Case Studies

A Voting Rights Organization

What Citizen Clinic Did: A team of students from Citizen Clinic, led by mentors from UC Berkeley and partner organizations, reached out to help the organization secure its online systems against cyberattacks.

They began by conducting a large-scale audit to understand the organization’s cybersecurity challenges and the threats their team members faced. This audit exposed that the organization had no formalized structures in place for securing online accounts and responding to security incidents. More worryingly, many of the organization’s online accounts were accessed by multiple volunteers through shared logins. The Citizen Clinic student team identified the shared accounts as the greatest immediate risk, and focused their efforts on moving the organization toward a more robust, secure account system.

A Regional Abortion Fund

What Citizen Clinic Did: The Citizen Clinic student team performed an audit of the client’s information storage and communication systems, as well as a comprehensive risk assessment that led to the identification of key organizational assets and likely threat scenarios. As part of this process, the team met with different people in the organization and rigorously documented the organization’s information workflow.

The students created a series of spreadsheets to help organize this information, which ultimately helped identify which systems were most vulnerable and contained sensitive information. This risk assessment revealed a major vulnerability in a document storage system that contained both financial information and patient data. In addition, vulnerabilities were found in the organization’s email system, as well as in an online form and data collection tool. The Citizen Clinic’s student team also upgraded some of the organization’s key digital business systems, which had previously been too difficult to safely and efficiently use. They also completed a migration of assets to a more secure data storage platform; re-organized a folder structure to better manage access permissions; and enabled multi-factor authentication for the organization’s new accounts.


A Domestic LGBTQ Support Organization

What Citizen Clinic Did: The Citizen Clinic team first gained a foundational understanding of the organization’s unique context, a contextual research process that included an in-depth interview with the technology director and a review of the organization’s existing cybersecurity protocols.

Based on insights from industry experts, the students provided concrete suggestions about how the organization could enhance its cybersecurity training program, as well as its telephone and website security. They also connected the organization with experts who could provide future support beyond the Clinic’s capabilities. After implementing cybersecurity practices, the students developed short security quizzes to assess the degree to which these practices had “sunk in” for the organization’s members. The quizzes were intended to remind staff about existing policies as well as to reveal any possible weak spots in training. In addition, the students conducted a comprehensive phishing campaign: they emailed fifteen members from an unfamiliar email address and urged them to click a link and submit their credentials. The phishing campaign provided the technology director with concrete feedback on the organization’s strengths and weaknesses with respect to phishing attacks.

Land Is Life, an Indigenous Community Support Network

What Citizen Clinic Did: A student team from Citizen Clinic performed an analysis of factors contributing to vulnerabilities and threats to Land is Life. The students interviewed regional field directors in different geographies (i.e. Africa, Asia, and Latin America), which revealed that team members around the world used a variety of digital devices, communication methods, and security practices. While the organization had baseline security practices in place, they lacked standardized secure protocols for communications and travel.

Citizen Clinic addressed this problem by developing a communications and travel protocol guide with a quick-guide section for easy usage. The student team also wrote a technology onboarding guide so that employees could quickly set up their devices in a secure fashion, independent of their understanding of secure communications or travel practices. They also conducted phishing testing, which revealed that the organization was vulnerable to phishing attacks. They presented Land is Life’s leaders with a series of recommendations for implementation and integration. “We wanted to keep documents concise and condensed so that users of the document could quickly acquire the information they need and would not get fatigued from its density, while also being thorough in informing people of the motivations behind why such practices are necessary or important,” the students explained.
