Overview
Advocacy organizations must move beyond fragmented, reactive protocols and adopt comprehensive security postures. This requires establishing rigorous frameworks that protect data, hardware, and the physical and psychological well-being of individuals carrying out the mission.
Holistic Security Framework
Core Principles
The concept of "Holistic Security," pioneered by organizations such as Tactical Tech, integrates three domains into a unified risk management strategy:
| Domain | Focus |
|---|---|
| Digital Security | Data protection, encryption, secure communications |
| Physical Security | Facility protection, access control, emergency response |
| Psycho-Social Well-Being | Staff welfare, trauma awareness, organizational health |
Interdependence
Security cannot be treated as a purely technical endeavor:
- Lack of emotional awareness can blind staff to physical threats
- Lack of digital literacy can expose organizations to cyber espionage
- Security is a deeply personal, subjective, and continuous process of "well-being in action"
Risk Assessment Methodology
Dynamic Process
Risk assessments must be viewed as dynamic, ongoing processes rather than static checklists.
Two Assessment Types
| Type | Focus | Key Question |
|---|---|---|
| Threat Assessment | External: adversary capabilities and intent | Who might target us and how? |
| Vulnerability Assessment | Internal: organizational weaknesses | Where are our gaps? |
CIA Triad Framework
Classify data assets and prioritize security investments using:
| Principle | Definition | Assessment Question | Mitigation |
|---|---|---|---|
| Confidentiality | Protection from unauthorized access | How severe if hostile actors acquired this data? | Encryption, RBAC, NDAs |
| Integrity | Protection from unauthorized modification | How detrimental if information was altered or deleted? | Cryptographic hashing, audit logs, version control |
| Availability | Ensuring timely access for authorized users | How disruptive if the organization lost access? | Cloud backups, disaster recovery, high availability |
EFF Threat Modeling Questions
The Electronic Frontier Foundation outlines five core questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much effort are you willing to expend?
Assessment Components
A thorough assessment must evaluate:
- Physical access points
- Staff training protocols
- Emergency response plans
- Digital safeguards
- Network monitoring capabilities
- Technical testing validation
Security Culture Development
Why Culture Matters
Technical safeguards are easily bypassed if the human element remains vulnerable. Human error, negligence, and susceptibility to social engineering are frequently the weakest links.
Behavioral Security Model
Strong security culture operates on four interrelated dimensions:
| Dimension | Description |
|---|---|
| Knowledge | Understanding threats, tools, and countermeasures |
| Context | Applying security principles to specific situations |
| Motivation | Commitment to security practices |
| Behavior | Consistent action based on knowledge |
Training Ineffectiveness Problem
Traditional compliance-driven training fails because:
- It relies on single, lengthy onboarding sessions
- Cognitive science (the Ebbinghaus forgetting curve) shows that learners forget most of what they are taught within days
- Knowledge that is not reinforced does not translate into behavior
Effective Training Approaches
| Approach | Implementation |
|---|---|
| Spaced training | Short, frequent, interactive modules |
| Behavioral nudges | Active encouragement for continuous learning |
| Immediate application | Real-world practice of security principles |
| Surveys and focus groups | Uncovering resistance points |
No-Blame Reporting Culture
A security culture must be built on trust and openness rather than fear and punishment:
- If employees fear punishment for mistakes such as clicking a phishing link, they will not report them promptly
- Delayed reporting gives threat actors more time to maneuver
- Clear accountability combined with no-blame reporting ensures that threats are escalated immediately
Workflow Integration
Refine procedures to balance security with operational efficiency by:
- Listening to employees about how they navigate security policies
- Understanding daily workflow constraints
- Adapting policies to reduce friction while maintaining protection
Physical Security
The Accessibility Paradox
Organizations serving marginalized populations face a unique challenge:
- Facilities must be highly secure against hostile intruders and enforcement overreach
- Facilities must remain welcoming and accessible to traumatized community members
Core Physical Security Elements
| Element | Purpose |
|---|---|
| Secure entry systems | Control access points |
| Visitor check-in procedures | Document and screen visitors |
| Enhanced exterior lighting | Deter unauthorized approach |
| Surveillance equipment | Monitor perimeter activity |
Trauma-Informed Design Principles
Implementation must be guided by trauma-informed design to prevent spaces from feeling:
- Punitive or exclusionary
- Reminiscent of detention facilities
- Triggering to survivors of institutional violence
Address Protection
Actively obscure physical addresses of:
- Undisclosed safe houses
- Domestic violence shelters
- Sensitive administrative offices
Do NOT include these on public-facing websites.
Staff Training Requirements
| Area | Training Content |
|---|---|
| De-escalation | Handling hostile encounters |
| Emergency drills | Evacuation and lockdown procedures |
| Suspicious activity | Identifying concerning perimeter behavior |
| Aggressive visitors | Managing counter-protesters or hostile individuals |
| Law enforcement thresholds | When to contact external authorities without endangering clients |
Clean-Desk and Document Security
| Policy | Purpose |
|---|---|
| Clean-desk policies | No sensitive documents visible |
| Secure document destruction | Shredding before disposal |
| Filing protocols | Legal intakes and rapid response notes secured |
| Facility incursion preparation | Store documents so they cannot be quickly seized or photographed |
Security Investment Prioritization
Risk-Based Approach
Nonprofit organizations are frequent cyberattack targets due to:
- Resource constraints limiting security investments
- High value of constituent data
Recommended Actions
| Priority | Action |
|---|---|
| 1 | Active network monitoring |
| 2 | Regular gap analyses |
| 3 | Technical testing to validate defenses |
| 4 | Staff security awareness training |
| 5 | Physical access control upgrades |
Implementation Checklist
Phase 1: Assessment
- [ ] Conduct threat assessment (external adversaries)
- [ ] Conduct vulnerability assessment (internal gaps)
- [ ] Classify data assets using CIA Triad
- [ ] Document physical access points
- [ ] Evaluate current training protocols
Phase 2: Policy Development
- [ ] Develop security policies for each domain
- [ ] Create emergency response procedures
- [ ] Establish visitor management protocols
- [ ] Define law enforcement interaction guidelines
Phase 3: Training
- [ ] Implement spaced training modules
- [ ] Establish no-blame reporting mechanism
- [ ] Conduct de-escalation training
- [ ] Practice emergency drills
Phase 4: Ongoing
- [ ] Regular security audits
- [ ] Update risk assessments quarterly
- [ ] Staff feedback collection
- [ ] Policy refinement based on incidents
Related Resources
- Information Protection - Data security practices
- Personnel Security - Access management
- Communication Security - Secure communications