ActivityInfo & CyberPeace - Best practices for cybersecurity in ActivityInfo and beyond
Host: Alexander Bertram
Panelist: Timothy Macheru
Panelist: Jim Boevink
Panelist: Rachel Hanssen
About the webinar
October is Cybersecurity Awareness Month and every year we celebrate it with a session dedicated to data security.
This October, we are very happy to welcome the CyberPeace Institute as a guest speaker. During the session, we will get introduced to the work of the CyberPeace Institute in data security and we will discuss best practices for data security in information management but also in ActivityInfo, looking into best practices and tools for managing risks related to your databases.
We will cover:
- Introduction to the CyberPeace Institute and services offered to NGOs
- Best practices for data security
- ActivityInfo: Identifying risks related to configuration, permissions and user access
- ActivityInfo's risk management tools: weekly risk report and the dark web monitoring program
View the presentation slides by CyberPeace.
View the presentation slides by ActivityInfo.
About the CyberPeace Institute: The CyberPeace Institute protects the most vulnerable in cyberspace. We deliver cybersecurity assistance and hold all actors accountable for ensuring peace in cyberspace by exposing the human harm caused by cyberattacks and disinformation. We advocate against the unacceptable use of artificial intelligence to threaten international peace and security, while promoting the responsible development and use of AI.
Is this Webinar for me?
- Would you like to learn more about the work of CyberPeace and how they assist humanitarian NGOs and others to prepare for and recover from cyberattacks?
- Are you interested in data security best practices?
- Are you responsible for cybersecurity in an organization that has deployed ActivityInfo or are you administering databases in the platform?
- Do you wish to ask questions related to data security?
Then, watch our Webinar!
About the Presenters
Jim Boevink is a Senior Cybersecurity Project manager at CyberPeace Institute.
Rachel Hanssen is the Community & Customer Success Manager at CyberPeace Institute.
Timothy Macheru is an Information Management Education Specialist for ActivityInfo at BeDataDriven.
Alexander Bertram is the Executive Director of BeDataDriven and founder of ActivityInfo.
Transcript
00:00:00
Introduction
It is really great to see the attendance again. It is October, Cybersecurity Awareness Month, and as every year we try to spend a bit of time raising awareness and focusing on this important topic. I am really excited to have our friends from CyberPeace here. They are going to start us off with a general presentation on cybersecurity and then we will zoom in to ActivityInfo afterwards.
00:01:20
The CyberPeace Institute and the CyberPeace Builders program
Thank you so much, Alex and Timothy for having us here today. I am really glad to be able to talk about a topic that we deem important as the CyberPeace Institute. Hopefully, the attendees do as well, because they are here, which means they are interested in how this topic affects their organization or them personally.
First of all, the CyberPeace Institute was founded based on the idea that we have a big gap when it comes to securing our nonprofits. The problem is that nonprofits are under attack digitally. Because of the mission you are set up for, you receive funding dedicated to your goals. To run your own household is the second part, and we see an issue where security tends to be expensive. If you want to do proper cybersecurity, a lot of companies and public institutions spend quite a lot of money on it. As a nonprofit, funding is always an issue. To be able to protect yourself properly, we see that there is a clear need for more support, but the funding is lacking.
That is where we step in as the CyberPeace Institute. We created several programs that we run to protect nonprofits worldwide. Today is not only showcasing our work; we also dive into some practical recommendations. But first, let us introduce some of the programs we run. The first and most interesting one in this case is our CyberPeace Builders program. The website is cpb.ngo. The point of the CyberPeace Builders program is that we can connect nonprofits for free to cybersecurity experts worldwide. We have a pool of about 1,500 volunteers currently active that come from big corporations, cybersecurity agencies, and companies that are giving away their time for free to the nonprofit community that has signed up for our program.
00:03:40
How the CyberPeace Builders program works
As Jim said, nonprofits are under attack, and we provide free cybersecurity services to make sure that they remain digitally resilient. I am going to take you for a quick peek into the platform and what it is like to join as a nonprofit. Once you sign up as a nonprofit, the first thing that you do is take a cybersecurity assessment. This is just a quick overview. It shows us your score and how digitally resilient you are. The main thing that we can see here, and that as a nonprofit you can see as well, is what specific things within your organization you need help with. This could be help in assessments and user management, or maybe even a cybersecurity training.
When you finish your cybersecurity assessment, we give a list of recommended missions on how you can improve the score. This could be an awareness training or maybe less on the technical side, but more on a policy development issue or ongoing security advice. You can really pick and choose where you want these professionals to help you.
Regarding mission creation, usually, we provide a few missions that we think would fit best based on the needs that the nonprofit has. However, there is a really big list of all of these different things that you could request help with. Let's say for today, we go with data security best practices. You can view the details on what the mission entails, what the outcomes are, and what specifically the professional is going to help you with. Once you put this mission out, volunteers can see a big list of where these nonprofits need help. They can choose if they want to help you with these data security best practices. Once both sides connect, the mission starts, and the nonprofits will receive help immediately.
00:06:15
Best practices for data security
Today, we want to go in depth about what we consider as best practices for data security. Data security is a multifaceted problem. What we see happening at nonprofits is that a person dedicated to finance is also dedicated to IT and data security. Obviously, we all have seven days in a week, so you cannot have knowledge on everything. My first advice is to use AI if possible because AI does tell you a lot about best practices and where to start. However, sometimes it helps to have a real-life person explain why it matters.
Very frankly put, this is why it matters: data loss. If you lose data through an attack, like ransomware, or if someone sends an Excel file to a wider group of people that weren't supposed to receive it, we consider it data loss. Whatever the cause, it leads to mistrust. The organization or person affected will less likely trust you in the future because you were sloppy with the data. Mistrust leads to financial loss because your funders or donors will less likely fund you any longer. That ultimately leads to the end.
