The demands and requirements for information security of nongovernmental organizations in the countries of the Eastern Europe and Central Asia region are increasing every year. Their personal security, as well as the activities and safety of the organizations themselves, largely depends on the development of the relevant knowledge and skills of their staff. In June 2021, a two-day information security training was held in Batumi, Georgia, for UnMode members, where network activists received the necessary tools to store and transmit data, correspondence, etc.
The argument for the need for information security training for UnMode members was simple: if activists don’t know how to recognize a security threat, then how can they avoid it and protect themselves.
They can’t!
According to information security specialist and trainer Dmitry Pukalenko, who trained UnMode members in Batumi, worldwide studies of the state of information security show that security, such as email and employee training, are the main problems faced by various organizations.
In addition, most people do not even know what phishing or malware (software) is. That said, affected organizations almost always have security software and the ability to use secure communication channels. That alone is not enough. Employees themselves, not technology, are the most vulnerable link to possible information threats.
This does not mean that employees behaving insecurely are irresponsible. They make common human mistakes – using insecure communication channels, not taking advantage of various programs that increase security, etc. But this happens if they are not prepared for such things, have not participated in information security training and education programs.
According to Pukalenko, 90-95% of information security breaches are caused by human error. Therefore, the changing patterns of work and communication and the scale of presence on the Internet make it urgent to teach information security skills.
To protect yourself and your organization, you need training,” Dmitry Pukalenko told UnMode members at the beginning of the training. – By becoming familiar with the threats, the procedures to take when a threat is detected, you strengthen the most vulnerable links in your security chain.
Information security education and training is no longer a personal choice. Members of various nongovernmental organizations today are the first and main line of defense. Ideally, any activist with access to work information should receive information security training. After all, almost anyone can become a target – personal phones can hold data that can be used to access information; or, if an activist becomes a victim of identity theft – that unique information can be used against him or herself or the organization.
For UnMode, information security training for its members is extremely important also because the network is regional, operating in many CEECA countries. Because of this, there is a lot of cross-country communication involving data transfer. And, in addition, UnMode does not have an office, so all operations are conducted remotely.
Remote work using cloud technology has increased the efficiency of UnMode, but at the same time it has increased the risk of intrusions into the network’s information flows. In this situation, network members bear their own responsibility for the use of any personal endpoint devices, so taking information security training in Batumi aimed primarily at teaching them how to use various personal devices: laptops and cell phones.
The training program began with basic information – for UnMode members to be able to detect and prevent violations, they need to know about the different forms of threats. For the most part, this includes spam, phishing, malware, etc. For example, spam is not only found in emails, but also in messages and invitations on social networks. The same goes for phishing and various other malware.
Much of the training focused on the importance of passwords. Today, passwords are needed everywhere – to unlock one’s devices, to log into accounts, and for every work-related application. Conceived as a security tool, this tactic has led many people to set common, repetitive passwords that are easy to remember and, consequently, easy to crack. At the training session, participants discussed how important passwords are and what reliable programs there are that can generate and store passwords.
Behavioral habits with e-mail and social media can put activists and the organization at risk. That’s why the training also included a discussion of policies and guidelines on the use of e-mail, the Internet, and social media.
Protecting available data and its transmission is an important component of information security. At the UnMode information security training session, activists learned and installed special programs on their own laptops and phones that increase the level of protection of all data during storage and transmission.
As a result, this specialized training allowed each member of the network, through training and coaching on software installation and use, to develop a full virtual protection strategy that takes into account UnMode’s unique organizational structure, data privacy, and the needs of its members.
An additional part of the safety training program was an explanation of current Russian legislation on the activities of non-governmental organizations, conducted by lawyer and human rights activist Arseny Levinson. Today it is important to understand what conditions for work exist within the current legislation in order not to violate them. Conducting activities in Russia in accordance with the legislation, development of an understandable protocol on safety, its implementation in practice should ensure the possibility to continue activities among key populations.
Overall, the goal of the training was to change security habits and behaviors and create a sense of shared responsibility. Of course, the one-off two-day security event for activists held in Batumi with the financial support of AFEW International was not enough to achieve this goal, so the training in information security skills for members of UnMode and friendly organizations will continue in the very near future.