Part of that comes from vigilance against scams and the ability to recognise suspicious emails, calls, and text messages. Another important element is a solid policy framework that governs acceptable behaviour. This is about more than writing down a list of rules; it is also about creating a culture of compliance. Policies should be seen to enable work, not stifle it. Engage your team in the effort.
Before diving in, make sure to have a look at points 1 and 2 in the "Cybersecurity" series, as well as points 3 and 4.
5. Social Engineering & Opportunistic Threats → Strengthen People & Culture
Technical controls matter, but many attacks on CSOs succeed via people: phishing emails, fake login pages, impersonation, urgent requests for help, manipulation of volunteers, and threats to personnel. Awareness and culture are key.
Industry breach reports consistently find that the large majority of breaches begin with an email. You may feel that the more sophisticated technical defences are out of reach for your organisation, but vigilance against social engineering is not. That doesn't mean it's easy to avoid getting tricked, but instilling awareness among your colleagues (and family and friends) is something we all have the power to do, and it removes a large share of your risk.
Actions to Take:
1) Consider investing in a cybersecurity awareness training program and ensure that all staff use it. There are paid options such as KnowBe4 and Phin that are very good, and free options such as Wizer that are quite good as well. This may be the single most effective thing you can do to protect your organisation's data.
These programs provide training content and also let you send "phish tests" (simulated phishing emails) to staff to check whether they can spot social engineering tactics. Run regularly, these tests are very effective at keeping staff vigilant.
2) Think seriously about how to build a culture of security. Security too often becomes the thing we "have to do" rather than something we want to do.
Publish and circulate a "quick reference" one-pager with concrete rules: if you receive this type of email, check that; if someone asks for access, verify the request through a separate channel (a phone call or an in-person conversation, not a reply to the same email).
Encourage a culture of “Pause, Verify”: if something seems odd, stop. If a staff or volunteer feels uneasy about an email, ask. Often, taking a few seconds to take a closer look at the email (or SMS, or phone call) can be the difference between experiencing a data breach and not.
Report phishing: part of building this culture is creating ways for people to easily report suspected phishing attempts, and especially to report when they think they may have clicked on something they should not have. Victims of cybercrime should never be blamed for their mistakes.
Make this part of your regular team meetings and your onboarding process, not a one-off.
Risk awareness: Because activism often involves external partners or volunteers, ensure new members are onboarded with awareness of risk.
Recognize that threats may be tailored: adversaries may attempt to access platforms by posing as “donors” or “journalists”. Make sure to build awareness of such tailored scams.
3) Stay alert for fake logins.
Many phishing campaigns mimic familiar platforms — Google, Microsoft, Instagram, WhatsApp Web. If you click a link and the page asks for your password, pause. If you get an email with a link to a site and have any doubt, avoid the link and go directly to the site or mobile app to access your account.
Check the web address before entering anything. Look at the domain that actually owns the page, not just whether a familiar name appears somewhere in the link.
Bookmark official login pages so you don’t rely on links from emails.
When in doubt about the validity of an email, ask a teammate to verify.
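The "check the web address" advice is easy to state and easy to get wrong, because phishing links are built to contain a familiar name somewhere while pointing elsewhere. The script below is an added example, not code from the original post: it checks a link against a small allow-list of bookmarked login domains and flags the common tricks (a trusted name used as a subdomain prefix, a `trusted@attacker` userinfo part, look-alike internationalised domains, and plain-http login pages). The allow-list and the sample links are constructed for illustration; the two-label domain rule is a simplification noted in the code.

```python
"""Classify a link before trusting its login page.

Added example, not part of the original post. The allow-list below and
the sample links at the bottom are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumed: the registrable domains of the login pages the organisation has
# bookmarked. In practice this list comes from your own bookmarks/IT.
OFFICIAL_DOMAINS = {"google.com", "microsoft.com", "instagram.com", "whatsapp.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'accounts.google.com' -> 'google.com'.

    Simplification: a real deployment should use the Public Suffix List
    (e.g. the tldextract package), since this rule mishandles suffixes
    such as 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'known', 'unknown' or 'suspicious'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host in URL"
    # 'https://google.com@evil.net/': browsers go to evil.net, the eye sees google.com
    if parts.username is not None:
        return "suspicious", "userinfo before the host (looks like 'trusted@attacker')"
    # Internationalised hosts can be visual look-alikes (Cyrillic 'о' for Latin 'o');
    # their ASCII form starts with 'xn--'.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", "host is not a valid internationalised domain name"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "suspicious", f"internationalised host ({ascii_host}); may be a look-alike"
    if parts.scheme != "https":
        return "suspicious", "login page served over plain http"
    domain = registrable_domain(ascii_host)
    if domain in OFFICIAL_DOMAINS:
        return "known", f"registrable domain {domain} is on the allow-list"
    # 'google.com.verify-account.net': the trusted name is only a subdomain prefix
    for official in OFFICIAL_DOMAINS:
        if official in ascii_host:
            return "suspicious", f"contains {official!r} but the real domain is {domain}"
    return "unknown", f"registrable domain {domain} is not on the allow-list"


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    samples = [
        "https://accounts.google.com/signin",
        "https://google.com@evil.net/login",
        "https://google.com.verify-account.net/login",
        "http://microsoft.com/login",
        "https://xn--ggle-55da.com/",
        "https://example.org/",
    ]
    for link in samples:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

Note that "unknown" is not "safe": a legitimate service the organisation uses but never bookmarked lands there, so the allow-list has to be maintained alongside the bookmarks. The point of the example is the order of checks: decide which domain actually owns the page before looking for a familiar name in the text of the link.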
6. Do We Need a Policy for That? → Make It Live, Make It Simple
Often, organizations say “we’ll write a security policy later when we have staff/time/urgency.” But a policy doesn’t need to be 100 pages of technical jargon. It just needs to be clear, actionable, visible, and understood by all staff. Without a policy (or at least a simple framework), you make everything ad hoc, which increases risk.
Actions to Take:
1) Start small! Don’t let the perfect be the enemy of the good enough. Even a page of key bullet points is better than having nothing.
Draft a short “Cybersecurity Charter” (1-2 pages) aimed at your organization’s context.
Include: purpose (“we protect our mission and our people”), scope (what this covers: accounts, devices, volunteers, remote work), roles (who leads, who assists, who reports issues), key responsibilities (e.g., enable MFA, update device OS, report suspicious emails), incident/reporting steps (who to talk to if something goes wrong).
Circulate this charter to staff and volunteers, and host an info session to introduce and explain it. Post it somewhere visible (shared drive, office wall, volunteer portal).
2) Think about the policies that are relevant to your organization and staff. Most organizations should have an acceptable use policy and a data handling policy. Are staff using personal devices for work? A BYOD policy should be developed. Is everyone tinkering with the latest AI tools? You’ll want an AI acceptable use policy as well.
Review policies annually (or when you change major systems). Think of these as living documents that will change with the times and your capacity.
3) Don’t make policies a vehicle for punishment, but do make them a part of culture.
Help staff understand why it is important that they follow policy guidance. In some cases non-compliance should have consequences, but that should not be the main mechanism for shifting behavior and mindset.
Final thoughts
If you only do one thing this year, pick one intervention from this "Cybersecurity" series and make sure it becomes part of your organizational routine. If you can, add a second. Over time, build around all of this guidance.
The aim isn't perfection, it's resilience: making it much harder for adversaries to disrupt your mission, losing fewer assets when they try, and recovering more reliably if something does go wrong. Remember, this is a process of continual improvement. Like personal health, you can't change everything in a day or a week or even a year. But you can commit to the process today, celebrate wins big and small as you go, and achieve real growth over time.
For CSOs, the stakes are higher, but so is the opportunity. Your mission depends on being able to operate, communicate, organise, and mobilise despite external pressure and threats. Cybersecurity here is not optional. But it doesn't have to be overwhelming. By focusing on the right interventions, aligned with your mission, capacity, and context, you can mount a meaningful defence without trying to boil the ocean or simply crossing your fingers and hoping for the best.