Beyond SAFETAG: Internews’ Comprehensive Approach to Organizational Security

Author: Henry Wilson-Smith

Since its inception, Internews’ Global Technology team has supported human rights organizations targeted by digital and physical attacks around the world to improve their organizational security. Most notably, Internews developed the SAFETAG framework, a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world.

The framework’s versatility makes it relevant and effective across a full range of possible scenarios, with modules that can be added or cut based on relevance, time, or funding. Key to this is ensuring that those who administer it are familiar with both the framework and with the environment in which the target organization operates. As a result, the Internews team has supported the localization and implementation of many iterations of SAFETAG by partners in diverse contexts over the years, bolstering the impact and relevance of the framework.

Throughout these iterations Internews has developed a particularly effective practice around SAFETAG, recognizing that the audit itself is an event which requires a well-resourced, long-term, community-based engagement. This engagement approach has proven to have a transformative impact on organizational security while remaining sufficiently scalable to reproduce widely. The rest of this article details a specific program which applied the entirety of this approach while working with a community with highly constrained resources and limited technical capacity which nevertheless faces sophisticated adversaries. This ‘Cadillac’ version of organizational security programming led to dramatic improvements in community-wide security practices and fostered a sense of trust and shared responsibility among previously disjointed organizations. The learnings and challenges uncovered during the program are of value to SAFETAG auditors and organizational security practitioners seeking to apply components of this approach in their work with at-risk organizations and communities.

SO, WHAT WAS OUR APPROACH AND WHAT DID WE LEARN?

A Comprehensive Approach to Organizational Security using the SAFETAG Framework

  1. Community Outreach: At the outset of the program the Internews team contracted trusted members of the local community to provide technical and administrative support throughout the process. These individuals visited the offices of local organizations, explaining project goals and how organizations could benefit from participation. Communicating in the local language and showing up in-person allowed the project team to build trust and expand our network of interested organizations more quickly.
  2. SAFETAG Audits: The project team conducted digital security audits based on the SAFETAG framework with all participating organizations. The local technical expert visited each organization to conduct an in-person assessment, while other members of the team provided remote support and assessed the organizations’ websites and external platforms for vulnerabilities. Each organization received a full report following the audit, which detailed the findings. The local technical expert met with the organizations to review the report and respond to any immediate questions or concerns.
  3. Risk Reduction Plans: The technical expert and project team also designed tailored Risk Reduction Plans (RRPs) for each organization based on the results of the audit. These RRPs set out actionable steps for organizations to reduce their vulnerabilities, divided into “LOW/MEDIUM/HIGH” priority bands based on the scale of the risk. Recommendations ranged from purchasing up-to-date, licensed software and hardware for enhanced data security, to the creation of security-focused practices and policies, to website redevelopment and migration to secure hosting servers.
  4. Funding: Internews made funds available to participating organizations wishing to implement the changes recommended in the RRP. A second round of funding was made available for organizations who were most active in implementing security improvements during the first round. The first round of subgrant funds prioritized improving baseline organizational security, while the second round of funds focused on applying enhanced security practices to each organization’s programmatic activities.
  5. Technical Support: Throughout the process, Internews had technical experts on the ground to provide support. This ranged from providing rapid response when incidents occurred, to facilitating organization-wide trainings on specific topics or tools, to liaising with web development teams. This support proved invaluable for our low-capacity partners. Many requested support identifying proper software, hardware, and other resources to implement the security recommendations.
  6. Community Threat Sharing: The project team brought together leaders from participating organizations for annual convenings to share learnings and discuss community strategies to enhance security. Additionally, project staff set up a monthly in-person security meetup and a Signal chat for community members to share threat information and connect more regularly. The project team also used these spaces to share mitigations, useful security resources, and other relevant news.
  7. Threat Analysis: The project team conducted forensic analysis on attack data reported by the organizations. Based on the results of this analysis, the project team designed tailored mitigations which they shared back to the community. In instances when adversaries were using private sector infrastructure, the project team shared data with those platforms to take down the malicious content.
  8. International Conferences: Throughout this process, Internews supported organization leaders to attend international conferences such as the Internet Freedom Festival and RightsCon, also providing translators. This enabled the organizations to build connections with the international human rights and tech community, and to share their programmatic and organizational security expertise in new fora.

