approach, where your IT team manages updates, responsibility rests with them.
  4. Use two-factor authentication. Bad passwords are a primary vulnerability. With two-factor authentication, for example via your smartphone, you add a second token that is required to log in to your accounts. While hackers can easily steal your password, it is far more complicated to steal that second factor, like a randomly generated number that changes every 60 seconds. Two-factor authentication prevents a lot of phishing schemes and thus is a relatively easy security measure that goes a long way. Most commercial platforms from Google, Microsoft, or Twitter have two-factor authentication that can be activated. If your system is self-hosted, this might be harder to set up.
  5. Set up encrypted communication channels. If you rely on email to get in contact with sources, set up PGP (Pretty Good Privacy), a plugin to encrypt emails. If you use messenger apps on your smartphone, use Signal instead of WhatsApp. Remember that open source tools tend to have better privacy and security profiles because the source code can be inspected by researchers for hidden capabilities.

For more information and best practices check out Tactical Tech or the Electronic Frontier Foundation, who compile useful digital self-defence techniques for journalists and NGOs worldwide. For example, you could install ad blockers and anti-tracking plugins to prevent large Internet companies from tracking you. You also might want to check out the security planner by the Canadian tech security think tank Citizen Lab that helps you to create a threat model.

Long term: invest in IT security and employee awareness

  1. Make IT security a CEO matter. IT security is no quick fix. It is a long-term process that requires constant adaptation. There is a saying: ‘there are only two kinds of organisations: those who got hacked and those who don’t know they got hacked.’ This is of course a matter of money and priorities. If you depend on external funding, ask your funders to increase your IT budget. If you can, hire a chief information security officer, but they do cost!
  2. Develop a plan to protect your IT and react in case of emergencies. You need something like a fire-emergency plan describing what you will do if you get hacked. This should outline your communication chain: who calls whom, even if your communication system is offline or the IT department or system administrator is on vacation. It also includes situational awareness of your attack surfaces, i.e. the networks, devices, and software you use.
  3. Train your users and employees in general IT hygiene, for example spotting phishing emails and using different passwords for different services. This will require constant training.
  4. Other policy-related questions to ask are about where you store data. Do you host all of your services locally or are you completely dependent on third-party cloud apps like Google’s Productivity Suite or Microsoft’s Office 365? If the answer is yes, you outsource security to these providers. This may be a relief for some think tanks, but a no-go for others who have stronger confidentiality requirements. Remember that the cloud is just someone else’s computer, and uploading sensitive internal information to US servers might not be in your interest since it can be accessed with lawful interception orders.

We hope this advice will be useful to your think tank. Remember, this is a marathon, not a sprint. In part four of the series, we explore the bright and dark sides of Zoom and how you can create safer spaces for sensitive conversations online.