00:00:00 Introduction

Hello everybody and welcome to today's webinar, "Top five risks an M&E specialist should know regarding data security." My name is Faye, and together with Mr. Corben Riedijk and Mr. Alex Bertram, we will be hosting this webinar, broadcasting from The Hague in the Netherlands. We're excited to see such a big interest in this topic; more than 500 people have registered for this webinar from all over the world. Thank you very much for joining us.

Before we start, I would like to share housekeeping rules. Your microphone is muted, and you should all be able to see the shared screen during the webinar. You can send us your questions and comments, and in the end, we will answer as many questions as possible. We will keep in mind all the questions to which we may reply with new articles, guides, or webinars. The webinar is being recorded, and you will receive the recording after the session.

I would like to introduce Mr. Alex Bertram and Mr. Corben Riedijk, who will be joining our discussion today. Alex is the Technical Director of BeDataDriven and founder of ActivityInfo. He started his career in international assistance fifteen years ago working with IOM and later as an Information Management officer with UNICEF in DR Congo. Corben is a graduate intern at BeDataDriven and a Certified Privacy, Security & Risk Professional (CPSRP) with a great interest in privacy and data security.

00:02:49 Defining data security

We are going to go through the top five risks that we have seen play out over the last 10 or 11 years of running ActivityInfo. It is worth starting by defining what data security is. You can think of data security as three different things. The first is confidentiality: the idea that there is some information not meant to be shared, such as personal data or sensitive operational data. Secure data remains confidential and does not get exposed to unauthorized parties.

The second element is integrity. This means the data you store in a computer system is the same when you retrieve it; it hasn't been changed by a system error or a malicious actor. Finally, there is availability. This means the data is there when you need it. If you need to report to a donor or manage an operation, the system is online and the data is accessible. We will be looking at risks to all three of these elements. We have tried to rank them in order from the most consequential and frequent—number one being user error—down to number five, social engineering.

00:04:37 Risk 5: Social engineering

Social engineering involves manipulating people to give up confidential information. In 2013, Syrian opposition forces and humanitarians were successfully targeted via Skype using social engineering attacks, allowing valuable information to be stolen. This included humanitarian needs assessments, lists of materials for refugee camps, and disbursement records. The attackers posed as women to build trust, eventually convincing victims to install malware on their phones.

Social engineering consists of multiple steps. It starts with an investigation where information is gathered on a person or organization. Next, they engage with the victim to build trust, often creating a story. Then, they execute the attack to gain information or financial benefit. Finally, they close the interaction to cover their tracks.

A popular form of this is phishing, where attackers send emails appearing to come from legitimate businesses, requesting verification of information and creating a sense of urgency. While standard phishing relies on spamming large groups, spear-phishing is targeted at a small number of users based on extensive research. When targeted at high-level positions, like country directors, it is called "whaling" or CEO fraud. The best way to prevent these attacks is awareness training, checking sources, and not rushing when presented with urgent requests.

00:11:05 Risk 4: Password management

Passwords are the key to everything we do online. Weak and reused passwords pose a significant risk. For example, a competitor of Red Rose was able to enter a cloud-based server of Catholic Relief Services and access details of over 8,000 families because of a default admin password. This was a clear password management error.

It is crucial to move away from weak and reused passwords. If you reuse a password and another organization suffers a data breach, hackers can use those credentials to access your other accounts. You can use tools like haveibeenpwned.com to check if your credentials have been compromised.

To manage this, use password management tools like 1Password or LastPass. These generate strong passwords, fill them in automatically, and sync across devices, meaning you only have to remember one master password. Furthermore, migrating to Single Sign-On (SSO) can reduce the risk of account takeovers. SSO allows you to enforce organizational security policies, such as two-factor authentication, and ensures that ex-employees lose access to all systems immediately upon their account being revoked.

00:15:09 Risk 3: IT operation failure

The third risk involves IT operation failures. These are risks that program managers or M&E specialists may not have direct control over, as they often result from human error within IT management teams. A notable incident occurred in 2019 when about 400 gigabytes of data were stolen from UN servers. This started with a bug in Microsoft SharePoint. Although Microsoft published a fix in February 2019, the systems hosting the data were not updated for several months. Attackers exploited this unpatched vulnerability to steal data.

