DeepSec 2018 Talk: Security as a Community Healthcare: Helping Small Non-Profit Organisations Stay Secure – Eva Blum-Dumontet
This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation.
Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection both from a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of Privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats, from office burglary and physical surveillance by intelligence services to phishing attacks, Hacking Team-type malware, etc. Yet the advice they have received so far has been solely focused on end users, not organisations. This talk will highlight our journey towards challenging this situation and our take on attempting to help small organisations with network security.
We asked Eva a few more questions about her talk.
Please tell us the top 5 facts about your talk.
- This talk is about the real experience of security: What does security look like on the ground for small NGOs in the Global South?
- This talk is given by a non-technical person, who had to learn how each employee in an organisation can work on making their organisation more secure.
- This is about our journey on how we came to approach security through trial and error, and we are brutally honest about it.
- We will present Thornsec, our response to organisational security challenges.
- We are not here to provide definitive answers. Many of you in this room will understand security better than we do and we hope you will help us to grow!
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Too often we see security being discussed in the abstract, without understanding a threat model but also without understanding the reality of people’s lives and how they are affected by infosec practices. At Privacy International, we deal with those real-life stories on a daily basis within our network of organisations and we thought it was important to tell these stories and explain what led us to approach security the way we do. It’s not perfect; we are still learning and we hope that participating in conferences like DeepSec will be an opportunity for us to improve.
Why do you think this is an important topic?
Organisational security affects NGOs, who are defending our rights, all over the world. They have limited resources and are often at risk regarding very specific threat models. We need to engage the security community to find solutions for them beyond the “Use PGP/use Tor” trainings that have historically been provided. Offering solutions that work for small NGOs also means finding solutions that could be applied to many other small businesses, making our whole society more secure.
Is there something you want everybody to know – some good advice for our readers maybe?
People who are joining in should definitely check out Thornsec on GitHub.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
With the development of the Internet of Things and the reliance on “bring your own device” policies, the risks for organisations will multiply. At the moment we know printers are still a massive vulnerability for a lot of small organisations, yet more and more objects will now be connected to the internet and become new vulnerabilities.
Eva Blum-Dumontet has been a researcher at Privacy International since 2014. She is leading a project on gender and privacy, exploring the impact of corporate, government and societal surveillance on women and gender non-conforming individuals. She is the author of a report on smart cities and their impact on the right to privacy. Her work has largely focused on the Global South and she conducted a number of investigations on government surveillance in various countries, including Egypt and Thailand.