(1) Powerful Password Protection Processes
Since staff in environmental organizations are often less interested in technology than staff in other types of organizations, it's particularly important for future success that the 'people part' of cybersecurity is emphasized. One of the most important aspects of building a 'human firewall' is teaching staff to create strong passwords. On the Department of Homeland Security's Password Tip Card, the top 3 tips are:
- "Don’t make passwords easy to guess" - The easiest way to create a strong password is to use the first letters from a special phrase and then add a couple of numbers, capitals & characters. For instance: 1Dmpetg!
- "Unique account, unique password" - It's important to have a unique password for every account you have because if your password is hacked and you have only one, then suddenly all of your accounts are at risk.
- "Never share your password" - The more people who know your password, the less secure it is.
(2) Timely Software Updates
Another 'human firewall' best practice for the future security of an environmental organization is to be sure to update all software used on all organization devices and computers. Updates are most often created to provide security patches, so it's important to tell your staff that these updates are for security purposes. When people know the reason for the updates, they are more likely to take the time to perform them. Another best practice that can help people actually take the time to do the updates is to set aside time in the work day for them. Providing a coffee, popcorn or other treat during a 15-minute break during the day called 'Update Break' will help employees feel supported in the update process. Using a tool such as Patch My PC Updater (found on the 10 Best Free Software Updater Programs website) can also be beneficial.
(3) Regular Backup System
This cybersecurity area is one that can be taught to your staff, but also set up by a tech support professional. First, according to Dark Reading's article on Security Tips That Will Keep Your Company Safe, you need to identify the sensitive data that is "critical to the success" of the environmental organization's mission. This could include financial information, contact information, or political strategy information as well as "hardware and software assets, record the manufacturer, make model, serial number, and support information". When you have a list of the sensitive data, you next need to create a schedule for backups and ensure this schedule is followed with secure processes.
(4) Two Factor Authentication
This is a process for enhancing the security of your password system and, according to Gartner, is "gaining market traction" because if you use a passwordless, user-friendly method for the second layer of protection that associates users with their devices or cellphones, it's a "rare win/win for security". Examples of Two Factor Authentication include fingerprint or face identification on cellphones, the drawing of a geometric pattern, or sending a code to a user's email or cellphone to confirm their identity.
(5) Malware Protection
This is another cybersecurity area that requires the cooperation of tech support or security professionals in your environmental organization and any staff who work with computers or devices. Since there are so many viruses and malware being created every year, such as the recent DNSChanger Malware found by the FBI, it is vital to have powerful and up-to-date malware and virus protection on all computers and devices. In the case of the DNSChanger Malware, there is not yet a patch for it, so the FBI recommends making backups of all files on your device or computer before having a computer professional delete the malware.
(6) White Hat Hackers
If your environmental organization is large enough, I strongly recommend employing white hat hackers whose primary job is to try to hack into your own systems as a means of finding weaknesses and patching them before black hat hackers (real hackers with criminal or destructive intentions) cause a breach of data. For example, the white hat security research group Mirai, which is Japanese for "the future," have created a botnet composed of servers, a loader and a 'bot' that is able to apply brute force to a victim, report on data, check status of a system, infect it with malicious binary code and attack on command. This botnet causes a distributed denial of service (DDoS) to a set of target servers by constantly propagating to weakly configured Internet of Things (IoT) devices. By running their botnet, these white hat workers have found weaknesses in IoT devices and suggested repairs (Kolias et al., 2017).
Any organization, including environmental ones, can benefit in terms of cybersecurity by using encryption. The simplest definition of encryption is a 'secret code.' In the computer age there are a variety of options for encryption technology; one of the most interesting is called blockchain. Blockchain is often used to protect financial data because it is made up of blocks of code that are protected in a unique method. According to Kshetri, N. (2017), an organization's money resources are protected because third parties do not need to be involved in the transaction. "If a hacker penetrates a network and tries to steal money from an account, multiple redundant and identical ledger are stored worldwide. If one is breached, there are many others as backups that can provide the funds in the hacked account."
