One of the first things you need to do to protect your technology stack is to know what’s in it! Do you have an inventory of all software and hardware used by your organization? Is it kept up to date? You can’t protect what you don’t know you have, so definitely don’t skip this step.
Have a look at points 1 and 2 in the "Cybersecurity" series, here. In this installment, we’ll take things a step further, with points 3 and 4, and consider how to protect sensitive data and access to our systems.
3. Data Discipline → Protect What You Collect
For activist organizations, data isn’t just files; it represents people’s lives, identities, and safety. A careless spreadsheet or unsecured folder can expose supporters, witnesses, or partners to real danger. Practicing data discipline means being intentional about what you collect, how you store it, and who can see it. Once you have created your inventory (see point number 2), you now need to decide how to manage and protect your data. This doesn’t require expensive tools, just a shift in culture and behavior.
Actions to Take:
1) Start by asking three simple questions about the information you collect and hold:
Do we really need this data?
Every name, phone number, or image you store carries risk. If you don’t truly need it to achieve your mission, delete it or avoid collecting it in the first place. For example: if you’re running an event, collect only the data needed for logistics, not full profiles or ID numbers.
Where does it live, and how exposed is it?
Many organizations spread data across personal laptops, WhatsApp threads, shared drives, Google Sheets, Signal backups, and USB sticks. Make a quick list of where your sensitive data lives (especially information about people, partners, or ongoing campaigns). Then, decide which locations are trusted (e.g., encrypted cloud folders with MFA) and which are risky (personal devices, open drives, old email threads). Move sensitive items out of risky spaces.
Who can access it, and who shouldn’t?
Activist groups often grow fast and share generously. But old volunteers, consultants, or coalition partners may still have access to shared folders or group chats. Once a quarter, review access: remove anyone who no longer needs it, and reset passwords or permissions after people leave a project.
2) A few other habits to consider:
Label folders or files with sensitivity levels: even simple tags like “HIGHLY SENSITIVE – internal only” can shape safer behavior.
Enable auto-deletion or regular review: especially for chat messages and emails that contain sensitive data.
Keep one “clean” backup of essential files: encrypted and offline so that if something is lost, seized, or deleted, you can recover.
3) You may be working in high-risk contexts. If that is the case, you may also consider:
Use encrypted messengers (Signal, Wire) for sensitive coordination.
Avoid storing lists of activists, donors, or community members together in a single document.
Consider using pseudonyms or codes for participants in dangerous settings.
If you must collect sensitive information (e.g., testimonies, evidence), establish a separation of identity and content and store identifiers in a different location or system.
Consider encryption options for data on highly vulnerable individuals.
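An added example (not part of the original article) of the separation of identity and content described above: intake records are split into a content store that carries only a participant code and an identity store that maps codes to people and is kept somewhere else. The field names, the "P-" code format, and the sample records are assumptions constructed for illustration.

```python
import secrets

# Constructed sample intake records (not real people).
INTAKE = [
    {"name": "Witness A", "phone": "+000 555 0101", "testimony": "Saw the eviction on 3 May."},
    {"name": "Witness B", "phone": "+000 555 0102", "testimony": "Received a threatening call."},
    {"name": "Witness A", "phone": "+000 555 0101", "testimony": "Follow-up: police arrived late."},
]

IDENTITY_FIELDS = ("name", "phone")  # assumed field names for this example


def split_records(records):
    """Return (identity_store, content_store).

    identity_store: code -> identifying fields (store separately, encrypted)
    content_store:  records holding only the participant code and the content
    """
    identity_store, code_for_person, content_store = {}, {}, []
    for rec in records:
        person = tuple(rec[f] for f in IDENTITY_FIELDS)
        if person not in code_for_person:
            # Use a random code, not a hash of the name or phone number:
            # hashes of short identifiers can be reversed by guessing.
            code = "P-" + secrets.token_hex(4)
            while code in identity_store:  # regenerate on the rare collision
                code = "P-" + secrets.token_hex(4)
            code_for_person[person] = code
            identity_store[code] = dict(zip(IDENTITY_FIELDS, person))
        content = {k: v for k, v in rec.items() if k not in IDENTITY_FIELDS}
        content["participant"] = code_for_person[person]
        content_store.append(content)
    return identity_store, content_store


def reidentify(content_record, identity_store):
    """Re-join one content record with its identity; requires both stores."""
    return {**identity_store[content_record["participant"]], **content_record}


if __name__ == "__main__":
    ids, content = split_records(INTAKE)
    for row in content:
        print(row)  # safe to share with analysts: no name or phone
```

This separates only the structured identifier fields; free-text content such as a testimony can still contain identifying details and needs its own review.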
Data discipline isn’t about compliance, it’s about stewardship. Protecting your data is protecting your people and your community. When you handle information with restraint and respect, you build trust and reduce harm. And the simplest discipline (deleting what you don’t need, limiting who can see what, and locking down where it’s stored) is often your strongest defense.
4. Passwords Are Just the Beginning → Secure Devices & Accounts
If your email or social accounts are compromised, your whole organization can unravel. Not just your data, but your credibility, safety, and ability to coordinate or deliver services. Most attacks on activist groups don’t start with high-tech hacking; they start with a guessed or stolen password.
A strong password is all of the following: long, unique, unpredictable, and complex. The problem is that most of us have hundreds of accounts, and our feeble human brains can’t possibly remember that many strong passwords. So we need help.
It is human nature to prioritize convenience at the expense of security. People may bristle at the user friction caused by using a password manager or multi-factor authentication. Try to encourage your colleagues to see that these small actions are habits that will protect them, not just something management is doing to make their work hard. Most people don’t bristle at taking two seconds to put on a seatbelt in the car, and we should see cybersecurity in the same way.
Actions to Take:
Make passwords and authentication your top defense priority. Even if you can’t afford new tools or security consultants, these simple steps dramatically cut your risk:
1) Use a password manager, and make it a team norm.
Password managers (like Bitwarden, 1Password, Proton Pass, or KeePassXC) generate and store strong, unique passwords for each account. They also allow shared credentials for group logins without revealing the actual password.
Train everyone to never reuse passwords, not even across personal and work accounts, and don’t use easy-to-guess passwords like important dates or loved ones’ names.
For high-risk accounts or staff, consider a physical security key (e.g., a YubiKey). These are the best way for most people to thwart phishing attacks.
2) Turn on multi-factor authentication (MFA) everywhere it’s offered.
MFA (sometimes called two-factor verification) requires something you know (your password) and something you have (your phone, app, or security key). Even if your password leaks, MFA keeps attackers out.
Prioritize MFA for your email, cloud storage, social media, and messaging platforms.
Use app-based MFA (like Authy, Aegis, or Google Authenticator) rather than SMS codes, which can be intercepted.
Encourage staff and volunteers to enable MFA on their personal accounts too; those are often entry points for attackers. Don’t message this as something people “have to” do, but as a simple action that can pay huge dividends.
3) Limit who can access what.
Give each person their own login whenever possible.
Teams often share credentials out of necessity, but that convenience can backfire. If you absolutely must share credentials, make sure the shared password is stored securely and changed anytime someone leaves the group.
Making ourselves less attractive targets to cybercriminals is the best way to reduce (we can never eliminate) our cyber risk. Ensuring that strong authentication is part of accessing our accounts is key and also demonstrates how, at its core, a good cybersecurity posture relies on every member of staff being engaged and vigilant. In the final installment, we’ll look at ensuring all staff are sensitized to risks and mitigation strategies, and building a culture of compliance.