About two weeks ago, National Cybersecurity Awareness Month (NCSAM) kicked off with a new message stressing personal responsibility for users keeping themselves safe online: “Own IT. Secure IT. Protect IT.” NCSAM asked users to consider best practices for both securing their own devices and protecting sensitive data.
But personal responsibility in cybersecurity extends beyond individuals—it reaches right into the workplace, affecting nearly every company, business, or organization that handles user, customer, and employee data. Without an organization’s help, individuals can still be left defenseless to several attacks.
The user who creates and stores long passphrases in a password manager is still vulnerable to a data breach that releases their sensitive details, like their email address, physical address, and full name. The online customer who only connects to secure Wi-Fi networks is still vulnerable to a corporate hack of that retailer from threat actors seeking credit card numbers. The employee who uses multi-factor authentication on their sensitive online accounts is still vulnerable to a company-wide ransomware attack.
The truth is that companies, businesses, and organizations have an obligation to protect the sensitive data that belongs to their employees, users, and customers.
For some organizations, that obligation is a matter of real, physical safety.
For National Domestic Violence Awareness Month, Malwarebytes announced a recommitment to protecting users from stalkerware— the nefarious threat often leveraged by domestic abusers to surveil their partners. In continuing our work in this field, today we are looking at how the NCSAM principles can be translated into practical, actionable recommendations for organizations that handle and protect the data of already at-risk individuals—domestic abuse survivors.
Though these recommendations focus on domestic abuse agencies, they touch on many of the same problems experienced by small- and mid-sized organizations. They deal with lost devices, data retention and deletion, device security, and location tracking. So even if you're not working for a domestic abuse agency, we highly recommend you read on. Your customers will thank you for helping to protect their sensitive data and their privacy.
Threats and recommendations
Threat actors today have changed their tactics. No longer do they just phish from a list of swiped personal email addresses. No longer do they rely solely on random employee missteps of opening an email attachment or clicking a link.
Instead, threat actors target organizations and zero in on their vulnerabilities in endpoint and network security. They phish, yes, but they spear phish—convincingly spoofing third-party vendors or banks or even the CEO. They attack major organizations and companies, looking to steal the sensitive data that they know is stored within, or cripple an organization's infrastructure in hopes of getting a ransom payout.
As the threat landscape has evolved, so, too, must the organizations at risk.
Below are several threats facing domestic abuse agencies and other businesses today. We hope some of the following recommendations, which have also been shared by the National Network to End Domestic Violence (NNEDV), can help organizations everywhere stay safe.
Advocates using personal devices for their jobs
Despite the important work performed by domestic abuse shelters and agencies around the world, those same shelters and agencies often suffer from narrow funding, which can directly limit the types of technology available to their employees.
When Malwarebytes Labs recently visited the Morgan Hill Community Center to discuss stalkerware with local domestic violence advocates, about one fifth of the audience showed us that they relied on their personal mobile devices to support domestic abuse survivors.
The risks of relying solely on personal devices for this type of work are myriad.
The loss of a personal device, either through forgetfulness or from theft, could reveal sensitive information, including the contact information, text messages, emails, and voicemails of survivors, along with the GPS location data and contact information of advocates, as well as the contact information for an advocate’s family, friends, and coworkers.
NNEDV, which has published multiple guides for tech safety for both survivors and advocates, explained why the use of personal devices creates unseen vulnerabilities.
“If advocates’ friends and family members have access to an advocate’s phone, they could see survivor information in the contacts, email, or text messages,” the organization wrote in its “Cell Phone Best Practices” guide. “In addition, if the advocate’s phone was part of a family plan, the account holder (which may not be the advocate) could have access to phone records and other details that could include survivor information, breaching confidentiality.”
Agencies have several options to limit these risks.
First, agencies should provide advocates with mobile devices to do their jobs. Understandably, not every agency can afford to give every employee the latest smart device, so, instead, agencies should only offer what advocates need to be successful in their roles.
If employees are frequently in contact with survivors, receiving both text messages and phone calls, they at least need a mobile device. If employees are meeting survivors in the field or traveling between shelters, they would benefit from a phone that has GPS features and a mobile app for directions and maps. Further, if an employee has no direct contact with survivors, maybe they don’t need an agency-provided phone at all.
Also, agency-provided devices should require passcodes to unlock.
Passcodes, as we explained before, are the first line of defense to prevent unwanted parties from accessing a device. For the type of work performed by domestic abuse advocates, this security step is vital. An unsecured device could reveal which domestic abuse survivors are reaching out, their contact info including their phone number and email address, and their plans for safety.
Each agency-provided device should have a unique passcode, and the passcodes should be known to the agency’s IT and technology staff, stored on a separate device (like a desktop or laptop) and kept safe in a password manager.
If agencies cannot provide phones, they can still implement policies on how personal devices are secured. For instance, passcodes should also be required on personal devices used for agency work. The passcode should be at least six digits long, and it should be required for every device unlock.
With both personal devices and agency-provided devices, the loss or theft of a mobile device could reveal potentially countless survivors’ sensitive details. Agencies should consider not only the security risks of a lost device, but also the potential breach of confidentiality and privacy for survivors.