This illustrates how a series of human errors can lead to significant breaches. For a non-specialist, it is difficult to assess if an IT team has the right processes in place. One technique for reducing this risk is specialization. This means relying on teams responsible for very specific parts of the technology.

For example, at ActivityInfo, we specialize in the software, but we contract out the physical data center management to Google, who specializes in running secure, reliable data centers. As a program manager, you can evaluate options based on specialization. Solutions with full-time, specialized teams are often safer than a server running in the corner of an office that might not receive the attention it deserves.

00:22:38 Risk 2: Insider attacks

Every organization faces the risk of insider attacks because you must trust employees with access to your systems. In 2005, a fired local staff member used active credentials to delete all reports in ActivityInfo. Fortunately, the data was recovered via backups, but it highlights the threat. Insider threats can come from current or former employees, contractors, or anyone with inside information.

We categorize these into compromised users, careless users, and malicious users. Malicious users are often emotionally motivated, perhaps due to a conflict or a desire to start a competing NGO. Because they have legitimate access, they are hard to spot.

To prevent this, organizations should narrow down user permissions on a need-to-know basis. Only give the minimum access required, especially for exporting or deleting data. Additionally, implement data loss prevention measures: log everything, review logs regularly, and ensure you have backups so you can roll back changes if suspicious activity occurs.

00:26:28 Risk 1: User error

The number one threat to data security is not mysterious hackers, but human error. This is the most common issue we deal with. For instance, a user at UNICEF accidentally shared a report containing the personal data of 8,000 learners with 20,000 people by clicking the wrong box.

To reduce the risk of user error, keep user permissions as narrow as possible. In systems like ActivityInfo, you can disable export permissions or bulk delete capabilities for sensitive data. We found that in many deployments, 40% to 75% of users had administrative privileges they did not need or use.

Avoid granting administrative roles simply based on hierarchy; if a boss only needs to review data, they should not have delete permissions. By limiting the number of people who can make a mistake, you reduce the overall risk. Continuous backups and audit logs are also essential to recover data when mistakes inevitably happen.

00:32:50 Managing risk in M&E

This is not all bad news. As humanitarian and development professionals, we have significant experience with risk management. Just because risks exist does not mean we stop our work; it means we mitigate them. You need to assess what is most important for your specific context—confidentiality, integrity, or availability.

If you are working with vulnerable populations, confidentiality is paramount, so you should narrow permissions and enforce strong authentication. In other contexts, availability might be the priority. Review the mitigation strategies we have discussed—such as training, password management, and permission settings—and decide where to put your resources to protect your program and the people you serve.

00:35:42 Q&A session

How can we detect fraudulent or dangerous emails? There are several pointers, such as misspelled domain names, emails coming from public domains like Gmail for business requests, unusual links, or a created sense of urgency. Always double-check the source. We recommend taking the Google phishing quiz with your team to train them to recognize suspicious documents and emails.

How important is it for an M&E officer to handle security, given there is usually an IT team? While IT teams play a huge role, especially regarding infrastructure, many risks like social engineering, password management, and user error fall on the individuals handling the data daily. Security is a shared responsibility.

What do you advise regarding ransomware attacks? Prevention is the only real cure for ransomware. If you are attacked, we generally advise against paying the ransom, as it marks you as a willing payer. The best defense is having recent, offline backups that allow you to restore your data without dealing with the attackers.

How secure is data on Google Drive? Google Drive benefits from high specialization and resources dedicated to security. However, it is not 100% risk-free due to human error. We strongly recommend enabling two-factor authentication (2FA) for all Google accounts. You must also be vigilant about sharing settings—ensure sensitive documents are not shared with too many people or via public links.

How can we protect data in office networking? There is a shift toward the "Zero Trust" model. Instead of building a wall around the office network and trusting everyone inside, this model assumes no device or user is trusted by default, regardless of whether they are in the office or remote. This provides better defense in depth.

Are public Wi-Fi networks safe? Public Wi-Fi requires vigilance. As long as your connection is encrypted (look for the lock icon and HTTPS), a third party cannot read your data. However, attackers controlling a network can try to trick you into visiting unencrypted versions of sites or monitor which websites you are visiting via DNS lookups. Using a VPN can add a layer of security when using untrusted networks.