How can leaders prioritize and manage the additional responsibility of security and privacy while running a growing business or nonprofit? We find clues by looking to the history and success of design thinking. Design thinking is now considered an essential business capability because it forces organizations to re-imagine their value propositions by applying a customer centric perspective. But this will only get you part of the way there. Its true value is realized only when an organization can internally re-organize and collaborate to consistently make ideas, the result of design thinking, a tried and true reality for its customers. The same is true for applying best practices in security and privacy in order to keep your organization growing and meeting increasing demands of the market.
Understand what you have and who might want itWhen employing a design thinking process for innovation, organizations start by trying to understand every habit, emotion, and motivation of customers and employees, always looking for details of unmet needs. Adopting security and privacy thinking is no different. Map the organization’s valuable assets and who may have access to them, currently and historically. Examine how employees use data, tools, and practices to understand the threat landscape or who might want access the data. To apply security and privacy thinking, leaders want to understand what types of data they hold, where they hold it, and what they use to communicate it both internally and externally. Even if you do not believe the organization has any obvious adversaries, by the organization holding and processing data, there are actors that wish to damage, steal or exploit your information assets.
Inventory to understand: map who has access and at what levels to all systemsMaking an inventory of everything digital, intangible, and hardware can be a valuable and surprising way to find out just how many points of entry an attacker has to access your valuable data. Here is an example of a Business Model Canvas - a dashboard to help brainstorm and identify all the notable assets at your organization.
Ideate and prioritize what is worth addressingOnce you have an understanding of what assets your organization has, it’s time to ideate on how to address them and what to prioritize. Hint: behavioral change will always be a significant part of improving your security and privacy state. There are a number of quick wins to implement and behaviors to encourage right off the bat. Discussing some of these as a team and committing to them will lead to other ideas and compromises that suit your specific organization’s needs.
How assets may be at risk
Here are some things that have improved basic privacy and security:
1. Know intimately the SLA (Service Level Agreement) terms for any vital business assets, like website hosting or CMS and customer relationship toolsIf you’re using a provider to host your website, check out the SLA to see if it protects your data in case of an emergency. A rule of thumb is: if you are not paying for a product, you are the product. Free versions often come with the lowest possible recovery or protection plans, so know what you are getting into and what you are protected and not protected from when you use something that is vital for your organization to run, like a website. If there is a paid tier of that service, or an add-on that costs a little extra, you may want to consider it to improve the SLA terms. Additionally, pay attention to where you store your backups or disaster recovery. You may need to maintain your own copy of the data if the provider loses it.
2. Write your own policies and terms of serviceThe National Institute for Standards and Technology (NIST) has examples and templates for digital security and data privacy policies that any organization can and should adapt to fit their needs. Radio Station WNYC, home to the ‘note to self’ podcast, ‘the tech show about being human’ also has some plain language and clear 'terms of service', you can use as a jump start. Great terms of service and policies don't always have to be 50 pages long and written in legalese. You can try brainstorming with your team the values, principles and acceptable and unacceptable habits that you expect of employees, founders, boards and customers to fold them into your own custom terms of service. For more inspiration on this, check out this podcast.
3. Pick great tools: minimize the amount of tools you use for communication and consolidate where you canOne of the best ways to reduce risk is to have everyone in the organization using the same cloud service, thinking carefully about who has what permissions. Additionally, opt for open source and encrypted tools like Signal, WhatsApp or Keybase as secondary tools for communication when you can. Most importantly, make sure all hardware devices are backed up and encrypted. This can as simple as turning on FileVault2 (MacOs), BitLocker (Windows). On phones, modern versions of (Android) ship with file or full disk encryption. iOS is also encrypted by default.
All employees should be using a password manager (like Enpass or 1Password). This provides a way for the user to keep complex passwords without having to remember all of them. It will ensure that all passwords for each site are unique. This will make it difficult for an attacker to reuse your password, which they may have obtained from a compromised website, and limits the scope of the potential damage damage.
Here is a site with more information on password managers. Eliminate any use of shared accounts. Shared accounts are often hard to manage, tough to track and almost impossible to enforce who has access. Specific people should each have access via their own account to data that is needed. Share accounts are often long lived, and can become a ‘back door’ that outlasts those with knowledge of its existence.