They began by conducting a large-scale audit to understand the organization’s cybersecurity challenges and the threats their team members faced. This audit exposed that the organization had no formalized structures in place for securing online accounts and responding to security incidents. More worryingly, many of the organization’s online accounts were accessed by multiple volunteers through shared logins. The Citizen Clinic student team identified the shared accounts as the greatest immediate risk, and focused their efforts on moving the organization toward a more robust, secure account system.
The students created a series of spreadsheets to help organize this information, which ultimately helped identify which systems were most vulnerable and contained sensitive information. This risk assessment revealed a major vulnerability in a document storage system that contained both financial information and patient data. In addition, vulnerabilities were found in the organization’s email system, as well as in an online form and data collection tool. The Citizen Clinic’s student team also upgraded some of the organization’s key digital business systems, which had previously been too difficult to safely and efficiently use. They also completed a migration of assets to a more secure data storage platform; re-organized a folder structure to better manage access permissions; and enabled multi-factor authentication for the organization’s new accounts.
Based on insights from industry experts, the students provided concrete suggestions about how the organization could enhance its cybersecurity training program, as well as its telephone and website security. They also connected the organization with experts who could provide future support beyond the Clinic’s capabilities. After implementing cybersecurity practices, the students developed short security quizzes to assess the degree to which these practices had “sunk in” to the organization’s members. The quizzes were intended to remind staff about existing policies as well as to assess any possible weak spots in training. In addition, the students ran a comprehensive phishing campaign, emailing fifteen members from an unfamiliar email address and urging them to click a link and submit their credentials. The phishing campaign provided the Technology Director with concrete feedback on the organization’s strengths and vulnerabilities to phishing attacks.
Citizen Clinic addressed this problem by developing a communications and travel protocol guide with a quick-guide section for easy use. The student team also wrote an onboarding guide for technology so that employees could quickly set up their devices in a secure fashion, independent of their understanding of secure communications or travel practices. They also conducted phishing testing that revealed the organization was vulnerable to phishing attacks. They presented Land is Life’s leaders with a series of recommendations for implementation and integration. “We wanted to keep documents concise and condensed so that users of the document could quickly acquire the information they need and would not get fatigued from its density, while also being thorough in informing people of the motivations behind why such practices are necessary or important,” the students explained.