Thursday October 5, 2023

Top 5 data security risks for M&E professionals and what you can do about them

  • Host
    Alexander Bertram
About this webinar

October is Cybersecurity Awareness Month, and we acknowledge it with two sessions aimed at M&E and IM professionals who wish to increase their knowledge and confidence with regard to data security. The first session addresses the top five data security risks that professionals working with data should be aware of, and the second session dives into best practices for designing roles in the ActivityInfo platform.

During this webinar, we address the most important risks related to data security. We look at concepts such as data confidentiality, integrity and availability, and we discuss ways to mitigate these risks with some practical examples.

In summary, we discuss:

  • Insider attacks
  • Social engineering
  • Password management
  • User error
  • IT operation failure

View the presentation slides of the webinar.

Is this webinar for me?

  • Are you an M&E practitioner working with data?
  • Do you wish to better understand data security risks that are not necessarily related to technology?
  • Are you responsible for managing users’ access to various tools and software?
  • Do you wish to ask questions related to data security and information management?

Then, watch our webinar!

About the Speaker

Mr. Alexander Bertram, Executive Director of BeDataDriven and founder of ActivityInfo, is a graduate of the American University's School of International Service. He started his career in international assistance fifteen years ago working with IOM in Kunduz, Afghanistan, and later worked as an Information Management officer with UNICEF in DR Congo. At UNICEF, frustrated with the time required to build data collection systems for each new programme, he worked on the team that developed ActivityInfo, a simplified platform for M&E data collection. In 2010, he left UNICEF to start BeDataDriven and develop ActivityInfo full time. Since then, he has worked with organizations in more than 70 countries to deploy ActivityInfo for monitoring & evaluation.

Transcript

00:00:00 Introduction to data security

Thanks so much. One thing that we spend a lot of time doing at ActivityInfo is thinking about information security. I am thrilled to be able to share some of those ideas and issues with you, especially since October is Cybersecurity Awareness Month. We are going to do this first session today talking generally about data security risks, and we will do another session on the 12th that is more specific to designing roles in ActivityInfo.

Today is very general for those of you working in M&E. You are working with personal information from your beneficiaries and information about your operations. We need to look at what data security is and what we can do about it. When we talk about data security, we are talking about three different things. First is confidentiality; personal data, health data, and any information that should not be shared widely must remain confidential.

The second thing is integrity. It is not just about keeping the data confidential, but we want to make sure it is correct, especially when that data is used to make decisions that impact rights holders. If you are doing a needs assessment survey that determines who receives cash assistance, it is important that the data isn't changed without permission or outside of the process you have put in place. Finally, there is availability. It does no good for information to be secure and integral if people can't use it to deliver aid. Whenever we make data more available, we have to take steps to ensure that we don't give up confidentiality or integrity.

00:02:50 The role of M&E professionals

You might be thinking, "I'm in M&E, data security is not my job; we have other people that handle that." However, this is actually a responsibility in the M&E world in a couple of different ways. First, when you are planning M&E systems, you determine how much data to collect. Often it is the M&E section saying we want to measure impact and test our theory of change, requiring specific data. It is important that you take into account the security of the information you are collecting.

Secondly, regarding planning data collection, M&E officers often play a role in determining who is going to be collecting data, how it is collected, and what tools are used. Data security is critical there as well. Finally, sharing data with internal and external stakeholders is often where confidentiality can be compromised, as well as when communicating results more broadly. We have to be thinking about this as M&E professionals throughout the M&E cycle.

00:07:12 Risk 1: Social engineering

We are going to look at five risks to data security, starting with what I think is the least frequent and working our way to the most frequent in M&E. The first thing we are going to talk about is social engineering. When you think about risks to information security, you might think about hackers who can magically open up any computer system. The reality is that most successful attacks involve tricking people into giving up secrets or access to systems. The most dangerous attacks are the ones where humans are the central weakness.

Social engineering can be very targeted. If you are working in a humanitarian context, there might be people looking to obtain data your organization has. Attackers will start with an investigation, learning about you and your organization to understand who has access. If they get access to your account, they have everything you have access to. They will learn your name and personal details so that when they engage with you, they sound like they know you. They use that connection to trick you into giving up a password, installing something on your computer, or sending money.

The most common type of social engineering is phishing, where attackers impersonate services like Dropbox or Google. These attacks rely on spamming large groups, hoping a few people get tricked. A more dangerous term is "spear phishing," where malicious actors target your specific organization. They might impersonate a trusted partner or use information from LinkedIn to make a request sound legitimate. This can also happen via WhatsApp fraud or even through romantic scams on platforms like Skype, which have historically led to breaches of sensitive humanitarian data.

00:13:34 Identifying phishing attempts

It is important to sensitize ourselves to these types of social engineering. For example, you might receive an email that looks like it is from Google Drive, but if you hover over the link, you can see the actual URL is not google.com. These can be hard to detect. Another example is the 2016 hack of Hillary Clinton's presidential campaign, where a very similar-looking email tricked her Chief of Staff into changing his password, leading to a massive breach.

If you receive a suspicious email, check the sender and the link before you click. Always confirm through an additional channel. If you get a message via WhatsApp asking for something, send an email to double-check. If it is an email, send a WhatsApp. Don't fall into the trap of being pressured into taking action because something is urgent. It is worth taking an extra minute to verify sources. I encourage you to use training programs available online, such as Google's free phishing quiz, to help generate awareness for yourself and your team.

00:19:55 Risk 2: Password management

The next risk is password management. Passwords are a terrible way of securing things, but we still rely on them. The first problem is that humans are lazy about picking passwords. For instance, the SolarWinds hack in 2020, which impacted many companies, involved a password "solarwinds123". Even in our sector, there was a case of a cash management application being left unsecured with a default password like "admin," exposing thousands of names, photos, and family details.

