Thursday March 16, 2023

Device security in the field

  • Host
    Alexander Bertram
  • Panelist
    Alun Smale-Saunders
  • Panelist
    Adrian Harrington
About this webinar

Welcome to another webinar session hosted by the ActivityInfo team! This time we focus on key considerations for device security in the field, and we are happy to welcome two experienced security professionals from Arculus Cyber-Security, Alun Smale-Saunders and Adrian Harrington. This session is addressed to all M&E, information management and field officers who wish to expand their knowledge of information security and, more specifically, of device security.

The tentative agenda for this session is:

  • Pre-Deployment Considerations
  • Risk Assessment / Risk Appetite
  • Equipment Security in the Field
  • Operating Systems
  • Device Hardening Considerations
  • Hacking, Malware and Phishing considerations

Is this Webinar for me?

  • Are you responsible for the security of data collected in your organization?
  • Do you work in the field or with teams in the field who use mobile devices and wish to understand key aspects of device security?
  • Is device security important for you and your organization?

Then, watch our webinar!

About the Trainers

Mr. Alun Smale-Saunders is an experienced security consultant currently working within the cyber security field, mostly dealing with compliance audits, notably ISO27001. Alun has a background in the military and has worked within the communications, intelligence, counter-intelligence, and information, personnel and physical security fields. He has conducted security planning and reviews within Iraq, Afghanistan, Europe and Africa. He has also worked with the United Nations within the Balkans.

Mr. Adrian Harrington is an experienced cyber security professional with a background in Explosive Ordnance Disposal and Advanced Search operations in the UK and around the world. He specialises in Red Teaming, Penetration Testing, Threat Intelligence, SOC/SIEM solutions and Security Architecture.

Arculus Cyber-Security consists of a dedicated team of highly experienced cyber security professionals with leading industry credentials and certifications, who work relentlessly to achieve successful security outcomes for their clients. Learn more about the company.

Transcript

00:00:01 Introduction

Thanks so much, Faith. I'm really excited to be here with Alun and Adrian from Arculus. We work closely with Arculus on our own ISO certification. They really provided us with a lot of help and guidance in thinking about the way we organize, and I'm happy to share that with you guys today. Before we get started with their presentation, I just want to make an introduction to talk about why device security is so important. ActivityInfo is a tool that provides you with a lot of features to help with security, especially in difficult-to-reach places. You can download the database on your phone for casework; it's really fabulous. You can, without an internet connection, have access to all of the information on your own device, but that, of course, means that information is on the device and vulnerable.

We offer tools that allow you to define very granular permissions so that only the right people have access to the data at the time they need it. But in the end, that data is living on a device. I have an overview here of how we think about the risks to information. When I say information, I mean your information: the caseworker files that you're collecting with ActivityInfo, reports on GBV, or even that information about your own activities. It starts with our team; we're responsible for secure application development, deployment, and keeping our own team secure. We rely on the Google Cloud Platform for the actual hosting of servers, and they use world-class procedures for their security.

But the third element of vulnerability is really on your side when you're using ActivityInfo in the field. You have to be careful about who you offer access to that data, the network that you're using, your own email services, and, of course, the subject of today's webinar: the devices that you're using. As Alun and Adrian will share, all of these great permissions and tools that we give you won't do any good if you leave your device unlocked on a bus somewhere. So that's why I think it's so important to talk about the subject today.

00:02:50 Understanding the landscape

Thanks, Alex. Arculus Cyber-Security is where we work now and have been working for some time. We essentially look to fulfill your security needs, especially in the realm of cyber, information security, compliance, and testing. What we're covering today is device security in the field. For the most part, we'll make some assumptions. We are assuming that there's an element of people here that will be going to higher-risk areas, both to themselves and to their data; that you may be working with people who are more vulnerable, potentially from state actors or militias, and that you want to protect their information and ensure it doesn't fall into the wrong hands.