Where to start? First of all, identify your "crown jewels." What data do you process, and what could be sensitive? What IT systems or operational technology do you have? Make sure that you have a list of the most important systems. In case some of these systems drop out because of a digital attack, you should know which ones put you in deep trouble. The same applies to people; some functions or persons might be essential for the existence of your organization.
Then, look at all of the threats that are out there. Try to score them based on likelihood versus impact, which amounts to the risk. It is not an exact science, but it is important to know what you are facing and then decide to avoid, mitigate, transfer, or accept the risk. Accepting the risk is often overlooked, but you cannot avoid all risks.
It is also important to make sure that you know who gets into your systems. Control access. If you are in the cloud, and we definitely recommend that, make sure that Multi-Factor Authentication (MFA) is turned on. Google and Microsoft 365 have built-in MFA. Use password managers like Bitwarden or 1Password to help you memorize unique passwords. Don't use common passwords or the same password for everything. Also, make sure that if people leave your organization, you delete their accounts and access. A lot of times attackers use the access of a former staff member.
Secure your devices. Make sure that updates are pushed automatically so you don't have to ask every staff member to update. Encryption is very important; make sure your data is encrypted on your device with BitLocker or FileVault. Ensure screen locks activate automatically and fast. Use USB blockers when traveling to avoid malicious USBs transferring data. For cloud storage, go for the nonprofit subscriptions from Google or Microsoft as they do encryption and backups by default. When sharing documents, avoid clicking on the "anyone with a link" option.
Train and talk about security. Often people get punished if they make mistakes, but that is the culture you don't want to have. People click on links; phishers are getting better by the day. Make sure that people dare to report if they made a mistake. If they don't, you will never know until the attacker has been in your system for months. Create a security awareness culture where staff and volunteers feel encouraged to talk to others about risks. Try to come up with trainings that are fun and engaging.
Finally, pray for the best and prepare for the worst. No one can get 100% secure. You have to think as if someone is already in your systems. Make sure you have backups, not just of your data but also of your system, and test them regularly. Have disaster recovery plans for your critical IT assets. Know who to call in case of need. Make sure to have a crisis plan for your organization where you practice on a scenario-based level. As we quote here: you don't need big budgets, you just need good habits.
00:16:30
ActivityInfo security features and risk management
Thank you, Jim and Rachel. That covers much of what I am about to speak about. Cybersecurity is basically a collection of technologies, processes, and practices designed to protect your data, systems, network, and devices from unauthorized attacks. This brings me to the CIA triad: Confidentiality, Integrity, and Availability.
Confidentiality means users in a system only need access for what they require to perform their tasks. Integrity is about preventing malicious deletions or editing of records to ensure you have the correct information. Availability is where ActivityInfo teams up to ensure that the system is up and running every time you need to enter or access data.
We have practices that allow you to enforce the CIA triad, one of them being Single Sign-On (SSO). This is where you need one single set of credentials to access multiple applications. This removes a lot of risk, especially when you need to memorize multiple passwords. ActivityInfo offers SSO, so you just need one password for your Google Workspace or Microsoft 365 to access the system. It also helps mitigate risks when staff leave the organization. If you deactivate their accounts in your main identity provider, they cannot access ActivityInfo. It also helps you enforce Multi-Factor Authentication.
ActivityInfo also has a weekly risk report sent out every Monday to the database owner. This helps mitigate risks like users who left the organization but still have active accounts. It also highlights overly permissive or shared access, where a user has roles they do not need. For instance, a data entry role should not be able to manage users or roles. We also have tools to ensure information is visible only to the right people, such as record-level permissions and user fields for sensitive data like PII or health information.
We also monitor for "stealer logs." These are malware-created records that happen when you use your device in ways you aren't supposed to, like visiting risky websites. This malware creates logs that go up for sale on the dark web. ActivityInfo uses third-party monitoring tools to tell whether credentials used to access ActivityInfo have been listed for sale. If we find this information, we reset your passwords immediately and send an alert.
00:23:45
Steps for remediation
Once you find out that a user has their credentials stolen, there are a few steps to follow. This is where the CyberPeace Institute comes in as well for organizations that don't have a budget for cybersecurity.
00:25:30
Q&A and conclusion
Alex: Thank you so much, Timothy. I am going to launch a quick poll while we wait for some questions. Jim, you said that it is important to make cybersecurity training more interesting. Give us an example of some fun cybersecurity training.
Jim: What you see more and more is that training is gamified. You could rehearse in terms of a simulated crisis. Let everyone sit in a room and do a crisis simulation with the board. This simulation is very helpful because it will raise awareness within the board that this is necessary. You can also do virtual reality or online games where you experience threat development.
Alex: We have a question from Miriam Al-Wazir: "How flexible is access to program/project data, for example, multi-country selection across regions?"
Timothy: This relates to record-level permissions. ActivityInfo allows you to grant specific users access to information that is only related to them. If users go without configuration, it might allow them to view information they are not supposed to see. You can set parameters to associate a region with a user so they can only access resources linked to their region.
Alex: Maybe one for Rachel. When cybersecurity professionals are paired with NGOs, is there a waiting list?
Rachel: It happens pretty quickly. Volunteers and nonprofits get a list of missions. From experience, usually these missions are taken within a week, maybe two weeks at the longest. You don't really have to wait that long.
Alex: I am sharing the results of our poll now. About two-thirds of our audience are ActivityInfo users. It is great to see that 87% of respondents are using a password manager. Only about three-quarters are using antivirus, and only about a quarter are using an encrypted hard drive. Those are all things to think about.
Jim and Rachel, thank you so much for joining us today. Thanks to everybody else for giving cybersecurity some attention this month. We wish you all a great afternoon.