Thursday October 10, 2024

Keeping your Monitoring and Evaluation data secure

  • Host
    Alexander Bertram
About the webinar

October is Cybersecurity Awareness Month and we acknowledge it with a session addressed to M&E and IM professionals who wish to increase their knowledge and confidence with regard to data security.

During this one-hour webinar, we cover the following topics:

  • Emerging cyberthreats for NGOs
  • Best practices for securing your team’s IT
  • Best practices for configuring your data access
  • Access reviews

During this Webinar, we address the most important risks related to data security. We look at concepts such as data confidentiality, integrity and availability and we discuss ways to mitigate these risks by adopting a few simple procedures for your team, such as hard drive encryption and password managers.

We also look at various practical examples of configuring data access using ActivityInfo and discuss data access reviews, including the ActivityInfo weekly risk reports.

Is this Webinar for me?

  • Are you responsible for managing users’ access to various tools and software?
  • Do you wish to better understand data security risks and ways to mitigate them?
  • Do you want to know more about securing your account in ActivityInfo?

Then, watch our Webinar!

View the presentation slides of the Webinar.

About the Presenter

Alexander Bertram, Executive Director of BeDataDriven and founder of ActivityInfo, is a graduate of the American University's School of International Service and started his career in international assistance twenty years ago working with IOM in Kunduz, Afghanistan and later worked as an Information Management officer with UNICEF in DR Congo. With UNICEF, frustrated with the time required to build data collection systems for each new programme, he worked on the team that developed ActivityInfo, a simplified platform for M&E data collection. In 2010, he left UNICEF to start BeDataDriven and develop ActivityInfo full time. Since then, he has worked with organizations in more than 100 countries to deploy ActivityInfo for monitoring & evaluation.

Transcript

00:00:02 Introduction

This webinar is presented by the ActivityInfo team. For those of you who don't know, ActivityInfo is an information management software specifically designed for humanitarian and development operations, supporting monitoring and evaluation, case management, coordination, and even cash and voucher assistance. If you're not familiar with ActivityInfo, I hope you'll take a look later today, but the focus of this webinar is a little bit broader than just our software.

It is October, which is Cybersecurity Awareness Month, and it is a good moment to spend some time thinking about the threats, the risks, and some best practices for information security. We are a software company; we build software and host data from organizations around the world. It is something that we spend a lot of time on, but it is not something that we can do all on our own. Cybersecurity and the security of this data depend just as much on our users as it does on us. This webinar is an attempt to carve out some space in your busy schedules to share some best practices that you can add to your work. We will look at some of the threats—some new ones, some old ones—and then a series of best practices, ranging from the really basic to some specific things regarding data access.

00:01:53 Defining data security

To start, let's take a moment to provide a definition for what we mean by data security. Typically, we think about data security or information security as three pillars: the CIA pillars. First is Confidentiality: we have an obligation as implementers and controllers of data to keep sensitive data private. Second, we have an obligation to protect the Integrity of the data. The data that we share with donors, stakeholders, or the rights holders themselves must be correct, and we want to prevent unauthorized changes. Finally, none of that helps if the data isn't Available. If you don't have the indicators that you need to share with your project managers, donors, or the general public, then we haven't kept the data secure.

I recognize a wide variety of roles in the participants today. Most of you are not in the IT department; you are not information security professionals, but it is still an important topic because we all have a role to play. You might work with a big organization where a dedicated department handles big parts of this puzzle, perhaps providing secure laptops and training. However, even in the biggest organization, when you are in the role of project manager, M&E officer, or Information Management Officer, it is going to be your responsibility to plan and build systems. That involves deciding what data to collect, how and where to store it, how to share it, and how to communicate about it. That is the moment where we all have to make good choices about how we manage the data entrusted to us.

00:04:33 Emerging threats: Infostealers and malware

We are going to start by looking at threats. This is one way to approach cybersecurity: looking at what could go wrong, the motives of the actors, and whether it is accidental or intentional. This helps us understand vulnerabilities and potential impacts.

Malware and computer viruses have been around for a long time, but in the last couple of years, they have exploded, particularly one type called "infostealers." These are computer programs designed to infect computers and send information back to the criminals running them. They extract credit card numbers, passwords, session tokens, and any information they can scrape from your computer.

One factor leading to the scale of today's problem is the emergence of a criminal ecosystem. You have vendors who develop the malware—like one called Raccoon—and sell it to other criminals. These attackers then disseminate the malware via spam emails, forums, or streaming sites. They collect data from infected laptops, bundle it, and sell it to another group of criminals. This problem has become widespread. If you are using unprotected devices, such as a Windows PC without a virus scanner, this is a real problem. The malware is often distributed via Word documents with macros; once enabled, they unpack a program that sends everything you type to the criminals. These credentials end up on Telegram channels where they are sold in batches for a few hundred dollars.

This has affected our users as well. We work with a monitoring firm that watches these Telegram channels for email addresses being put up for sale. We get about 10 to 15 hits per month of ActivityInfo users whose credentials—whether for ActivityInfo, their work account, or unrelated sites—are for sale. This means their computer is infected. While 108 users year-to-date out of 40,000 or 50,000 active users seems low, it only takes one compromised account to give access to a database. Those 108 users represented access to 76 different project databases.

We have put in place alerting emails that go out as soon as we are notified that accounts are for sale. I saw a recent example where an account was breached, and the password used was a variant of "password123." We notified the database owners so they could reset the passwords, but we are seeing a steady stream of these incidents.

00:10:55 Insider threats

The second threat is closer to home. While many think of cybersecurity threats as mysterious criminals halfway around the world, some of the real cases causing damage stem from insider attacks. An insider attack involves someone in your organization or on your team who doesn't need to do any hacking because they already have a password and access to your systems. For whatever reason, they choose to abuse that authority.

While some may be self-interested, the cases I have seen in the last 15 years often involve people under stress or pressure who lash out. For example, in 2005, an NGO staff member was fired under non-amicable circumstances. On their way out, they logged into ActivityInfo and started deleting as much data as they could. While ActivityInfo has an audit log allowing us to reverse these actions, it takes time and effort to resolve. It is important to keep in mind that threats are not always external.

00:13:03 Conflict parties and human error

In some cases, a threat might come from a party to the conflict where we are providing humanitarian support. We are seeing more cyber warfare, whether it is sabotage to shut down infrastructure or interrupt banking. Humanitarians can get caught in the middle. For example, in 2013 during the Syrian refugee crisis, Syrian opposition forces and humanitarians were targeted via a social engineering attack on Skype. Humanitarian needs assessments and lists of materials were stolen. The attack vector was social engineering: a staff member was approached on Skype under the guise of a romantic relationship, but the file shared was a virus used to extract information.

Finally, we must not underestimate the power of human error. It can happen to anybody. There is an example where someone was running a report of learners in a learning management system. Instead of sending the report to two people for analysis, they clicked the wrong button and sent personal information to 20,000 people on the platform. Sometimes it doesn't take a malicious attempt to cause significant problems.

00:17:21 Basic cyber hygiene

Now let's turn to the good news: there are many basic things we can do to mitigate a large part of these risks. I consider these the absolute minimum of cyber hygiene.

First, use Two-Factor Authentication (2FA) everywhere you can. This could be an authenticator app on your phone or a hardware key like a YubiKey. This ensures that even if someone gets your password, they cannot exploit it without the second factor.

Second, use a password manager for everything else. Do not use "password123." Password managers like Bitwarden or 1Password are free and easy to use. Even the browser's built-in manager is better than nothing.

Third, if you are using a Windows machine, make sure you have antivirus and anti-malware installed. Windows machines are particularly vulnerable to the malware problems I described earlier. Alternatively, using a Chromebook, which is more locked down, can be a safer option.

Fourth, make sure your hard disk is encrypted. This won't save you from hackers or malware, but if your laptop is stolen or lost, encryption is essential. Phones (iPhone and Android) are encrypted by default, but laptops often are not unless your organization has configured them.

For ActivityInfo specifically, make sure you are enabling Single Sign-On (SSO). This connects your ActivityInfo account to your work account (Microsoft Active Directory or Google Workspace), enforcing your organization's 2FA policies.

00:21:23 Social engineering and phishing

Many vulnerabilities in our digital age are not in the software or devices but in the "people factor"—social engineering. This is essentially using deceit and trickery to gain access. We see this in personal attacks, like fake texts from "family members" asking for money, or work-related attacks, like fake documents that appear to be from a colleague but come from a strange email address.

Generative AI is amplifying these risks. Scammers can produce more realistic phishing emails, and we are even seeing deepfake videos used to impersonate finance officers. This volume of phishing attempts is likely to get worse.

To defend against this, training is essential. We need to be attuned to suspicious requests. Always check the sources. If you have any doubt, verify through a different channel. If you get an email from a colleague asking for gift cards, don't reply to the email; message them on WhatsApp or call them. Furthermore, do not get tricked by fake urgency. Scammers use time pressure to get you to ignore red flags. Slow down and double-check.

If your organization doesn't offer security training, there are free resources available, such as Google's phishing quiz. Organizing a session to go through these quizzes with your team can help build resiliency and digital literacy.

00:26:59 Physical security in the field

If you are traveling to do surveys or assess projects, your physical security extends to device and information security. If you take a laptop into a rural area or a conflict zone, you need to think about information security as part of your overall risk management. We have a training resource with Arculus Security that focuses on planning and determining your level of risk acceptance before taking data into the field.

00:28:11 Permissions and the principle of least privilege

Now we will look at some M&E-specific best practices regarding permissions. Whether you use ActivityInfo, Google Docs, Kobo, or SharePoint, you should always use the Principle of Least Privilege. This means giving the minimum access necessary for someone to do their job.

This often requires a mindset shift. For example, you might feel compelled to give a Country Director administrator access because they are the boss. However, a Country Director likely does not need to access personal information or edit data; they need reports and dashboards. Therefore, their role should be restricted to view-only or report-viewing. Similarly, caseworkers do not need access to all files—only the ones they are currently working on. You can lock out archived or closed cases.

Restricting access helps mitigate the risks we discussed. If an insider threat arises, the damage is limited to the few files they can access. If an account is compromised by an infostealer, the impact is contained. In ActivityInfo, you can design roles with very narrow permissions. You might disable the ability to export data to Excel to prevent files from floating around on laptops. You should also be careful with "share" and "publish" permissions, as these allow users to make data publicly accessible.

I also encourage using record-level permissions. This allows you to restrict access based on specific criteria, such as assigning a user only records related to their partner organization, geographic area, or specific project. While we want to trust our teams, we must weigh the risks. Restricting permissions protects the data if a team member becomes a target of a sophisticated attack or simply makes a mistake.

00:34:15 Policies and procedures

Finally, let's look at policies and procedures. The industry standard is an Information Security Management System (ISMS), such as ISO 27001. While you may not be managing a full security program, there are two procedures you can implement at the project level that are quick wins.

The first is a Data Inventory Map. Simply make a list of all the data you are collecting and controlling (beneficiary data, biometrics, case files). Note where this information is stored—is it in a cloud account? Who has access? Is it on physical laptops? This exercise shines a light on potential vulnerabilities, such as data residing on partners' laptops or shared cloud accounts.

The second process is Systematic Access Reviews. Pick a frequency—monthly or quarterly—and block out an hour to review who has access to your systems. Ensure that everyone with access still needs it. Check if anyone has left the organization or changed projects. In ActivityInfo, we have launched a Weekly Risk Report feature for database owners. It highlights risks such as over-permissioning (users having permissions they don't use) and user dormancy (users who haven't logged in for a long time). These reports can help you identify accounts that should be deactivated to reduce your attack surface.

00:41:51 Conclusion

ActivityInfo is an information management software that we have put a lot of effort into making secure. It works online and offline, with mobile and web apps. If you are looking to improve your monitoring and evaluation while making it more secure and actionable, please consider contacting us for a demo.

I also want to highlight one of our partners, CyberPeace Builders. They are a member of the H2H Network and offer an initiative that pairs volunteers from the private sector with NGOs that need help with information security. If you are a smaller organization without resources for a dedicated security team, I highly recommend checking out their free assessment and volunteer program.
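The systematic access review described at 00:34:15 rests on two signals, over-permissioning (permissions granted but not used) and dormancy (accounts that have not logged in for a long time). As an added illustration that is not part of the webinar and not ActivityInfo's own Weekly Risk Report code, this Python script computes both signals over a constructed user list; the 90-day thresholds, the permission names and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

DORMANCY_DAYS = 90   # assumed threshold: no login in 90 days -> dormant account
UNUSED_DAYS = 90     # assumed threshold: permission not exercised in 90 days -> unused

@dataclass
class UserAccess:
    email: str
    role: str
    granted: Set[str]                  # permissions the role grants
    last_login: Optional[date]         # None = invited but never logged in
    last_used: Dict[str, date] = field(default_factory=dict)  # permission -> last exercised

def dormant_users(users: List[UserAccess], today: date, days: int = DORMANCY_DAYS) -> List[str]:
    """Accounts that never logged in, or whose last login is older than `days`."""
    cutoff = today - timedelta(days=days)
    return sorted(u.email for u in users if u.last_login is None or u.last_login < cutoff)

def unused_permissions(users, today, days=UNUSED_DAYS) -> Dict[str, List[str]]:
    """email -> granted permissions that were never used, or not used within `days`."""
    cutoff = today - timedelta(days=days)
    report = {}
    for u in users:
        unused = sorted(p for p in u.granted
                        if p not in u.last_used or u.last_used[p] < cutoff)
        if unused:
            report[u.email] = unused
    return report

def weekly_risk_report(users, today):
    """Both signals in one structure, as a database owner would review them."""
    return {"dormant": dormant_users(users, today),
            "over_permissioned": unused_permissions(users, today)}

# Constructed sample data (placeholder addresses, not real accounts).
TODAY = date(2024, 10, 10)
SAMPLE_USERS = [
    UserAccess("director@example.org", "Administrator",
               {"view", "edit", "export", "share", "manage_users"},
               TODAY - timedelta(days=5), {"view": TODAY - timedelta(days=5)}),
    UserAccess("caseworker@example.org", "Case worker", {"view", "edit"},
               TODAY - timedelta(days=2),
               {"view": TODAY - timedelta(days=2), "edit": TODAY - timedelta(days=3)}),
    UserAccess("former.staff@example.org", "Editor", {"view", "edit", "export"},
               TODAY - timedelta(days=200),
               {"view": TODAY - timedelta(days=200), "export": TODAY - timedelta(days=210)}),
    UserAccess("new.partner@example.org", "Viewer", {"view"}, None),
]
```

Run `weekly_risk_report(SAMPLE_USERS, TODAY)` to see that the administrator's unused edit, export, share and manage-user permissions and the two accounts that have not logged in are the ones a reviewer should deactivate or narrow first.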
