Case Study 1: HopeAssistOrg

“HopeAssistOrg” (ed: fake name) is a nonprofit organization focused on providing direct resources and counseling support to the trans community in the United States. Headquartered in New York City, it has employees, volunteers, and executives working remotely across the country. HopeAssistOrg depends on external funding from individual donors and grants from private foundations. Leaders believe it is imperative that HopeAssistOrg protect the financial and personal data associated with its funding to maintain a reputation as a responsible organization.

Some of the top threat actors for HopeAssistOrg are transphobic groups like trolls from “fast moving image boards” or “chans”. Users on these websites use OSINT skills to collect personal information (like home addresses or dead names) about HopeAssistOrg affiliates and post them on public platforms for harassment. They sometimes organize online harassment campaigns on social media (Twitter, LinkedIn, Facebook) directly targeting the organization’s staff and volunteers with hateful speech. Chan “trolls” will typically send hateful content via public or private social media channels but someone has previously left a letter on the front door of the home HopeAssistOrg senior employee. The trolls have threatened SWATing several times, but thankfully, this attack has not happened yet. HopeAssistOrg will not engage directly with law enforcement.

A previous audit of HopeAssistOrg’s security revealed several good practices such as (1) organizational devices which can be wiped remotely, (2) mandatory 2FA (authenticator app) for all employees and volunteers on organizational (GSuite) accounts (3) mandatory comprehensive training on phishing (4) a dedicated Slack channel for cybersecurity incident reporting, and (5) 2FA (authenticator app) for organizational social media accounts. They currently do not have policies for handling harassment, online or offline, or misinformation, however the organization does set Google alerts for the names of the organization and its staff as a simple way to keep abreast of brewing attacks.

Select roles as the HopeAssistOrg’s Executive Director, Technical Lead, Human Resources / Admin Lead, and a Program Manager.

1. What are the harms or risks you find most important to address? (top 3)

2. Which mitigations would you prioritize for implementation? (top 3)

Case Study 2: HaveAHeartOrg

“HaveAHeartOrg” (ed: fake name) supports the safety and advocates for the land rights of Indigenous groups in the Sahel region of Africa. Based in London, HaveAHeartOrg helps facilitate organization, funding, and exposure for these groups. HaveAHeartOrg primarily functions as a matchmaker and enabler by connecting its partners with private foundations for grant opportunities, with journalists and activists to report on the situation facing the partner, and with legal experts to help with litigation efforts. HaveAHeartOrg relies upon its website, social media presence, and newsletter to raise awareness of the needs in this space.

Given conflicts over natural resources and borders, Indigenous groups face a wide range of threats from governments, paramilitaries, other Indigenous groups, and corporations. One major threat for HaveAHeartOrg is the nation of Abkhazia and its state owned enterprises that invest and operate in Sahel Africa. Abkhazian cyber attacks by security services will often gain access to email or social media accounts (via spear phishing) to collect personal or compromising information for leverage over their adversaries. Additionally, Abkhazia’s funding and influence over media throughout the Sahel region creates a platform where information leaks and disinformation can be easily disseminated. Abkhazia have used these platforms (web, print, radio) to discredit “Western” organizations and competing stakeholders internationally.

HaveAHeartOrg’s connections and funding to many partners across the region is a valuable asset for HaveAHeartOrg. However, for some partners, the local perception of being affiliated or funded by a Western NGO would damage the reputation of the partner and place employees of both organizations in physical danger in that country. HaveAHeartOrg communicates with many partners that have minimal digital security measures and, while the organization has enabled 2FA (YubiKey) on all of its organizational email and social media accounts, they don’t feel comfortable helping their partners use 2FA. In a survey, a couple employees of HaveAHeartOrg stated that they felt leadership does not take disinformation threats seriously since no proactive steps have been taken to “bolster the organization’s reputation” in the region.

You are a consultant team working directly with the organization’s Technical Lead.

1. What are the harms or risks you find most important to address? (top 3)

2. Which mitigations would you prioritize for implementation? (top 3)