To mitigate the damage of a lost or stolen device, agencies should install remote wiping capabilities on the devices they own and provide. These tools, like Find My iPhone on iPhones, Find My Mobile on Samsung devices, and Find My Device on Google Pixel devices, allow a device’s owner to remotely locate a device, lock it, and wipe all its stored data if lost or stolen.
Further, agencies should remember that lost devices have a separate, equally vital risk. Not only is the data that is locally stored vulnerable, but so is the data that is accessible through online accounts and networks connected to that device. Whatever platforms an employee connects to on their device, like their work email, their Slack groups, even their HR and benefits portal, are also left vulnerable to an attack if a device is lost or stolen.
To stem this risk, agencies should install a single sign-on (SSO) solution for employees who access the variety of work platforms necessary to do their jobs.
As we said before on this topic:
“Single sign-on offers two immediate benefits. One, your employees don’t need to remember a series of passwords for every application, from the company’s travel request service to its intranet homepage. Two, you can set up a SSO service to require a secondary form of authentication—often a text message sent to a separate mobile device with a unique code—when employees sign in.
By utilizing these two features, even if your employee has their company device stolen, the thief won’t be able to log into any important online accounts that store other sensitive company data.”
Agencies could consider using any of the most popular single sign-on providers for small and medium businesses, including Okta and OneLogin.
Stored text conversations and call logs
Smart devices today store an enormous amount of information by default, including text messages that are several years old, and call logs that go just as far back.
The sensitivities of survivors’ text messages are obvious. These are the conversations of often at-risk individuals who are seeking help in developing a safety plan or receiving emotional support. These are private conversations that should be protected.
Similarly, a device’s automatically stored call logs can reveal sensitive, private information, even if the phone call itself is not recorded.
Call log history that shows a middle-of-the-night phone call to a suicide prevention hotline, a weekly call to an HIV emotional support line, or a between-work-and-home phone call to the National Domestic Violence Hotline all immediately reveal the potential content and topics of those conversations, even without a transcript of what was said.
To provide security and privacy for domestic abuse survivors, agencies should delete stored text messages when they are no longer needed. Agencies could also consider using a secure, end-to-end encrypted messaging app, like Signal, which allows for chat messages to automatically disappear after a scheduled time. For this process to work, though, survivors would also have to download and use the same secure messaging app.
Like with stored text conversations, agencies should regularly delete incoming and outgoing call logs. Further, agencies should not save survivor contact info on the actual devices being used.
We understand that some agencies work directly with law enforcement, sometimes offering stored text messages and call logs as a means to provide evidence of domestic abuse. If that is part of your agency’s support services, let your survivors know this ahead of time.
Most domestic abuse advocates cannot do their work only from a desk. Often, advocates work outside, meeting survivors in safe locations, traveling between an organization’s multiple chapters, and potentially visiting conferences and training sessions.
For the advocates who rely on GPS services on mobile devices for directions, their digital location history can reveal potentially private information, including the locations both of survivors and currently nonpublic safe houses. One of the most popular GPS mapping apps today, Google Maps, has a feature called “Your Timeline,” which, if turned on, allows a user to view their own location history, including what locations they visited, what time they were there, and what route they took.
Though “Your Timeline” is only visible to users and not third parties, the problem of a lost or stolen device remains—if someone else can access an unsecured mobile device, then they could access that device’s location history, too.
Domestic abuse agencies should turn off location history for the devices they provide to advocates, and they should stress that advocates who rely on personal devices do the same.
For a full understanding of how to do this on Android and iPhone devices, you can read The Guardian’s piece here, which delves into how to turn off all location tracking.
Organizational cybersecurity threats
Protecting your organization is about more than being smart with the devices your employees use and the data that lives there. It also includes protecting your organization’s infrastructure from threat actors and human error.
Domestic abuse agencies should protect themselves with an anti-malware, anti-virus solution. With a proper solution, employee devices, including both desktop/laptop machines and mobile phones, can be protected from an infection or an attack before it even happens.
Domestic abuse agencies complete an extraordinary amount of work in providing services, emotional support, and safety planning to survivors. Today, much of that work leaves behind a digital trail, and it is up to those same agencies to make sure that the data belonging to survivors is equally protected.
Though the list of cybersecurity threats and recommendations can seem overwhelming, it can be split up into easy takeaways:
- Advocates should, whenever possible, be provided with devices to do their jobs
- All devices should be required to have a passcode to unlock
- The threat of a lost device can be mitigated by installing remote wiping capabilities and using a single sign-on solution to protect connected online account information
- Stored text messages and call logs should be regularly purged
- Location tracking on advocates’ devices should be turned off
- Agencies should install anti-malware protection on their machines
Many years ago, the intersection of National Cybersecurity Awareness Month and National Domestic Violence Awareness Month had little overlap. Today, the two are closely intertwined. For domestic abuse agencies, the protection of data is analogous to the protection of domestic abuse survivors.
Though NCSAM's cybersecurity principles may stress personal responsibility, it is the duty of organizations everywhere to understand their own responsibility in today’s world. Secure those who rely on you. Protect them. They should not be left alone.