What every M&E specialist should know about information security
Host: Alexander Bertram
About this webinar
This Webinar was a one-hour session ideal for Monitoring and Evaluation professionals who are interested in learning more about data security. During the webinar, we discuss key data security risks and ways to address them with practical examples.
View the presentation slides of the webinar
Here are a few links to additional resources:
- LastPass Password Manager
- YouTube: How to use a password manager
- How to encrypt your hard drive using Windows
- Have I Been Pwned: check whether you have been part of a data breach
- Phishing quiz to help train your team to recognize social engineering.
- Improve your online business security - Free security training for your team
Some of the key risks we cover are:
- User error
- Insider attacks
- Social engineering
- Password management
- IT operation failure
We cover best practices in three main areas:
- Device security
- Staff training
- Vendor selection
Is this Webinar for me?
- Are you an M&E practitioner interested in the security of the data in your programmes?
- Do you want to better understand data security risks that are not necessarily related to technology?
- Are you responsible for managing users’ access to various tools and software?
- Do you wish to ask questions related to data security and information management?
Then, watch our Webinar!
About the Speaker
Mr. Alexander Bertram, Technical Director of BeDataDriven and founder of ActivityInfo, is a graduate of the American University's School of International Service and started his career in international assistance fifteen years ago working with IOM in Kunduz, Afghanistan and later worked as an Information Management officer with UNICEF in DR Congo. With UNICEF, frustrated with the time required to build data collection systems for each new programme, he worked on the team that developed ActivityInfo, a simplified platform for M&E data collection. In 2010, he left UNICEF to start BeDataDriven and develop ActivityInfo full time. Since then, he has worked with organizations in more than 50 countries to deploy ActivityInfo for monitoring & evaluation.
Transcript
00:00:00
Introduction and defining information security
Today we are going to talk about information security. This is a topic that we spend a lot of time thinking about and talking about with our customers, so I think it is something that is good to repeat and to think about periodically. We are going to first give an introduction to what we mean by information security and look at some of the top risks—it might not be what you think—and then we will turn to best practices and open the floor to questions.
When we think about information security, we usually think about three things: the so-called CIA Triad, which stands for confidentiality, integrity, and availability. These are the three elements of having secure information. Confidentiality means that only the people that are meant to see the data can see the data. This is important if you have sensitive data that could lead to harm for others if the information were to become public.
Availability is also crucial because data doesn't do any good if people can't access it. If you are running a program for beneficiaries and you can't access that data, then you may not be able to help the people that you are intending to help. Finally, the data has to be correct; it must have integrity. If people are changing the data in ways that they are not supposed to, that will threaten the use of your data. You can imagine that is a source of fraud or a source of problems for your beneficiaries.
00:03:00
Why information security is relevant for M&E specialists
Why is this relevant for an M&E specialist? M&E specialists often have to be a jack-of-all-trades, and information security falls under this domain. When you are planning M&E systems, it is important to think about what kind of data you are collecting. Do you need to collect personal or sensitive information? That is your first choice: do you collect this data at all? The M&E specialist has a lot of influence there when planning data collection.
You also need to think about where you are storing this information. It is not just digital information; it might be paper forms left in offices where you need to think about physical security, or mobile data collection tools. The third area is sharing data with internal and external stakeholders. In the role of M&E, you are often called to coordinate information sharing and gap analysis with other actors, and you will need to incorporate thinking about information security risks in those practices. Finally, when you are communicating results, the confidentiality and integrity of the data are very important.
00:05:15
Top risks to information security
In this first part of the presentation, I want to focus on the risks to information security. In our collective imagination, we think of hackers as the biggest threat. While there are certainly malicious actors out there, we need to have a broader idea about the risks. I have made a list of the five biggest risks based on the last 12 years of working in more than 60 countries.
00:06:15
Risk #5: Social engineering
Social engineering is a term used for a broad range of ill-intentioned activities that seek to extract information from you or your team, not through technical skills, but by tricking people into making mistakes or giving away sensitive information. For example, in 2013, Syrian opposition forces and humanitarians were targeted via Skype. Attackers managed to steal humanitarian needs assessments and lists of materials by pretending to be women and feigning romantic interest. They tricked victims into running malicious software on their computers. No technological wizardry was necessary; they primarily played on basic human nature.
Social engineering attacks usually start with an investigation. Attackers look on LinkedIn, Facebook, and your organization's webpage to see who the M&E coordinator or MEAL manager is. They engage with you until they trick you into giving away information. It is closely related to phishing, where attackers impersonate legitimate services. A famous example is the 2016 attack on Hillary Clinton’s campaign chairman, who was tricked into resetting his Gmail password on a fake site.
Spear-phishing is a more sophisticated form where hackers perform extensive research to make emails look like they are coming from a trusted partner or colleague. Whaling is a type of attack where attackers use credentials of high-level positions, such as Country Directors, to leverage authority to gain access to sensitive data or force transactions. To mitigate these attacks, organizations should conduct security training. A good resource is Project Jigsaw's phishing quiz, which helps teams recognize what these attacks look like.