Before we even think about going and deploying, one thing that we all should be doing is looking at the area that we will be deploying to. I appreciate that many of the people here may be experienced professionals and operators within high-risk locations. However, there may be some people in the audience with little to no experience, or maybe they haven't considered building an intelligence or information picture and going through what I call the 'understand' phase. There's a saying that we used to use quite often: 'Time spent on reconnaissance is seldom wasted.' The more time you can commit to building a picture of where you're going and understanding what's going on in any region, the better.

You need to understand the people—be they friendly, neutral, hostile, or host nation—and the situation, both in the past, the present, and what you may predict may happen in the future. Ensure you're best placed to protect yourself and your information assets. There's no being too detailed. There are various sites that will help you do this, such as the British Foreign and Commonwealth Office, which gives its own understanding of what's going on in the areas to potentially avoid due to crime or the political situation. Social media is also quite good, though if you're going to ask people about what's going on in an area, be vague if what you're doing is relatively sensitive. Consider the threats from crime, irregular forces, militias, host nation governments, and third parties who may just be interested in what you're doing.

00:07:31 Risk assessment

Once you've done all that and you understand what's going on, you need to understand what your level of risk is. I'm sure many people here will have carried out risk assessments, but for those who haven't, I want to demonstrate a basic risk tool. You can work up scenarios and decide what level of risk you want to accept. With a basic risk table, we have the severity, the likelihood, and then we measure that to see what the impact may be. Then you decide what your appetite is to either ignore it or to stop.

For example, let's say you want to go into a country where there is conflict, but the area you're going to hasn't seen any fighting. Because there's been no fighting, it is improbable that there will be in the future. However, if there were, it would be catastrophic. That might still result in a low impact score, meaning it's an acceptable level of risk. But let's change this. Consider that there are security agencies working within the area that are interested in what you're doing and have been known to interrogate mobile devices and laptops. If there's a probable chance of that happening, and the severity on your potential clients could be catastrophic, that has a high impact score, which might mean you don't have any appetite to do that. We're going to look at ways and controls to reduce that severity and likelihood.

00:09:36 Policies and processes

We'll start with processes and policies. If you have data that you're handling, you really should consider having a classification policy. Usually, you would have three levels of classification: public, internal, and confidential. Public stuff is what you're happy to be released, like advertising your good work. Internal stuff is handled internally within your organization. Confidential data may be financial details or sensitive aspects of your work with at-risk people. This kind of data needs to be handled in the most sensitive ways, limiting access based on the principles of least privilege and 'need to know'.

I also want to mention protecting data at borders and checkpoints. If you're going to a place where you are unsure of how the local security services may react to you and your data, it may be a consideration to go in 'clean'—with no data on your person at all. This includes both work data and personal data. You might consider cloud solutions, where you go into an area with a clean device or buy a device locally, and then download the data from the cloud or work on the data in the cloud. The only consideration is that if you're going to a place with low internet connectivity, this won't work. This comes as part of your understanding phase and having a backup plan.

00:12:38 Device hardening

Now we'll cover device hardening. First of all, make sure that all security patches on your devices are as up-to-date as possible. It's also about ensuring that the operating system you are using is supported. For example, an iPhone 5S using iOS 11 is not supported anymore and would be compromised. You can check your system version and search online for the 'end of life' date. If your OS is out of date, your device and data are at risk.

We highly recommend turning off Bluetooth and Near Field Communications (NFC) if you're going to a high-risk area. People can connect to your devices and remove data quite quickly. Using anti-malware and antivirus is key, and these must be kept up-to-date. We also advise disabling automatic connections so you don't connect to random Wi-Fi hotspots. People can spoof Wi-Fi networks to mimic places like Starbucks, and your device might automatically connect to them.

We recommend using a mobile device management (MDM) solution if you're an organization. This allows you to monitor devices and, most importantly, remotely delete data if a device is stolen or an employee goes rogue. We also strongly recommend the use of PINs, passwords, or biometrics to lock your devices. However, if you're going to a high-risk area, consider using a PIN instead of biometrics, as you could be forced to provide a fingerprint or face scan under duress.

