So the question becomes: What can you do, even if you can’t do everything? The answer: shift to treating cybersecurity as a process of continual improvement where you start with a handful of high-leverage interventions, embed them in your organization's routines, and commit to growing over time.
Think of it a little like personal health: if you don’t exercise, eat processed foods, smoke, and drink to excess, you won’t become an Olympic athlete overnight, but you also don’t really ever have to become one. You can start today by getting a little exercise, tomorrow cut back on drinking, quit smoking at New Year’s Eve, and mix in a few healthy meals per week. When you start to see some positive outcomes, you’ll want to commit to getting better all the time. You may never be perfect, but don’t let that discourage you from being better. It might just make all the difference for your organization.
In this spirit, in this three-part series, we will share six interventions to give you a place to start. If you’ve already done these things, great! You are already ahead of many, many organizations. If not, these are simple, practical, oriented to organizations with limited capacity - but can make a meaningful difference.
1. Embrace Your Cyber Risk → Build The Right Approach for Your Organization
Some activist organizations implicitly assume “we’re small, we’ll fly under the radar”, but that assumption is unsafe, especially when you operate in contested or high-risk spaces. A small group working on human rights, climate activism, or political advocacy is often exactly the kind of target adversaries look for.
Those who do not have highly technical skill sets often struggle to assess digital risk in the ways we do every day in the physical world. We generally understand how we should carry ourselves, for example, at night in a high-crime city or when undertaking a dangerous sport like mountain biking, so that we can minimize risks to our personal safety. We take measures to minimize the risk of the worst things happening to us or at least to lower the impact of an adverse event. The challenge is to start to understand and consider the digital risks we face, so we can decide what actions are appropriate for our lives and our organizations.
Actions to Take:
1. Convene a working session (in-person or virtual) with leadership and key staff/volunteers and ask:
What data, systems, or accounts would cause major harm if compromised (to our mission, our people, our constituents, our reputation)?
Where are those assets stored/accessed (own laptop, cloud account, shared drive, website)?
What known threats exist (phishing, credential theft, infiltration, device grab, website defacement, state-level intrusion)?
How severe would the consequences be if we were to suffer an intrusion?
2. Once you’ve identified your most critical assets and identified real threats, document them in plain language.
Even a single page, bullet-pointed, works. It gives you a focus: you’re not trying to protect everything equally, you’re protecting what matters most.
Keep an open mind: be sure to consider not just donor/supporter data, but also community partner data, sensitive campaign materials, and identities of vulnerable people you serve.
Recognize the personal risk: staff, volunteers, and local partners may be individually targeted.
Decide what you can let go of: maybe you don’t need to collect or keep certain data at all.
2. Know What You Have → Inventory & Optimize
Once you’ve identified what matters, you need to map where it lives and reduce unnecessary exposure. A frequent chronic weakness in smaller organizations is accumulating data, accounts, and devices without review. Unused accounts become entry points. Old files accumulate. Devices move between offices or travel. It is important (and not too difficult) to compile and maintain an up-to-date list of all hardware and software assets, and all critical data.
Actions to Take:
1. Create a simple inventory on a spreadsheet (with access limited to those who manage it, of course)
Columns could include “Asset description” (e.g., Google Drive folder ‘CampaignX’, laptop of Kevin the Outreach Manager), “Who has access”, “When was it last reviewed/used”, “Level of sensitivity (high/moderate/low)”. Think about other relevant information like serial numbers and warranty information (in the case of devices).
Make sure someone has responsibility for keeping the inventory current, and that it becomes part of the onboarding and offboarding process as staff and volunteers come and go.
2. Immediately disable or delete any accounts for people who have left, remove former volunteers’ access, and archive old campaigns or drives that no longer serve active work.
3. When travelling or working remotely (in hostile or restricted environments), assume devices might be lost/seized — have an offline or minimal device policy for high-risk situations.
These measures might not feel like cybersecurity approaches, and on their own, they are not. But they create a foundation on which changes can be made to processes and behaviors to enable a stronger cybersecurity posture. Especially for organizations without a lot of in-house IT expertise, it is critical to identify measures that can be taken in lieu of some of the more sophisticated technical controls.
In the next two installments, we will go into what some of these measures are.
🔗 Meanwhile, you can head to our free, online safe-paced course on Digital Safety and Security and boost your skills further!