(8) Security Reward System
As more cities become smart, and members of environmental organizations live in these IoT-profuse collectives, ensuring that your organization is following suggested techniques for secure smart cities is becoming increasingly important. A secure system proposed by Li and Liao (2018) is to financially reward IoT vendors for ensuring security and also to reward governments. So for an environmental organization I suggest creating a reward system for staff and vendors who enhance security. This could be financial, in the form of small monetary rewards, or social, via badges, leaderboards or positive publicity.
(9) Home Security
Increasing numbers of organizations are becoming hybrid or remote so that employees can work from the comfort of their own homes. This practice has many benefits in terms of reduction of stress and sick days and financial savings in office space and travel requirements. For environmental organizations it is also a preferred method, since less travel to and from a physical office prevents much pollution and also reduces the spread of human disease. In terms of cybersecurity, it creates an additional challenge since the organization must encourage its staff to make work-at-home offices secure. Oravec (2017) suggests using intelligent agents, remote deletion of rogue or infected programs as well as 'kill switches' to help protect staff homes and the technology they use for work.
(10) Protect Privacy
While it's important to use the above 9 security tips to protect your environmental organization, it is also important to protect the privacy of the staff who work for you along with the volunteers and members of your company. With the advent of the IoT, profiling methods are often used to link devices to a user's account, which can lead to discovery about the user's identity and life circumstances, which can in turn lead to "economic, social, and other forms of discriminatory treatment." Wachter (2018) suggests following the EU General Data Protection Regulation (GDPR), which became law in May of 2018. In the simplest terms, the GDPR requires privacy by design and privacy by default. For your environmental organization I recommend requiring that your technology staff purchase and install only software systems, computers and devices that follow the GDPR regulations in their designs and default settings.
7 SMB Security Tips That Will Keep Your Company Safe (2019). Dark Reading. Retrieved from https://www.darkreading.com/endpoint/7-smb-security-tips-that-will-keep-your-company-safe---------------/d/d-id/1336067?image_number=2
10 Best Free Software Updater Programs. (2019). Lifewire. Retrieved from https://www.lifewire.com/free-software-updater-programs-2625200
Bat Conservation International (2019). Retrieved from http://www.batcon.org/
Charity Navigator (2019). Retrieved from https://www.charitynavigator.org/index.cfm?bay=search.summary&orgid=5684
DNSChanger Malware (2019). Federal Bureau of Investigation (FBI) Retrieved from https://www.fbi.gov/file-repository/dns-changer-malware.pdf/view
Stamford, C. (2019). Gartner Identifies the Top Seven Security and Risk Management Trends for 2019. Gartner. Retrieved from https://www.gartner.com/en/newsroom/press-releases/2019-03-05-gartner-identifies-the-top-seven-security-and-risk-ma
Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and Other Botnets. Computer, (7), 80. https://doi-org.proxy1.ncu.edu/10.1109/MC.2017.201
Kshetri, N. (2017). Blockchain’s roles in strengthening cybersecurity and protecting privacy. TELECOMMUNICATIONS POLICY, 41(10), 1027–1038. https://doi-org.proxy1.ncu.edu/10.1016/j.telpol.2017.09.003
Li, Z., & Liao, Q. (2018). Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets. GOVERNMENT INFORMATION QUARTERLY, 35(1), 151–160. https://doi-org.proxy1.ncu.edu/10.1016/j.giq.2017.10.006
Oravec, J. A. (2017). Kill switches, remote deletion, and intelligent agents: Framing everyday household cybersecurity in the internet of things. Technology in Society, 189. https://doi-org.proxy1.ncu.edu/10.1016/j.techsoc.2017.09.004
Password Tip Card. (2019). Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/Best%20Practices%20for%20Creating%20a%20Password.pdf
Wachter, S. (2018). Normative challenges of identification in the Internet of Things: Privacy, profiling, discrimination, and the GDPR. COMPUTER LAW & SECURITY REVIEW, 34(3), 436–449. https://doi-org.proxy1.ncu.edu/10.1016/j.clsr.2018.02.002