Civil society organizations face increasingly sophisticated digital threats. From our experience conducting security audits of CSOs across Cameroon, we've learned that many organizations lack basic digital security measures, putting their staff, beneficiaries, and data at serious risk. This comprehensive guide shares the best practices we've learned and implemented to help CSOs protect themselves.
Why Digital Security Matters for Civil Society
Civil society organizations—particularly those working on human rights, governance, and accountability—are prime targets for digital attacks. This is because:
- CSO staff and networks provide valuable intelligence about advocacy campaigns
- Compromised systems can be used to spread disinformation
- Stolen data can be used to identify and target vulnerable beneficiaries
- Security breaches undermine public trust and organizational credibility
- Hackers can disrupt operations and derail important initiatives
Threat Landscape for CSOs in Cameroon
Based on our capacity building work with CSOs, we've identified several key threats:
Phishing and Social Engineering
Attackers send fraudulent emails appearing to come from trusted sources (donors, partner organizations, government agencies) to trick staff into revealing passwords or downloading malware. We've observed phishing attempts targeting CSO staff with the goal of compromising organizational email accounts and accessing confidential donor information.
Malware and Ransomware
Malicious software is distributed through email attachments, compromised websites, or USB drives. Once installed, malware can steal data, monitor keystrokes, or encrypt files for ransom. Many CSOs we've worked with have experienced data loss due to ransomware infections.
Targeted Surveillance
Government agencies and other actors may target CSO staff with surveillance tools to monitor their online activities, communications, and organizational planning. This is particularly common for organizations working on sensitive issues like governance and human rights.
Account Takeovers
Weak passwords and account recovery procedures allow attackers to take over email and social media accounts. We've seen several CSOs lose control of social media accounts during critical moments when they needed to communicate with beneficiaries.
Data Breaches
Insecure storage and transmission of sensitive data (beneficiary information, internal communications, financial records) leave that data open to unauthorized access. Several CSOs we've audited had no encryption or backup systems.
Building a Security Culture
Effective digital security starts with organizational culture and commitment. This requires:
Leadership Commitment
Security must be championed by organizational leadership. This means:
- Allocating budget for security tools and training
- Including security in organizational strategic plans
- Making security a regular agenda item in staff meetings
- Holding staff accountable for security practices
Staff Training and Awareness
Security is only as strong as your least-trained staff member. Organizations should:
- Conduct quarterly security awareness training
- Cover topics like phishing, password management, and safe browsing
- Use real examples relevant to your organization and context
- Make training engaging and ongoing, not one-time
- Include contractors and temporary staff in training
Clear Security Policies
Written security policies provide clarity and create accountability. Key policies include:
- Password Policy: Minimum 12 characters, mix of upper/lower case, numbers, symbols, changed every 90 days
- Device Policy: All devices accessing organizational data must have encryption, screen locks, and antivirus
- Data Classification: Clear categories for public, internal, confidential, and restricted data
- Access Control: Employees only have access to data they need for their jobs
- Incident Response: Clear procedures for reporting and responding to security incidents
Essential Security Measures
Every CSO should implement these foundational security measures:
Strong Passwords and Multi-Factor Authentication
Passwords are the first line of defense. Organizations should:
- Require passwords at least 12 characters long
- Use a password manager to generate and store complex passwords
- Enable multi-factor authentication (MFA) on all critical accounts (email, cloud storage, financial systems)
- Use authenticator apps rather than SMS for MFA when possible
- Immediately revoke passwords when staff leave the organization
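As an added illustration of the password policy above (12+ characters with a mix of upper-case, lower-case, digits and symbols) and of letting software generate credentials, the Python below checks a password against that policy and generates compliant passwords and passphrases with the operating system's cryptographic random source. It is example code written for this guide, not a COMPSUDEV tool; the short word list and the dictionary-fragment denylist are constructed placeholders, and a real deployment would use a large published word list and a breached-password list instead.

```python
import re
import secrets
import string

# Policy from the guide: at least 12 characters, with lower-case, upper-case,
# digits and symbols. Rotation cadence is an administrative setting and is not
# checked here.
MIN_LENGTH = 12
SYMBOLS = set(string.punctuation)

# Constructed denylist of fragments that appear in many weak passwords. A real
# deployment would consult a breached-password list (assumption, not part of the guide).
COMMON_FRAGMENTS = re.compile(r"(password|qwerty|123456|admin)", re.IGNORECASE)

# Constructed eight-word list for demonstration only: far too small for real use,
# where a list of thousands of words is needed for adequate entropy.
WORDLIST = ["river", "lantern", "basket", "orbit", "meadow", "copper", "signal", "harbor"]


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if re.search(r"(.)\1{3,}", password):
        problems.append("four or more repeated characters in a row")
    if COMMON_FRAGMENTS.search(password):
        problems.append("contains a common dictionary fragment")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies the policy using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate):
            return candidate


def generate_passphrase(words=4):
    """Generate a memorable passphrase (Capitalised-Words plus digits and a symbol)."""
    chosen = [secrets.choice(WORDLIST).capitalize() for _ in range(words)]
    return "-".join(chosen) + str(secrets.randbelow(100)) + "!"


if __name__ == "__main__":
    for sample in ("Password12345", "Tr0ub4dor&3x!", generate_password(), generate_passphrase()):
        print(sample, "->", check_password_policy(sample) or "OK")
```

The checker is deliberately strict about length first: length contributes more to resistance against guessing than symbol variety does, which is why the passphrase generator produces long output even though each word is ordinary.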
Device Security
Computers and phones are gateways to organizational data. Ensure:
- All devices have full disk encryption enabled
- Operating systems and applications are kept updated with security patches
- Antivirus and anti-malware software is installed and actively scanning
- Devices are protected with screen locks and automatic shutdown
- Personal and organizational use of devices is separated when possible
- Lost or stolen devices can be remotely wiped
Email Security
Email is the primary attack vector for CSOs. Protect it by:
- Using reputable email providers with strong security track records
- Publishing SPF, DKIM, and DMARC records for your domain to prevent email spoofing
- Training staff to identify phishing emails
- Encrypting sensitive emails
- Archiving important emails for compliance and recovery
- Using email security gateways that scan for malware and phishing
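The SPF, DKIM and DMARC records mentioned above are only useful if they are configured strictly, and a common finding in audits is a record that exists but enforces nothing. The Python below is an added example (not COMPSUDEV's tooling) that evaluates a domain's records offline and reports weak settings; the domain name and the TXT records are constructed samples, one weak and one hardened, rather than real DNS lookups. A practitioner would feed it the output of a DNS query for the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK_RECORDS = {
    "example-cso.org": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example-cso.org": "v=DMARC1; p=none; rua=mailto:dmarc@example-cso.org",
    "mail._domainkey.example-cso.org": "v=DKIM1; k=rsa; p=",
}
HARDENED_RECORDS = {
    "example-cso.org": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example-cso.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cso.org",
    "mail._domainkey.example-cso.org": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)", re.IGNORECASE)


def evaluate_spf(record):
    """Report SPF weaknesses: missing record, permissive 'all', too many lookups."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published; spoofed mail is not flagged"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unknown senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' lets any host send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, equivalent to no policy")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail; receivers may still deliver spoofed mail")
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; record evaluates as permerror")
    return findings


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC or DKIM) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Report DMARC weaknesses: missing record, monitoring-only policy, partial enforcement."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no record; receivers cannot apply the domain's policy"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


def evaluate_dkim(record):
    """Report a missing DKIM selector record or an empty (revoked) public key."""
    if not record or not record.upper().startswith("V=DKIM1"):
        return ["DKIM: no selector record; outgoing mail cannot be verified"]
    if not parse_tags(record).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []


def audit_domain(domain, records, selector="mail"):
    """Combine the three checks for one domain using the supplied TXT records."""
    return (evaluate_spf(records.get(domain))
            + evaluate_dmarc(records.get(f"_dmarc.{domain}"))
            + evaluate_dkim(records.get(f"{selector}._domainkey.{domain}")))


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit_domain("example-cso.org", records) or ["no findings"])
```

The usual rollout is to publish DMARC with p=none first, read the aggregate reports sent to the rua= address to confirm all legitimate mail sources pass SPF or DKIM, and only then move to p=quarantine and p=reject; the checker treats p=none as a finding because organisations frequently stop at that first step.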
Data Protection and Backup
Data is your most valuable asset. Protect it by:
- Encrypting sensitive data at rest and in transit
- Implementing automatic daily backups to secure locations
- Testing backup recovery procedures regularly
- Storing backups offline or in geographically separate locations
- Implementing data retention and destruction procedures
- Using secure cloud storage with access controls
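Backups that have never been restored are untested, and the list above calls for regular recovery tests. The following Python is an added example written for this guide (not COMPSUDEV's own procedure) of a restore drill: it records a SHA-256 manifest when the backup is taken, restores the archive into a clean directory while refusing archive entries that would escape it, and compares the restored files against the manifest. The files it backs up are constructed in a temporary directory, and the deliberate corruption of one restored file at the end shows what a failed verification looks like.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source, archive):
    """Write a .tar.gz of source plus a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_members(tar):
    """Yield archive entries, refusing any that could write outside the restore directory."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts or member.issym() or member.islnk():
            raise ValueError(f"unsafe archive entry: {member.name}")
        yield member


def restore_backup(archive, restore_dir):
    """Extract the archive into restore_dir through the safe_members filter."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, members=safe_members(tar))


def compare_manifests(expected, actual):
    """List every file that is missing, altered or unexpected after a restore."""
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"changed: {name}")
    problems.extend(f"unexpected: {name}" for name in actual if name not in expected)
    return sorted(problems)


def run_drill():
    """Back up constructed files, restore and verify them, then corrupt one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, restore = tmp / "data", tmp / "restore"
        (source / "reports").mkdir(parents=True)
        (source / "reports" / "q1.txt").write_text("quarterly report (constructed sample)\n")
        (source / "beneficiaries.csv").write_text("id,name\n1,Example Person\n")
        archive = tmp / "backup.tar.gz"
        manifest = create_backup(source, archive)
        restore_backup(archive, restore)
        clean_result = compare_manifests(manifest, build_manifest(restore))
        # Simulate corruption (disk fault, ransomware, tampering) of one restored file.
        (restore / "reports" / "q1.txt").write_text("tampered\n")
        tampered_result = compare_manifests(manifest, build_manifest(restore))
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = run_drill()
    print("clean restore:", clean or "all files verified")
    print("after corruption:", tampered)
```

Keep the manifest somewhere other than next to the archive (for example with the offline or geographically separate copy the list above recommends), since an attacker who can rewrite the backup can otherwise rewrite the manifest to match.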
Network Security
Network infrastructure should be protected:
- Use firewalls to control network traffic
- Separate sensitive systems on their own network segment
- Use WiFi Protected Access 2 (WPA2) or WPA3 with strong passwords
- Disable WPS (WiFi Protected Setup) on wireless networks
- Monitor network activity for unusual patterns
- Keep network devices (routers, switches) updated with security patches
Advanced Security Practices
As organizations mature, they should implement advanced measures:
VPNs for Remote Work
Virtual Private Networks encrypt a device's internet traffic on its way to the VPN server, so staff working from home or on public WiFi are shielded from eavesdropping on the local network. This is essential for CSOs with remote staff or field researchers.
End-to-End Encryption for Communications
Use messaging and communication tools with end-to-end encryption (WhatsApp, Signal, Telegram) for sensitive communications, so that messages cannot be read in transit, even by the service provider.
Regular Security Audits and Penetration Testing
Larger CSOs should conduct annual security audits by external professionals to identify vulnerabilities before attackers find them.
Incident Response Planning
Develop and practice procedures for responding to security incidents:
- Who to contact when a security incident occurs
- How to isolate affected systems
- How to preserve evidence for investigation
- How to notify affected parties and authorities
- How to recover systems and resume operations
Lessons from Our Audits
Based on security audits of 15 CSOs in Cameroon (conducted with support from Defend Defenders and Tech Sisters), we identified common security gaps:
Findings
- 86% of organizations had no written security policy
- 73% of organizations lacked multi-factor authentication
- 67% of organizations had devices with outdated software
- 60% of organizations had no backup systems
- 53% of organizations lacked security awareness training
- 40% of organizations used weak passwords without a password manager
Improvements Made
After providing recommendations and support, the same organizations showed improvements:
- 100% of organizations adopted a security policy
- 87% of organizations implemented multi-factor authentication
- 95% of organizations established regular patching schedules
- 100% of organizations implemented backup systems
- 100% of organizations conducted security training
- 93% of organizations adopted password managers
Resources and Tools
Many excellent security resources are available for CSOs at little or no cost:
Free Security Tools
- Password Managers: KeePass, Bitwarden, 1Password (free tier)
- Antivirus: ClamAV, Avast, AVG (free tier)
- Encryption: VeraCrypt, 7-Zip
- VPN: Proton VPN (free tier), Mullvad
- Messaging: Signal, Telegram
Training Resources
- Tactical Tech: Security guides specifically for NGOs
- Freedom of the Press Foundation: Digital security training
- Electronic Frontier Foundation: Surveillance self-defense guides
- Internews: Digital security for media and civil society
Getting Help
If your organization needs security support, COMPSUDEV offers:
- Security assessments and audits
- Staff security awareness training
- Policy development assistance
- Technology recommendations and implementation support
- Incident response assistance
Contact us to discuss your organization's security needs and arrange support.