Use software firewalls on devices to close down ports that allow potential attackers in. Avoid jailbroken devices because they generally allow downloading anything from anywhere and often don't allow the machine to receive updates. If you must use software that hasn't been approved or doesn't receive updates, consider using virtual machines to create a detached area within your laptop. Finally, encryption is a really important aspect. Most OSs have a level of encryption, but you can use tools like BitLocker and VeraCrypt to enhance encryption for data at rest.

00:18:14 Passwords and authentication

It's really important that you have a unique username and a unique password for all your devices and accounts. Avoid easily guessed passwords like 'password' or '123456'. Consider a password of a minimum of 12 characters. We recommend setting up a password policy shared with your entire organization. Complexity can include uppercase, lowercase, alphanumeric, and special characters. Instead of randomly generated strings, we recommend using three words or a phrase that you will remember, which stops people from writing it down.

There is advice from the UK's National Cyber Security Centre, which provides a list of 100,000 known bad passwords you can upload to your Active Directory to stop people from using them. We also highly recommend using two-factor authentication (2FA) or multi-factor authentication (MFA), especially for cloud services. This reduces the chance of phishing and hacking. However, consider your connectivity; if you receive challenges via text or email, ensure you will have a GSM or internet connection in the field.

00:20:52 Secure communications

You should secure emails. Most major providers provide a level of protection, but companies like Google may scan emails for marketing purposes. There are more secure email services out there, such as Egress, Secure My Email, and Proton Mail. These often store data in secure locations like Europe with strict privacy laws and offer end-to-end encryption.

Also, use temporary SIM cards and temporary devices, otherwise known as burner devices. If you're traveling to different countries, your organization may want to provide you with an in-country SIM card or a fresh mobile device. Organizations can track movement across borders based on mobile networks. If you are doing something sensitive, consider buying devices and SIM cards in-country. Be mindful that if you buy a batch of devices and SIM cards at once, the serial numbers usually run sequentially. If all those devices pop up on the network at once, that can flag up on a monitored network.

00:23:54 Incident response

Things will go wrong, from an employee sending an email to the wrong person to a phishing attack. You need to plan for things to go wrong and have an incident manager—someone controlling the response who understands the process. You need contingency plans in place so you know exactly what to do if something goes badly wrong. Practice these policies and procedures, review the outcomes, and improve. This is called Red Teaming—testing your plan to destruction to prove it wrong so you can improve it.

00:25:25 Working in insecure locations

When you are on the ground, consider the security of your location. If you are in a hotel, restaurant, or cafe, be aware that the access points they use may be vulnerable. Use a VPN. Be mindful of hotel business lounges; just because they say they are secure doesn't mean they are. Be aware of what you're transmitting and avoid doing so from insecure networks if possible.

Do not leave devices lying around in hotel rooms or cafes. If you have a device with sensitive data, it should be monitored at all times or carried with you. Consider guarding against "overwatch" or shoulder surfing; people can take pictures of your screen without you knowing. Sit with a wall behind you.

I also want to mention sanitization regarding yourself. If I were going somewhere that was a higher risk area, I wouldn't take anything that would identify me other than my passport. I wouldn't wear my wedding ring or take letters from loved ones. If you were detained, people might use personal information to manipulate you. The less they have, the less they can do.

00:28:37 Phishing and social engineering

Phishing is an issue to consider as you build up to go somewhere. The obvious pathway is emails. Phishing usually involves a blast email to thousands of people hoping to get lucky. Spear phishing is when they know something about you, which is why we talk about sanitization and reducing what you put on social media. Vishing is phishing using a phone, and smishing uses text. The key thing with all these is that they will usually tell you something is wrong and that you need to take action immediately.

Whaling is a method where someone pretends to be a senior member of your organization to put pressure on others, like a financial director, to transfer money or data. To counter this, verify identities prior to giving out any information. Any manager worth their salt should not be upset if you take the time to verify a request, especially if it is unusual or rushed.

