Case study: Human rights Centre ZMINA
“The approach to digital security should be systematic and brought to automaticity: just as we wake up every morning and brush our teeth, compliance with the rules of digital hygiene should also become automatic. Human rights organizations must be responsible – for their own sake and for the sake of those whom we help.”
Tetyana Pechonchyk
(ODIHR summary) Human rights defenders confront numerous challenges, particularly in authoritarian regimes or conflict zones. Digital threats pose significant risks, including data theft, hacking, and surveillance, endangering the safety and freedom of both staff and beneficiaries. In Ukraine, where the situation has been intensified by Russian aggression since 2014, ZMINA operates in occupied territories and faces persistent cyberattacks from Russian intelligence, notably Fancy Bear. However, the organization’s steadfast adherence to digital security protocols, established in 2014 and strengthened after the full-scale invasion, has thwarted these attempts. Its digital security policy encompasses several layers: adapting protocols to geographic risk, conducting audits every two years, and providing ongoing staff training.
Read the complete testimony:
Human rights defenders face many challenges in their work, especially when it comes to working in countries with authoritarian regimes or armed conflicts on their territory. Some of these challenges relate specifically to threats of a digital nature, when organizations can be attacked to steal sensitive data, compromise it, infect computers with viruses, hack organizational accounts, etc. This can threaten the life, health, safety and freedom of both employees and beneficiaries of human rights organizations – those whom the organization helps, with whom it works.
In Ukraine, this situation is particularly acute, since the Russian armed aggression and occupation of part of the territory of Ukraine has continued since 2014. From the beginning of the Russian aggression, ZMINA began working in occupied Crimea, recording and documenting human rights violations, which was especially important given that neither then, nor for the next 10 years, could any international organization or Ukrainian authority work on the occupied peninsula. It is clear that such work is quite risky, especially for the activists, human rights defenders and journalists with whom ZMINA has cooperated all these years.
We’ve experienced quite a bit of scrutiny from Russian intelligence agencies, including their affiliated group Fancy Bear (also known as APT28), which specializes in cyber espionage. For several years, there have been systematic attacks on the accounts of employees of our organization, but they were unsuccessful, since, starting back in 2014, our organization has developed digital security rules that we have followed all these years. A systematic approach to digital security became even more important after the beginning of the full-scale invasion of the Russian Federation into Ukraine.
Our digital security policy includes several layers. In particular, when it comes to the work of the team in government-controlled territories, the rules are less strict, while for those who come into contact with the occupied territories there are increased requirements to encrypt messages, to use exclusively secure methods for data transmission, etc. ZMINA also undergoes a digital security audit every two years, which allows us to identify gaps and work on closing them. Alongside the audit, we conduct periodic training for the organization’s team on new threats on the Internet, phishing, etc.
Of course, all our computers are encrypted, and access to accounts is protected by two-factor authentication and complex passwords. We use only licensed and constantly updated software and antivirus products, we constantly monitor compliance with these rules, and we inform each other if someone is exposed to digital attacks, phishing attempts, etc. The site of the ZMINA Human Rights Center is protected from DDoS attacks, and our servers are located abroad (which is important to eliminate the risk of losing all data in the event of a missile or drone attack on Ukrainian servers).
We have a constantly involved system administrator who monitors the updating and replacement of equipment, compliance with the general rules of digital security, and we are also grateful for the long-term cooperation of specialists from the Digital Security Laboratory, who advise us in case of suspicious situations, conduct periodic audits and training.
In my opinion, the approach to digital security should be systematic and brought to automaticity: just as we wake up every morning and brush our teeth, compliance with the rules of digital hygiene should also become automatic. Human rights organizations must be responsible – for their own sake and for the sake of those whom we help.
Case study: Anonymous organization from Belarus
“The management of an organization should be not only an assistant, but primarily an initiator of all processes around the security of the organization, since management perfectly understands the risks and consequences and has the power to allocate resources and enforce rules in the organization.”
Anonymous Belarus organization
(ODIHR summary) An organization, based in Belarus, shared from their experiences that a systematic approach to security, led by management, yields better results than sporadic efforts to address immediate issues. They believe that when management takes ownership of risks and engages in discussions about security requirements, effective risk management systems can be established.
Read the complete testimony:
I have been working as a system administrator in a public organization for many years and have seen from my own experience that a systematic approach to organizing security is usually more effective, as opposed to episodic attempts to quickly solve some problems and then switch to other tasks.
Ideally, the management of an organization should be not only an assistant, but primarily an initiator of all processes around the security of the organization, since management perfectly understands the risks and consequences and has the power to allocate resources and enforce rules in the organization. Computer specialists often occupy the convenient role of maintenance personnel – a kind of plumber for computers – or, conversely, they come up with strange policies like “everyone must change their password every month and you can’t reuse any of the last 10 passwords you had before.”
If management itself is the owner of risks and the main stakeholder, and does not take the position “I still don’t understand anything about this – do what you want,” then it is possible to establish a system of working with risks within the organization, periodic discussions of the situation in the organization and security requirements, as well as an honest discussion of what rules already work well now and what does not work with the opportunity to try new approaches and measures (explain to employees why or enable it automatically for all corporate accounts without the ability to disable any setting or search for an alternative, more convenient approach).
Case study: Anonymous LGBTQ organization from Ukraine
“Regarding offline events, the minimum requirement is providing a corporate taxi for quick departure from the venue if needed. Additionally, you can implement corporate security measures, such as a ‘red button’ accessible to all team members via smartphone. It’s also crucial to organize first aid training for the team.”
Anonymous LGBTQ organization, Ukraine
(ODIHR summary) An anonymous LGBTQ organization based in Ukraine shared measures it takes to mitigate its security risks, such as having an evacuation plan in case anyone threatens its events. Among other things, it expanded its security perimeter by installing surveillance cameras at employees’ homes and equipped the office with power stations for potential blackouts caused by the war in Ukraine. This approach demonstrates a plan well tailored to the organization’s needs, proactively addressing risks its employees might face both at work and at home.