A guide to transitioning your digital security culture to meet the moment.
Updated April 1, 2020 by Equality Labs
As the impacts of Coronavirus unfold in the next couple of weeks, our movement cultures around the world are undergoing an unprecedented shift. Your office may now be empty, so hallway conversations are no longer part of how you share information. Childcare may be a bigger part of your day, so creating quiet space for video calls becomes an entirely different process. “Work clothes” may mean something new. And though your organization may be doing a good job of not panicking, everyone you work with may still be thinking and operating at a heightened level of anxiety amid concern for loved ones, family members and communities.
When you switch to working-from-home culture, your digital security culture changes as well, whether or not you are thinking about it. Physical walls and in-person conversations no longer guard sensitive information in your conversations with colleagues. And where it may not have been your designated job to think about digital security before, you’ve now taken on just a bit more of that responsibility within your work as your home’s digital security culture comes into contact with work life.
We’ve found that culture change is a foundational part of getting to digital security or resilience. So for this moment, here are some concrete steps to guide you through a transition towards safety in your work-from-home culture:
- Have a strategy meeting with the Operations and Program team leads in your work: While many organizations have started social distancing policies, these transitions may be happening without enough coordination and discussion of what is vulnerable in the organization’s communications, infrastructure, and/or plan for switching to digital practices. A strategy meeting can help with risk assessment and the realignment of technology platforms so you can move at the speed of trust, consent, and risk collectively.
- Have a trauma informed approach to the shift in work culture: Colleagues who have triggered their survival response modes are likely to be thinking tactically, from a “fight, freeze, or flee” mindstate. This may mean it isn’t possible to strategically shift work culture within a team until the psycho-social dimensions are fully realized. While many organizations are rushing to switch strategies, in the same moment their team members are grappling — or finding themselves unable to grapple — with the foundational realization that as a species, we will be seeing a kind of mass loss of life in our communities that we have not seen in this generation. And we will need to be resilient for what comes next-collectively.
- Slow down tactics to focus on the culture of your teams. Who we are before a pandemic will not be who we will be after, and we have to work on understanding this, to be able to rise to the moment of need our communities will require. We need to ramp down our need to act, and instead, breathe, and acknowledge this. Life is built on the premise of survival. Our politics determine if this will be an individual notion of survival or a collective one. To honor the differing realities of team members whose communities, and neighborhoods may be impacted differently or disproportionately by the virus, we recommend that teams move at the speed of trust and invest in collective care support. This could include trauma-informed social workers, digital somatic sessions, ancestral practices, and other methods that help people ground disparate emotional responses into a container. This helps the team navigate an emergent and volatile future, rather than looking for fast, inaccurate answers. If you are tired, unfocused, or experiencing panic, it’s easier to make security mistakes. Do things that bring you wellness when you start your day, and then check on colleagues. Doing so helps you prepare a resilient team that can move and tackle this moment with real support and alignment, rather than unrealistic expectations. Additionally, some team members may be called in to care for family members, deliver groceries for elderly neighbors, and help raise money for those who are facing the brunt of economic distress. Consider having open conversations about financial distress, and invest in institutional contribution to mutual aid pods. There have been hundreds of mutual aid pods organized across the United States.
- Have staff plan out where their work will take place in their homes, including where they can go for sensitive conversations. As we hunker down collectively for the next couple of weeks, have your team set up their workplace with an eye for comfort and physical awareness so they know where to go for conversations that require more discretion. This will then help shift behavior to a larger awareness of how their home is impacting their work and their work is impacting their home.
- Use an encrypted messaging/calling application like Signal in place of basic text messages and phone calls, especially for unscheduled conversations. In an office setting, we might not realize how often we communicate sensitive information through what is seen on our device displays, passing conversations, or non-scheduled in person meetings that might feel casual. Despite the urgency of this moment, all of the assumptions of state and corporate surveillance still apply to groups who work on issues like immigration, prison abolition, etc. So keep that in mind with the use of your phones. Encrypted apps can help with keeping those calls discrete. Additionally, adding the desktop clients to your computers can also help make texts also serve as fast threads for communications in lieu of e-mail or slack for discrete coordination.
- Offer accessible trainings for any new technology or processes that you are going to introduce or require, and communicate expectations for when and how they are used early and often to your entire organization. We have found that not offering security training is almost analogous to not offering security itself, since an entire network is only as secure as their employees who wanted to implement the change but were not set up to do so. Schedule training and give people the chance to be a source of strength.
- Adopt and correctly set up a password manager like 1Password, not only for individuals but to manage any shared logins across your team(s). This is especially important when transitioning to a work-from-home culture, because even with strong practices in place, co-workers without password managers will inevitably reach out to ask each other for a password. Password managers eliminate communicating that information over non-secure channel like a Google doc or a text message.
- Ask your colleagues about (and don’t forward to them!) any links or attachments coming through email or messages that you weren’t expecting or that seem strange, even if you have to pick up the phone to do it. This recommendation is helping your team get resilient around a hacking technique called phishing: where bad actors get you to click a link or open an attachment that introduces harmful software to your computer. It is a favorite technique of hackers everywhere, so if you aren’t sure why your colleague is sending you a document urgently needing your signature or directing you to a strange website, check if they really sent it.
- Use encrypted video conference: now that many meetings will be digital, folks will be using video conferencing more frequently. We use Zoom, Jitsi, and Talky.io in our teams, and often have several options just in case there is a tech fail at the time of a meeting or event. Zoom is most definitely a corporate platform that offers consistent video conferencing, but at a price. Recent reporting has shared how Zoom has not been transparent about its privacy policies and that its encryption is solely for chat and not for its actual video client. We are currently investigating othe options so that people can start to replace Zoom but in the mean time we urge people to use Zoom with the following administrator settings. We also encourage everyone who want to enable its encryption do so in the settings and also turn off the audio call-in function. For calls that are for smaller teams Jitsi and Talky.io are free encryption options while Whatsapp video and Facetime are two other options, but no matter what solution you choose we recommend that teams using those apps test these options an hour before a call, because they can often be wonky based on the numbers of people on a session and bandwidth available.
We hope this list helps give a strategic start to how your organization weathers this time of transition and uncertainty. We do not know all that might happen in the next couple of months, but we know that we are stronger together. There are also some relevant links from the Crowdsourced Tech Handbook for Coronavirus, this article on practical tips for managing remote teams, this list of 29 Tips for Effective Remote Managers and Workers, and the Work From Home Readiness Checklist.