Key Learnings

Commit time and resources to trust building

Having on-the-ground team members who are fluent in the local language, part of the local community, and implementing the project on a full-time and long-term basis is invaluable for building buy-in among community members at the outset of the project. This is especially the case in communities which have been targeted by attacks and are therefore hesitant to discuss security with outsiders. Establishing this buy-in – especially at management level – is a prerequisite to any organizational change: without it, security tools and processes will not be adopted regardless of how effective they might prove.

Tailor the approach to local language and capacity

Programming should be adapted for organizations with low technical and administrative capacity and financial, labor, and time constraints. The administration of funds may require the team to produce detailed guides in the local language beyond the typical templates, or offer on-the-ground support from a community manager fluent in the local language and familiar with applying for and managing USG funds. Similarly, since many organizations lack the resources for in-house technical experts, it may be necessary to contract a local technical expert to provide support in implementing mitigations.

Focus on community-wide safety

In working with small and interconnected communities, failure to bring all community members up to a baseline level of security undermines work done by any single organization. For example, if one organization has a compromised website, or contracts malware from a phishing email, this increases the risk for all community members with whom they are interacting. Establishing online and offline spaces for community members to meet regularly on security issues is a valuable way to foster collaboration towards this end. Similarly, orienting trainings towards entire organizations or communities rather than individuals increases adoption rates and creates shared accountability.

Share Threat Information

By intentionally creating online and offline spaces for organizations to share threat information and actively disseminating attack alerts, the project team dramatically increased the ability of the community to identify phishing attacks and take appropriate action. Building muscle memory around information sharing ensures that the community will continue security collaboration in the long run. In addition, the project team leveraged connections with private sector cybersecurity and tech platforms to neutralize attacks reported through these mechanisms, scaling protection for the entire community.

Provide funding

Internews has found that even highly motivated organizations with solid Risk Reduction Plans (RRPs) can stumble during the post-audit phase without additional advisory or financial support to carry them through. Although existing rapid response mechanisms provide excellent support to organizations in a crisis, the support that organizations require post-audit is often distinct. Where possible, provide funding for organizations to implement the recommendations made following the audit.

Don’t be indispensable!

Connecting local organizations to the international human rights and security community – including digital incident helplines, web developers, and technical experts – ensures that the project team is not the only resource for support and expertise. As well as building sustainability after projects close, this prevents the project team from being overwhelmed as the sole provider of support in the program area. These connections can also lead to the development of new and innovative tech solutions that may not have been possible before. Nor is it a one-way process: fostering this collaboration also helps organizations that generally lack the resources to attend international conferences showcase their own work to the broader human rights community and share their security challenges with interested experts who may be able to support them.

Security collaboration has broader benefits

For low-capacity organizations in the human rights space who may be competing for funding or view each other as competitors from a programmatic perspective, establishing common interests around security and building inter-community trust has both direct and indirect benefits. Not only does it facilitate threat information sharing for stronger community-wide security, but it can also encourage programmatic collaboration in areas in which there was none before. In Internews’ experience, establishing physical – in addition to online – spaces for regular, face-to-face meetings is crucial to ensuring organizations see each other as partners with shared goals and interests.

Conclusion

With on-the-ground support, a focus on community-wide security, and a long-term strategy that attends to the specific contexts and needs of targeted communities, Internews’ comprehensive approach to organizational security using the SAFETAG framework has proven effective in high-need and low-capacity contexts. We hope that Internews’ learnings from our experience implementing this approach with our partners will be of value, adding to the important work being carried out by organizational security practitioners, including members of the Orgsec.community, in supporting targeted civil society actors around the world.