Be careful what you share online. Reducing your online footprint makes it harder for someone to target you. Also, consider reducing awareness of what you're doing. If you're doing sensitive work, maybe don't talk about it or your travel plans. Don't set patterns as a business or as an individual—vary your routes, your Wi-Fi usage, and call times. Finally, test your employees with phishing simulations to ensure they are ready and protected.

00:33:31 Summary

In summary, plan, prepare, and practice information security. Understand the limitations of you and your team, your location, and your technology. Too much security can be almost as bad as too little; if measures are too restrictive, people will work around them using shadow IT like WhatsApp, which you don't control. Ensure initial and continued training takes place. Always have a backup plan for contingency. If you can't work in one way, find another way to recover and mitigate risks to protect your people and data.

00:36:18 Q&A session

Alex: Thank you so much, Alun. I think there's a lot of great ideas here. We work with organizations that have a wide range of security postures. For those working in an NGO that's just getting started or doesn't have the resources for a full information security program, where should somebody start?

Alun: I think having appropriate devices that are protected at the very basic level is key. Then you need to have processes to protect your data, like classification. It's all very well having technologies, but if your processes mean you're leaking data, that's a problem.

Adrian: I'd say start with some form of security assessment. Look at what devices are being used, get a list of them, and check if they are in date. Look at how your data is being used—is it secure? Is it encrypted? Build a picture for yourself, and the outcome of that will tell you if you need to upgrade devices or buy encryption.

Alex: We have a question from Scott in the chat: "What does a device policy look like?"

Alun: It could be part of a wider information security policy. It sets a framework for how you wish your devices to be handled—physical handling, technical controls, and designating who is responsible.

Adrian: Think of what the device is (laptop vs. phone) and what the users are using it for. If they are going to high-risk areas, you'll want decent encryption and updates. You build a blanket policy upon that basis that everybody sticks to.

Alex: For example, in our team, we have headlines on our device policy: every device needs a screen lock password, every device needs to be encrypted, and it must have anti-malware.

Alex: We have a question from Abdul Wahab regarding data collection in Ghana. He notes that while the company provides tablets, some staff use personal tablets and laptops to share sensitive HIV data.

Alun: If you're using a cloud-based service like ActivityInfo, you can have a Bring Your Own Device (BYOD) policy. However, users must still comply with the organization's device policy regulations—devices must be up to technical specifications and kept up to date. If data is being installed on a personal device that goes home and is used by kids to play games, that's inappropriate for sensitive data.

Alex: Using the risk framework, BYOD has risks. If the impact on the individual whose data is leaked is catastrophic (a score of 5), and using a personal device raises the likelihood of a leak to a 4 or 5, you have a very high risk score. This warrants urgent action to reduce those risks, perhaps by enforcing PIN codes and OS updates, or putting a halt to the practice.

Alex: An anonymous question asks if it's ethical or safe for an organization to ask you to use your personal phone number for two-step verification for a work email.

Adrian: Realistically, yes, it could be fine. If it's your phone and you know where it is, it's similar to using an authenticator app on a personal device.

Alex: Looking at the poll results, about half of the attendees said their organization has a device policy, and half said no or don't know. Regarding checkpoints, 56% said their organization experiences risk to information at checkpoints. Finally, regarding data classification, more than half said no or don't know. This highlights the need for simple policies like Public, Internal, and Confidential.

Alex: One last question: Can you tell us more about "going in clean" and measures to reduce digital footprint in insecure areas?

Alun: It depends on the area. I would only consider going in clean if I knew there was a good chance my device would be physically or technically intercepted. I've done this where I bought a cheap device locally, downloaded a VPN and a messaging app like Wickr or Telegram just to contact family. However, in high-risk areas, having no mobile phone can be suspicious itself. A happy medium might be buying devices locally and downloading data from the cloud.

Alex: We've come to the end of the hour. Thanks to Alun and Adrian for joining us, and thanks to everyone who participated.