00:14:00
Risk #4: Password management
Passwords are the key to many things we do online. While it is inconvenient to remember passwords for many services, it is important to pick strong ones. For example, a Red Rose product used for beneficiary management in West Africa had a breach because administrators left the default password unchanged. This allowed someone to gain access to thousands of names and family details.
You and your team should not recycle passwords. If there is a breach on one site, attackers can access all your other sites. To reduce this risk, turn on two-factor authentication (2FA) when possible and use a password manager. A password manager is software that helps you choose and store unique passwords for every site you use.
You can check if your email has been part of a breach using the website "Have I Been Pwned." If you have been using the same password for years across different services, and one of them was breached, your accounts are vulnerable. Password managers, like LastPass, 1Password, or those built into Chrome and Firefox, give you one master password to remember and automatically fill in unique passwords for each site.
The last mitigation strategy is to migrate to Single Sign-On (SSO). Instead of having a separate password for every service, you can log in with your primary work account (like Gmail or Office 365). This allows your organization to enforce security measures like 2FA and automatically block access if an employee leaves the organization.
00:22:30
Risk #3: IT operations failures
This risk involves mistakes made by people in programming, configuring systems, and setting up networks. For example, in 2019, 400 gigabytes of data were stolen from UN servers in Geneva. This happened because of a bug in Microsoft SharePoint. Although Microsoft released a patch, the IT team managing the servers did not install the update in time, allowing attackers to exploit the vulnerability. A similar incident happened with the ICRC this year involving a product called ManageEngine.
For M&E staff, this is important because you are often asked to choose systems. You need to consider who is going to manage the software and install updates. It is useful to think about specialization. If managing server updates is just one of 50 tasks for a staff member, it might slip through the cracks. At ActivityInfo, we offer a hosted version where we manage the system. We specialize in the software, but we rely on Google Cloud for data storage because they have specialized teams for that. If you are an NGO, think carefully about who you are trusting to manage this data.
00:31:00
Risk #2: Insider attacks
Insider attacks occur when someone in your organization, a partner, or a vendor abuses their trust. In the NGO world, we like to trust our teams, but emotion and stress can play a big role. In one of our first security incidents, a local NGO staff member who was fired logged into ActivityInfo and deleted all of the NGO's reports out of anger. This undermined the integrity and availability of the data.
To mitigate these risks, you should narrow user permissions. Give people only the access they need to do their jobs. If that person had not had permission to delete records, they wouldn't have been able to do so. Data loss prevention measures, like backups and audit logs, are also crucial. In ActivityInfo, the audit log allows you to review every change and recover deleted records with one click. Finally, never share passwords. If a team shares a password, you cannot revoke access for a single individual without resetting it for everyone.
00:37:00
Risk #1: User error
The number one threat to information security is user error. It happens to everyone. For example, someone at UNICEF accidentally sent a list of learners to over 8,000 users instead of just the manager. More commonly, we see people deleting the wrong fields, forms, or databases by accident.
To mitigate user error, permissions are key. We found that between 40% and 75% of users granted administrative privileges in ActivityInfo were not using them. If someone has never deleted a form, they probably don't need permission to do so. Restricting permissions prevents accidental deletion.
00:40:47
Device security
Device security is critical because if you access a service, that data is often stored on your device. Attackers don't need to break into the database if they can steal a laptop or phone containing the data. There are three minimum principles for device security.
First, have a screen lock on every single device so that if you walk away, no one can access the data. Second, use hard drive encryption. If a device is stolen, a determined attacker can pull the hard drive out and read the data unless it is encrypted. Windows offers BitLocker, and most modern mobile phones come with encryption enabled by default. Third, use antivirus software, especially for Windows laptops, to combat viruses and ransomware.
00:46:28
Risk management and conclusion
Ultimately, this comes down to risk management. NGOs have a lot of experience with risk management in insecure environments, and you should view information security through the same lens. Ask yourself: what are the risks if this information falls into the wrong hands? How much risk are you willing to accept to make data available for decision-making? By implementing practical tips like narrowing permissions, using password managers, and securing devices, you can take concrete steps to improve your information security.
00:48:40
Q&A Session
Is it safe to keep the password in the web browser memory or use a password manager?
All security involves trade-offs. The most secure way is to never share information, but that isn't useful. You have to trust that the password manager company is acting in good faith and has their house in order. On balance, it is better to trust a password manager than to reuse passwords or write them down on sticky notes.
If ActivityInfo does not have a proper backup system, that should be a serious concern.
To clarify regarding the insider attack story: because of the audit log, we were able to revert all the deletions. No data was lost. The audit log helps you detect and recover from such actions.
Has there been a data breach that happened to ActivityInfo?
Thankfully, we have never had a data breach involving unauthorized external actors in our 12 years. We have only seen incidents of insider attacks where people used valid credentials to act against their organization.
Is Windows Defender efficient enough?
Windows Defender provides a good level of protection and is an acceptable baseline. However, as a company, we decided to use a third-party antivirus (Bitdefender) out of an abundance of caution. If you have limited resources, Windows Defender is certainly much better than nothing.
Can the company access audit data via ActivityInfo without my permission?
We do not have access to your passwords because they are hashed. Regarding data, while we manage the servers, we have strict policies limiting access. We only access your account if you contact the Help Desk and grant us permission to look into an issue.