Most organizations improve their digital security following audits, developing greater awareness of risks and of security behaviors and implementing recommendations – this is one of the key findings of the evaluation of SAFETAG audits conducted under the Greater Internet Freedom (GIF) project. The Internews-developed SAFETAG methodology is a professional audit framework that is adaptable and relevant to smaller non-profit organizations. For the past three years, GIF has been using the SAFETAG methodology, and in the spring of 2023 it carried out an evaluation to better understand the performance, success and impact of the SAFETAG audits.
As one auditor explained: “I would say that the SAFETAG audit methodology is a very good instrument, especially for civil society groups, as it actually solves a lot of things: it solves incidents, it solves risk, it solves attacks, and [it] has really been something that has increased the safety of organizations. [It] has given us resources definitely, and even given us more ability to be able to defend civil society rights and to be able to know where to get support.”
SAFETAG leads to a more confident approach to digital security
The evaluation revealed that staff in most audited organizations changed their digital security awareness, behaviors and processes. Interviewees stated that most staff have a more confident, safer approach to their work after the audit. “I can see that [my staff] are not scared anymore with the threats that are coming in, especially when there is a new incoming threat,” mentioned the director of one audited organization.
An auditor explained: “In many situations, the organization just became more relaxed, because they saw that they don’t have such high risks or they do have high risks, but they are prepared for them.”
The evaluation used qualitative and quantitative research methods, interviews, and surveys to gather relevant information. Through this process, evaluators were able to capture the most common vulnerabilities in organizations: lack of digital security policies and procedures, issues with password strength, management and communication, unprotected devices, unprotected sensitive files, lack of digital security understanding and awareness, and phishing attacks. The general consensus is that management needs to be involved at all stages and that this involvement is beneficial for the audit's success.
Success of audits is higher when complemented by other actions
However, the evaluation also pointed out that in most cases, the audit alone is not enough. Crucial elements needed in addition to the audit are awareness-raising and basic training efforts, upgrades of software and hardware, implementation of new policies, on-demand IT support, and follow-up/check-in audits.
Some negative impacts of the audits were mentioned, though they were usually outweighed by the positive impacts. In some cases, staff felt worried and concerned about what the audits might find. In other cases, recommendations made after an audit overwhelmed the organization or were not adapted to its skills or capacity. Sometimes, after the audit, the team and especially management felt they had a lot more work.