Another risk is reused passwords. If you use the same password for Facebook, LinkedIn, and your work accounts, a breach in one service puts all your accounts at risk. LinkedIn, for example, had a massive data breach. You can use the website "Have I Been Pwned" to check if your email accounts have been involved in known data breaches. If your password for a compromised service is the same one you use for work, your organization's data could be in danger.

00:25:43 Best practices for passwords

There are ways to mitigate these risks. First, do not recycle passwords; make sure you have a unique password for every service you use. Second, use two-factor authentication (2FA) when offered. This could be an authenticator app from Google or Microsoft, or a hardware key like a YubiKey. SMS is not ideal, but it is better than nothing.

Third, use a password manager. We are not disciplined enough to manage unique passwords on our own. A password manager can generate a unique password for each site and remember it for you. Options like Bitwarden and 1Password are excellent, and even the built-in managers in Chrome or Firefox are better than nothing. Finally, Single Sign-On (SSO) is another way to protect your account. It allows you to sign in with your work account (like Microsoft or Google), meaning you can utilize the 2FA of your organization without managing a separate password for each tool.

00:29:42 Risk 3: IT operation failure

The third risk is IT operation failure. This means that whoever is responsible for running the software you use—whether inside your organization or a vendor—can make mistakes. These vulnerabilities are often human errors: a programmer makes a mistake, or an IT department forgets to upgrade software. For example, in 2019, over 400 gigabytes of data were stolen from a UN server because of a vulnerability in SharePoint. Microsoft had released a fix, but the organization had not upgraded to the new version. A similar issue happened to the ICRC in 2021, affecting 515,000 people due to a delay in upgrading software.

As an M&E officer, you have choices to make regarding technology. You must decide whether to do something in-house or outsource it. If you do it in-house, you must ensure your team is equipped to upgrade and configure software correctly and consistently. If you outsource to the cloud (which is just other people's computers), you rely on that company to do their job. You must assess the reputation and competence of the vendor just as you would an employee. Often, outsourcing transfers the risk to companies with more resources to manage security, such as physical data centers.

00:40:49 Risk 4: Insider attacks

Up to now, we have discussed risks from outside your organization. However, a very serious risk is insider attacks—attacks conducted by people you work with. These individuals have the greatest potential to do damage because they already have access to systems and know where the data is. While we generally trust our colleagues, it is not always clear-cut.

For example, in 2005, a staff member was fired and, in anger, used their valid password to log in and delete all the data they could access. While backups allowed for data recovery, it was a distressing experience. This is an integrity issue, but insider attacks can also be confidentiality issues if data is leaked. Motivations can range from malicious intent to emotional reactions.

00:44:50 Mitigating insider threats

We can mitigate these risks by narrowing user permissions. Make sure people only have access to the data they need so that if someone acts maliciously, the damage is limited. Implement data loss prevention measures, such as audit logs, which allow you to see who changed what and recover deleted records. Furthermore, do not share passwords. If a password is shared among an office and someone leaves on bad terms, it is very difficult to terminate their access without disrupting everyone else.

00:46:16 Risk 5: User error

The most relevant risk to information security in M&E is plain human error. It is more common than hackers or insider attacks. For example, a mistake at UNICEF led to a list of 8,000 learners being emailed to 20,000 users. One misclick can lead to a data breach on a big scale. I recently received a panic email from a user who accidentally deleted a database. Fortunately, we could recover it from backups, but it highlights the risk of "fat fingers" or simple mistakes.

00:48:23 Reducing the impact of user error

To mitigate human error, we can narrow user permissions. If a user does not have permission to delete data, they cannot make that mistake. For instance, a Country Director might be the most important person in the office, but they likely only need "view" permissions, not the ability to edit or delete data. Consider whether users really need the ability to export or publish data. You may not want users downloading Excel spreadsheets with thousands of health records to a laptop that could get lost.

We recently analyzed ActivityInfo databases and found that in some cases, 40% to 75% of users had administrative privileges they were not using. Checking setup at a granular level ensures people only have the permissions they actually need.

00:51:07 Device security and conclusion

A bonus risk is device security. We covered this in a previous webinar, but the minimums include ensuring devices are encrypted and password-protected. Information security is essentially risk management. NGOs and the UN have experience managing risk in the physical world, such as sending staff to hard-to-reach places. We need to use the same logic and approach to risk management in the digital world.

00:52:41 Q&A session

Question: What is your opinion on password generators?
Answer: I am pro-password generator, especially when used with a password manager. It allows you to use unpredictable, random passwords without having to remember them. If you use randomly generated passwords, you generally do not need to change them frequently unless you know of a specific breach.

Question: How often should one change a password?
Answer: If you are using a password manager and randomly generated passwords, you shouldn't have to change that password unless there is a breach. It is more important to have unique, random passwords for every service than to change a weak password frequently.

Question: What about the risk of shared office Wi-Fi passwords?
Answer: The Wi-Fi password is only the first layer of security. The most important thing is to ensure your connection is encrypted. Look for the lock icon in your browser (HTTPS), which means the connection between you and the service is encrypted. Even if someone intercepts the Wi-Fi signal, they cannot read the data. However, if being on the Wi-Fi network gives access to local servers or shared drives without further authentication, that is a significant risk. This is where a "Zero Trust" approach is recommended.

Question: Can I confirm the location of an email sender?
Answer: You cannot confirm the geographic location via email protocols. However, you can verify if an email is genuinely from the organization it claims to be from. In Gmail, for example, there are indicators like a lock icon or specific verification checks that show if a sender's domain is signed and verified by their organization.
