Russian Moles in NGOs? Here Is What You Can Do

Photo: JD Hancock (CC BY 2.0) on Flickr

As you may have heard, Maria Butina, one of the alleged Russian spies accused of trying to influence the 2016 US elections, was involved in an Internews research project that included gathering information on the cybersecurity of other nonprofit organizations.

I feel really bad for Internews since nonprofit organizations obviously don’t have the resources to do exhaustive background checks on staff, let alone on graduate students like Butina who are temporarily involved in a project.

Nevertheless, NGOs and nonprofits can learn from this incident. After all, people cannot steal what you don’t have, and in the context of organizations working on human rights or freedom of the press, what some people want is your data.

Here are some things you can do to protect your data:

  • Don’t collect data you don’t need. For example, do you really need to collect the names or GPS coordinates of people you have talked to? You should always have a specific reason for collecting data before doing so. Don’t collect data “in case we find a use for it later”.
  • Anonymize where possible. Unless you intend to contact the same people again and again, you can probably replace personal information, such as a name, with numbers. So John Smith becomes Interviewee 14.
  • If you have to store data, don’t share it. Think about who really needs access to the data. Just you? Everyone in your local office? Everyone in the organization? You should restrict sensitive data to the smallest number of people possible. If you need to report up, aggregate or anonymize the data. HQ probably doesn’t need to have access to your full data set.
  • Encrypt it. Data on your work computer should be encrypted and protected with a secure password. Data on a shared drive should be encrypted where possible at the file level. While this may not stop the Russian FSB, it can stop less sophisticated actors.
  • Don’t keep it! Put a data retention policy in place that defines when data will be deleted and adhere to the policy.
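As an added illustration of the anonymize and retention points above (example code written for this post, not a tool the author recommends), the snippet below takes a constructed interview log, drops the GPS field that was never needed, replaces names with consistent "Interviewee N" labels while keeping the name-to-label key separate so the same people can still be re-contacted, and purges records older than a retention period. The record fields and the 90-day period are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample records (not real data): an NGO interview log.
RECORDS = [
    {"name": "John Smith", "gps": (48.85, 2.35), "date": "2018-01-10", "topic": "press freedom"},
    {"name": "Ana Lopez", "gps": (40.41, -3.70), "date": "2018-06-02", "topic": "detention"},
    {"name": "John Smith", "gps": (48.86, 2.36), "date": "2018-07-01", "topic": "follow-up"},
]


def pseudonymize(records, keep_fields=("date", "topic")):
    """Replace each name with 'Interviewee N' and drop every field not in keep_fields.

    Returns (anonymized records, name->label key). The key is the only thing that
    links a label back to a person, so store it apart from the data set and limit
    access to the few people who genuinely need to re-contact interviewees.
    The same person always gets the same label, so follow-ups stay linkable.
    """
    key = {}
    anonymized = []
    for record in records:
        label = key.setdefault(record["name"], f"Interviewee {len(key) + 1}")
        row = {"interviewee": label}
        # Only whitelisted fields survive; GPS coordinates and names are gone.
        row.update({field: record[field] for field in keep_fields if field in record})
        anonymized.append(row)
    return anonymized, key


def apply_retention(records, today, max_age_days):
    """Return only records newer than the retention cutoff; the rest are deleted."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in records if date.fromisoformat(r["date"]) >= cutoff]


if __name__ == "__main__":
    anon, key = pseudonymize(RECORDS)
    kept = apply_retention(anon, date(2018, 8, 1), max_age_days=90)
    print("shareable data set:", kept)
    print("separately stored key:", key)
```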

Following these basic principles will not only make your data more secure, it will also help you comply with the EU’s General Data Protection Regulation (GDPR), which already requires you to do some of these things.

In addition, I would recommend the following resources:

What are your thoughts? Please leave a comment below!