Evaluation findings: SAFETAG audits increase digital security of organizations and lead to changes in attitude and behavior

“I would say that the SAFETAG audit methodology is a very good instrument, especially for civil society groups, as it actually solves a lot of things: it solves incidents, it solves risk, it solves attacks, and [it] has really been something that has increased the safety of organizations. [It] has given us resources definitely, and even given us more ability to be able to defend civil society rights and to be able to know where to get support.” said a SAFETAG Auditor.

The Greater Internet Freedom (GIF) project has been implementing digital security audits, using Internews-developed SAFETAG methodology, adaptable and relevant to smaller non-profit organizations. The GIF team sought to understand the impact of SAFETAG in increasing the capacity and number of local digital security experts within beneficiary CSOs, media outlets, individuals, and auditors.

The evaluation was conducted to explore the performance, successes, and impact of the SAFETAG audits under the GIF project. A combination of qualitative and quantitative research methods, interviews, and surveys was used to gather relevant information.

Highlights from the evaluation:
● The evaluation revealed that staff in most audited organizations positively changed their digital security awareness, behaviors, and processes.

● As one staff member mentioned: “And all of a sudden, after the audit, [my colleagues felt] ‘we can trust the IT guys. Actually, they can help us identify these people who are listening to our conversation’. So I would say most of them, they are now [more] relaxed, as they know they found a solution.”
● A director from an audited organization stated: “I can see that [my staff] are not scared anymore with the threats that are coming in, especially when there is a new incoming threat.”

Highlights from findings:
● In most cases, SAFETAG audits increase the security of organizations and lead to changes in attitude
● Audits must be part of larger strategy of and for CSO’s security.
● Skills and competencies of Auditor are crucial
● Negative impacts of audits must also be recognized. Some examples of these include the possibility of increased fear and concern amongst audited staff; slowing down the work; or more work for staff.
● Management involvement are key

After the audit, 91% state the CSOs were between “Medium Awareness” and “Very Aware” in regard to digital security. Organizations also went further to implement new policies which increased digital security.

However, the evaluation also pointed out that in most cases, the audit alone is not enough. Crucial elements needed in addition to the audit are awareness raising and basic training efforts, upgrades of software and hardware, implementation of new policies, on-demand IT support, and follow up/ check-in audits. Some negative impacts of the audits were mentioned, though usually outweighed by the positive impacts. In some cases, staff felt worried and concerned by what the audits might find or how long the audit took and in other cases, recommendations made after an audit have overwhelmed the organization or they are not adapted to the skills or capacity of the organization.

This outcome evaluation was carried out from May to July 2023 by Purpose+Motion in close collaboration with GIF’s Monitoring, Evaluation and Learning (MEL) team.

The Greater Internet Freedom (GIF) project aims to advance Internet freedom (IF) in the countries in which it works by ensuring that digital security capacities, data awareness, and activism on behalf of an open, interoperable, reliable, and secure Internet are available for independent media and civil society.

Read the full SAFETAG Evaluation here.