Digital security breaches can cause serious harm to civil society organizations (CSOs) and those they work with. These threats also pose a risk to grantmakers and to the larger strategies of impacted organizations. Grantmakers therefore should be able to assess and, when appropriate, help their grantees and grant applicants address digital security threats. Yet, because digital security is new terrain for many grantmakers, they are likely to be unfamiliar with the language of information security and to face difficulty convincing grantees to make changes in technology, an area in which grantees historically have been left to make their own decisions. Further, CSOs often face limits in their ability to combat digital threats due to limited budgets and competing priorities, as well as a lack of effective staff, policies, and software to counter these threats.
What’s in the Report
This report was written by employees of the Ford Foundation, Open Society Foundations, the MacArthur Foundation, and the Citizen Lab at the University of Toronto. It was published by the NetGain Partnership, a collaboration between six of the nation’s leading foundations to address issues of the digital age. The report provides an introduction to funders on how to assess the existence and potency of digital threats to grantees, and how to support grantees to bolster their digital security.
The report details two types of digital threats: passive monitoring (analogous to a phone tap on metadata and communications) and remote intrusion (traditional “hacking”). It recommends that, when supporting grantees to improve their digital security, funders take a case-by-case approach and remember that the goal is not to prevent attacks, but to “make hackers work harder.” It recommends three initial steps for funders: 1) Perform initial triage: identify grantees as “some risk” or “high risk” based on their activities and contexts; 2) Recalibrate: contact “high-risk” grantees to make sure they truly are at higher risk; 3) React: with high-risk organizations, steps can include identifying a specialist to conduct a needs and threats assessment and audit; supporting creation of new policies and procedures; and funding the resulting plan.
The report suggests seven questions that funders can ask about organizations’ digital security systems and procedures, as well as their plans to improve security and respond to crisis. Finally, the report recommends that funders take a systematic, rather than piecemeal, approach to digital security, and that they encourage grantees to make iterative capacity improvements. It urges funders to support grantees in developing short- and long-term security plans, and to collaborate with other funders who are similarly interested in advancing digital security at the grantee and field levels. In its annex, the report offers suggestions for international travel security policy, including traveling with devices that do not contain sensitive materials and fully encrypting devices in case of theft.