How Zero Trust Can Protect Domestic Violence Survivors
Originally published by @TechSoup at https://blog.techsoup.org on July 29, 2020.
Do you work at one of nearly 2,000 domestic violence organizations (PDF) in the United States? You may be struggling to balance the needs of the adults and children you serve, providing critical services while protecting their personal data. But the trouble is, you may find the notion of data security intimidating.
In this blog post, we’re going to discuss the cybersecurity community’s latest framework for securing data, zero-trust, and how it can help your organization prevent, detect, and respond to breaches regarding a survivor’s personal information.
What Is Zero-Trust?
Zero-trust is a standard for applying cutting-edge technologies to secure every single point of access to an organization’s information. Applying zero-trust as a framework means that you assume that all individuals and devices are untrusted until they are verified, thus providing access to information only as it is needed. For more information on implementing zero-trust, read this blog post from TechSoup’s Nick Mediati.
Why Is Zero-Trust an Exciting Development for Protecting Domestic Violence Survivors?
According to Toby Shulruff, senior technology safety specialist at the Safety Net Project, “Most organizations don’t have the policies and equipment in place to set up an adequate zero-trust architecture, but data breaches are increasing in number year after year, affecting the safety and healing of thousands of survivors. For example, a perpetrator may be able to breach a survivor’s place of work. What’s worse, landlords and employers often discriminate against domestic violence survivors out of fear that their former partner may show up unexpectedly. And naturally, those already experiencing social oppression are most likely to be impacted.”
Rather than prescribing a single technology platform, zero-trust is a road map that can help your domestic violence organization streamline and monitor threats wherever a survivor’s data is stored, from the office to the cloud.
In today’s increasingly mobile world, leaked information about domestic violence survivors could reveal their whereabouts to the abusive person. Stolen, misused, and breached data from cellphones, personal computers, and outdated infrastructure can potentially affect a case in family court or a criminal proceeding, or it could endanger the survivor once they’ve relocated.
Why Are Domestic Violence Organizations Implementing Zero-Trust?
Some domestic violence organizations are implementing this new framework to enforce enterprise-grade safeguards — from client services to internal operations.
Interest in zero-trust among domestic violence organizations stems from legislative mandates to better manage the data of domestic violence survivors. The Violence Against Women Reauthorization Act of 2013 has a universal grant condition that requires VAWA grantees and subgrantees to maintain the confidentiality of a victim’s personal information.
Providers may have very sensitive data that requires a high level of protection, but many may not have implemented basic tools to make sure the data doesn’t get into the wrong hands. Imagine if an abusive person got hold of a client’s new place of work or the location of their child’s school.
In addition to employee oversight, data on domestic violence cases is at risk of being breached via outdated or stolen credentials from employees and volunteers. With legacy devices and sometimes minimal IT budgets, an organization may not have the procedures in place to wipe information from the devices of its former personnel or a policy in place for accessing the personally identifiable information of clients outside of the workplace. With a zero-trust model, organizations can ensure that only authorized personnel can access only the minimum amount of information that they need to do their job.
Mitigating Access Privilege and Employee Turnover
At this point, you may be itching to make a change in your IT infrastructure to build your way up to zero-trust. But since no one vendor delivers all the components you may need for your zero-trust model, here are a few tips for developing a timeline without disrupting your existing workflow:
Develop the Proper Mindset Around Zero-Trust
After getting buy-in from decision-makers, you’ll need to coordinate with your IT experts to implement the platforms of your choice. It may be challenging at first to develop a workable solution for zero-trust, but don’t let that discourage you from taking the first step.
Leverage In-House Solutions
If you’re working with a limited budget, consider tackling your core needs rather than a complete overhaul. First, make sure to help staff and volunteers at all levels understand that zero-trust compliance is a team effort. You don’t necessarily have to purchase a new tool to implement zero-trust either.
For example, you can simply start educating employees on the risks associated with using their personal devices to access survivor data and conduct workshops on cybersecurity best practices. You can also host trainings on technologies like video conferencing that may actually breach a client’s privacy or potentially risk their safety via third-party listeners or viewers.
Choose Your Vendor Wisely
Finally, take the time to interview and vet your vendors. The biggest mistake you can make as an organization with limited resources is to immediately sign on to a shiny new platform with limited functionality.
Do you operate on-premises, or are you using mostly cloud-based tools? Do your employees often use their personal devices for work, or do you have robust cybersecurity protocols?
By communicating your specific needs early on, you will enable a vendor to point you in the right direction. For more information on protecting your organization and the individuals you serve, check out TechSoup Courses’ Digital Security Bundle. And for a quick guide on questions you may want to ask a new software vendor, read this blog post from TechSoup.
Why Minimizing Access Is Important
We understand that there are a variety of reasons that domestic violence organizations may find additional security measures to be a burden. From maintaining compliance to securing funding, being able to access information quickly can seem more attractive than having to constantly verify oneself. But the risk to survivors is too great. The Mosaic effect may allow criminals to cross-list your organization’s information with publicly available data to identify a survivor’s whereabouts.
As a guideline, keep as little information as you possibly need to meet a survivor’s needs. Instead of collecting exact information, you can “mask” particular characteristics such as age range rather than recording an exact age. And once services are complete, even for the time being, take steps to safeguard information access and disclosure. Finally, make sure to delete records as soon as possible once you’ve completed your services.
Documentation Is Key
In addition to maintaining access privilege, zero-trust can streamline your organization’s reporting and measurement capabilities. A core feature you may want is the ability to create an auditable request, with top-down oversight depending on an employee’s level of security clearance.
You may also want to consider implementing safeguards for downloads and file-sharing of critical information. To ensure that data is only accessed when needed, consider tools that provide an access log to expedite investigations or pull information as needed.
Also, implement access-level controls to prevent employees from potentially leaking information through shared accounts and credentials or weak passwords. While constant verification may take a while to get used to for the end user, your organization will ultimately be able to better oversee how employees navigate cloud technologies and use their mobile devices.
A Look Ahead at Zero-Trust
Since there is currently a shortage of vendors working specifically to implement zero-trust for domestic violence survivors, you may benefit from collaborating with organizations facing similar challenges in managing data. If you’ve experienced success with specific vendors or tools, you may want to share that information with like-minded organizations.
If you currently lack internal resources or even organizational will to implement zero-trust, remember that granular access privilege can literally mean life or death for a survivor. Every organization exists within a bubble of confidentiality, but studies show that individual staff and volunteer oversight and carelessness (PDF) are a primary source of data breaches.
As the Internet of Things expands, so does the potential of data breaches for survivors of domestic violence. And beyond employee computers and cellphones, smart homes — and even automotive devices — are forcing domestic violence service workers to rethink their approach to cybersecurity. The great news is that by implementing zero-trust security, you can help ensure that sensitive information about the survivors you work with is protected.
- Webinars to Support Service Delivery at Domestic Violence Organizations
- Digital Essentials for Organizations Focused on Domestic Violence
- Safety Net’s Confidentiality Toolkit
- The Electronic Privacy Information Center’s page on domestic violence
- Some resources related to privacy from the VAWnet and the National Resource Center on Domestic Violence
Originally published at https://blog.techsoup.org on July 29, 2020.