Citizen Lab has just published a detailed study of how targeted digital threats affected 10 civil society organisations over a four-year period. The report contains a wealth of information that organisations could include in a threat model when planning a project (see p.35 of the RDF book Ways to Practise Responsible Data for more).
It also gives a set of practical recommendations:
For civil society organisations
- Document precisely what happened, preserving attack vectors, malware, or compromised devices for analysis and digital forensics.
- Collectively respond to attacks with other civil society organisations.
- Involve funders in collective efforts, communicating with them regularly about security issues and incidents.
For funders
- Develop programs and funding lines to help grantees make measurable improvements in their organisational security.
- Increase your knowledge of the scale of previous compromises within major funding organisations.
- Consider your responsibilities to your grantees and partners concerning disclosure of breaches.
For technology companies
- Understand how civil society organisations use your services by communicating with them (discreetly if necessary).
- Provide free/reduced-cost software licences to civil society organisations.
- Consult staff and management to ascertain interest in pro bono programs, and begin thinking through reputational risks and how they might be mitigated.