Holding Regulators Accountable for Data Privacy and Protection in Uganda’s NGO Sector -DPI

By Helen Namyalo Kimbugwe and Noelyn Tracy Nassuuna

As Uganda heads toward a pivotal election season, the release of sensitive financial statements for Non-Governmental Organizations (NGOs) like Chapter Four Uganda has sparked intense debate. These disclosures carry significant implications for donors, NGOs, and the public, shaping trust, transparency, and operational stability.

What does this mean for NGOs operating in Uganda, their donors, and the communities they serve? How can transparency be balanced with protection in such politically charged times?

To delve deeper into these issues, download the full article now and stay informed about the future of civil society in Uganda.

Investing in Women’s Safety and Security

We hope you were celebrated or honored by the women in your life, and we encourage you to continue this appreciation beyond Women’s Day.

Speaking of Women’s Day, this year’s theme, “Invest in Women: Accelerate Progress,” underscores the critical need for increased financing in gender equality efforts, including funding gender-responsive, green energy initiatives, and support for female and feminist changemakers.

These challenges notwithstanding, as experts in the fields of security, safety, and human rights, we have witnessed firsthand how the unique security risks and threats faced by women impede progress not only toward achieving equity but also in improving their overall quality of life.

Here are four impactful ways in which we can invest in women to accelerate progress through enhanced security and safety measures.

Enhancing Responsiveness of Security and Justice Institutions

According to a 2020 Violence Against Women and Girls Survey (VAWG) conducted by UBOS, a staggering 95% of women surveyed reported experiencing physical and sexual violence. Shockingly, only 45% of those who had experienced intimate partner physical and sexual violence chose to report it, primarily due to a deep-seated mistrust in the judicial system.

Despite efforts such as the establishment of Gender-Based Violence help desks by Uganda Police, significant gaps remain in addressing these issues effectively. There is an urgent need to bolster the responsiveness of law enforcement and judicial institutions in apprehending and prosecuting perpetrators. Strengthening these mechanisms is crucial in not only delivering justice to survivors but also contributing significantly to deterring future occurrences.

GBV Toll Free Helpline 0800199195

Support, NOT Survivor Blaming

The UBOS survey also revealed that the other reasons why women opted not to report physical/sexual abuse were fear of being blamed for the incidents and the threat of continued abuse or worse consequences by their abusers if they spoke up.

In light of these distressing findings, it is clear that women who have endured abuse and violations need tools and assistance to cope, recover, and pursue justice, to help them navigate these harrowing experiences and gradually rebuild a sense of safety and stability in their lives. This can be informed by psychosocial support or training in basic self-defense skills, among others.

Equipping Women with Knowledge and Skills to Navigate the Evolving Digital Landscape

In today’s rapidly evolving digital world, it’s crucial to empower women with the necessary knowledge and skills to navigate cyberspaces safely. This includes providing them with the tools to prevent, recognize, and respond to cyber-attacks effectively. Explore our website for digital security support options/offerings.

As more aspects of our lives move online, women are increasingly vulnerable to various forms of digital abuse, including hacking, cyberbullying, harassment, and online stalking. By skilling women in cybersecurity and digital safety, we can empower women to protect themselves against such threats and confidently engage in online activities.

Investing in Gender-Inclusive Tech for Safety and Security 

By allocating resources toward the creation and refinement of tech tools tailored to women’s needs, we can address existing safety concerns and foster a more inclusive digital environment. 

Here are a few we like: digitalsafetea.com, safebangle.org, bitdefender.com

Child/Teen Online Safety Tips and Tools

More children and teenagers are actively engaging with the internet, and this trend is expected to persist. However, the online environment hasn’t always been tailored to cater to the needs of minors. Therefore, it is crucial to prioritise their safety. In honour of Safer Internet Month, here are some essential tips and tools parents, educators, and even the young netizens can use to guarantee online safety.

What you need to know about Delayed Phishing / Post-Delivery Weaponized URL

The truth is that most of us have been victims of phishing at some point, and thanks to the abundant resources online and the trainings we have had so far, we have become somewhat immune to it.

Click here to also look at our blog post about phishing and what you need to know.

Our immunity against phishing has so far been boosted by the e-mail service providers, mail gateways and even browsers that we use, all of which have anti-phishing filters and malicious address scanners embedded in their systems.

Despite all of the above, cybercriminals are constantly inventing new circumvention methods and refining old ones. One such method is delayed phishing.

Delayed phishing is an attempt to lure a victim to a malicious or fake site using a technique known as Post-Delivery Weaponized URL.

“As the name suggests, the technique essentially replaces online content with a malicious version after the delivery of an e-mail linking to it. In other words, the potential victim receives an e-mail with a link that points either nowhere or to a legitimate resource that may already be compromised but that at that point has no malicious content. As a result, the message sails through any filters. The protection algorithms find the URL in the text, scan the linked site, see nothing dangerous there, and allow the message through.”

Effecting the malicious link

Attackers operate on the assumption that their victim is a normal worker who sleeps at night. Therefore, delayed phishing messages are sent after midnight (in the victim’s time zone), and become malicious a few hours later, closer to dawn.

If cybercriminals find a specific person to attack, they can study their victim’s daily routine and activate the malicious link depending on when that person checks mail.

Technology behind Delayed Phishing

For delayed phishing to be effective, hackers use at least one of these 2 common methods:

  1. Simple link: Here the attackers control the target site. At the time of delivery the site is safe, so the link passes the several security scans a message goes through before it reaches your mailbox. At that point the link leads to either a meaningless stub or (more commonly) a page with an error 404 message; the malicious version of the site is activated after delivery.
  2. Short-link switcheroo: Several sites offer link-shortening services, which give you short, easy-to-remember links in place of long and boring ones. However, some of these services allow you to change the link behind a short link. Cybercriminals take advantage of this: at the time they send the email, the short link points to a legitimate site, and it is swapped to the malicious site after delivery.

There is also a third, less common technique: a randomized short link with probabilistic redirection. That is, the link has a 50% chance of leading to google.com and a 50% chance of opening a phishing site. The possibility of landing on a legitimate site apparently can confuse crawlers (programs for automatic information collection).

Spotting & fighting Delayed Phishing

Ideally, the phishing link should be prevented from reaching the user, so rescanning the inbox would seem to be the best strategy.

In some cases, that is doable: for example, if your organization uses a Microsoft Exchange mail server. Kaspersky Security for Microsoft Exchange Server is also included in our Kaspersky Security for Mail Servers and Kaspersky Total Security for Business solutions.
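The rescanning idea above, as an added example that is not part of the original post: it compares how a mailed link resolved at delivery with how it resolves on later rescans, and names which of the three techniques described earlier the change matches. The `Snapshot` fields, finding names, message ids and hosts are assumptions made for this sketch; fetching is left out so it runs offline on constructed data.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Snapshot:
    """One resolution of a mailed link (field names are this example's own)."""
    final_url: str    # URL reached after following redirects
    status: int       # HTTP status of the final response
    body_sha256: str  # digest of the final response body

def host(url):
    return (urlsplit(url).hostname or "").lower()

def rescan_findings(at_delivery, later):
    """Compare the delivery-time snapshot with later re-resolutions of the link."""
    findings = []
    first_host = host(at_delivery.final_url)
    later_hosts = {host(s.final_url) for s in later}
    # Short-link switcheroo: the link now lands on a different host.
    if later_hosts - {first_host}:
        findings.append("destination-changed")
    # Probabilistic redirect: repeated resolutions disagree with each other.
    if len(later_hosts) > 1:
        findings.append("unstable-destination")
    # Simple link: a 404 or stub at delivery that serves a page afterwards.
    if at_delivery.status == 404 and any(s.status == 200 for s in later):
        findings.append("activated-after-delivery")
    # Same host, but the page body was swapped. Dynamic pages trip this too,
    # so treat it as a reason to re-run the content scan, not as a verdict.
    elif any(host(s.final_url) == first_host and s.status == 200
             and s.body_sha256 != at_delivery.body_sha256 for s in later):
        findings.append("content-changed")
    return findings

# Constructed sample data: reserved example hosts, placeholder digests.
OK = Snapshot("https://www.example.org/", 200, "aa11")
SAMPLES = {
    "msg-1": (Snapshot("https://files.example/doc", 404, "0000"),
              [Snapshot("https://files.example/doc", 200, "bb22")]),
    "msg-2": (OK, [Snapshot("https://login.example.net/", 200, "cc33")]),
    "msg-3": (OK, [OK, Snapshot("https://login.example.net/", 200, "cc33"), OK]),
    "msg-4": (OK, [OK, OK]),
}

def scan_all(samples=SAMPLES):
    """Return {message id: findings} for every message that needs a second look."""
    results = {m: rescan_findings(first, later) for m, (first, later) in samples.items()}
    return {m: f for m, f in results.items() if f}
```

A non-empty result for a message is the cue to run the full URL scan again on that link; several rescans per link are needed for the probabilistic case to show up.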

8 Tips to Secure your Office

We dwell a lot on “CyberSecurity”, forgetting about physical security for organizations. We just thought we could throw in a few tips for you to secure your office space.
Security risks are trending amongst HRDs, and it is unfortunate that many organisations do not have the necessary office security measures in place to help protect their premises & assets from possible threats.
Trending risks to organizations include but are not limited to:

Security Policies: Quick Notes

What is a security policy?

A security policy is a formal, detailed and easily understandable document that addresses the general beliefs, goals, acceptable procedures and security controls that govern an organization or other entity. It addresses the constraints on the behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls, computer security threats, and how to handle situations when they do occur. A security policy must identify all of a company’s assets as well as all the potential threats to those assets. And lastly, it should be subject to amendment, as threats are dynamic.

Why a security policy?

A security policy should be one of the first documents in place for a corporate organization or entity to function flexibly. It should address all security concerns, the likelihood that they will actually occur, ways forward and speculation clearly so that the employees and employers feel at ease implementing their mandate. You need a security policy in order to:

  • Establish the rules for user behavior on the use of organizational assets. This ensures proper compliance by staff.
  • Define and authorize the consequences of violating certain guidelines.
  • Establish a baseline stance on security to minimize the risk of occurrences in the organization.
  • Build a sense of carefulness among staff, which reduces the risk of data loss or leaks.
  • Protect the organization from external and internal “malicious” users.
  • Guide staff on acceptable and unacceptable behavior.
  • Set out how information is disseminated (private, internal & public information).

A Good Security Policy

A good security policy should be readily available for its intended audience. It shouldn’t be hard to get.

It should be understandable and not confusing. Avoid using words that are beyond the understanding of your audience. It should clearly indicate how violations are handled.

A security policy should be applicable to the organization and only reveal information relevant to the functionality of the organization. It should cover use of organization assets, specify minimum security standards used in protection of assets, prohibitions against malicious actions, home use of organization equipment, use of personal equipment for carrying out official duties, procedures deemed as accepted or best practices, etc.

Work to develop a policy that balances both the current practices of the organization and the practices the organization wants to see in future. And most importantly, make sure to have a policy that protects an organization against multiple types of threats.

And lastly, it should be accepted, put into use and reviewed frequently; at least once a year, upcoming concerns should be updated in it. This is because breaches will always keep evolving, and therefore new measures have to be put in place.

5 steps to compile a good security policy

  • Identify issues
  • Conduct a context analysis of the issues identified (vulnerabilities, fix/ways forward, influence of behavior). Set of rules
  • Make a draft policy covering all the above.
  • Have the document reviewed internally and/or hire an external entity to review it too.
  • Deploy the policy to the rest of the organization.

Document Outline

  • Introduction
  • Purpose
  • Scope
  • Roles and responsibilities
  • Sanctions and violations
  • Review schedule
  • Definition of terms, abbreviations/acronyms

Topics should center around the following

  • Physical Security
  • Security Training
  • Privacy
  • Software Licensing
  • Password
  • Virus protection
  • Acceptable use
  • Account management
  • Special access (Authority)
  • Change management
  • Incident management

A Checklist for HRDs before field engagement

As Human Rights Defenders, we are exposed to a lot of risks during our public or field engagements, and most of these tend to hit us by surprise since we do not adequately prepare to overcome these emergencies.
It could be a kidnap and being stranded in the middle of nowhere, it could be an accident, you name it.

Field engagement in this case means conducting work in the natural environment rather than in the office. During field engagements, we tend to be with the general public, known or unknown, and often new to us because it is our first time engaging with them. Even when the environment is known to us, we can never guarantee the dynamics of the people we have been working with, and therefore we need to have a number of things ready just in case things go sideways:

  1. Make sure your phone is charged before going out.
  2. Be sure to have some cash on you just in case you might need to use some quickly.
  3. Make sure you have an ID on you to easily identify yourself to legal authorities.
  4. Make sure your phone is secured with something that only you know (don’t use fingerprint or face ID) when going for vital field work.
  5. Have a contact of someone to call in case of emergencies. You can write such contacts somewhere and carry them with you.

Windows 7 End of Support

What Human Rights Defenders need to know:

Most of us might not be aware that Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. The 10 years officially came to an end on the 14th of January 2020. If you are still using Windows 7, your PC will still work perfectly, except that it will be more vulnerable to security risks and viruses. Your PC will continue to start and run, but will no longer receive software updates, including security updates, from Microsoft.