Data security and access

Element Descriptor

Any data can be got at if a “bad actor” is sufficiently motivated and equipped (and nation states are highly motivated and equipped). However most information leaks are not the results of advanced hacking. Understanding basic opsec practices for daily use as well as encryption, offline storage, non-storage will help keeping (most) data safe from unwanted actors

Level descriptors

You understand the need for, and use, basic “data hygiene” practices – strong passwords for each service, password manager,You’re able to consider the different types of information your organisation uses, and what levels of protection (technical and operational) are appropriate, and use them accordinglyYou understand and can readily use more advanced techniques such as encrypted files, 2FA, and advise others on appropriate techniques for their use caseYou’re auditing other people’s code and pointing out the bugs. Nobody hacks you, they’re too scared.

Element Overview Essay

This is a draft. If something doesn’t make sense, or you see typos, or if you have further ideas, please email us on

So I suppose until you’ve been hacked, you’re complacent. And the main cause of data security not being taken seriously as people have an optimism bias, or they don’t know the tricks of the trade that they’re supposed to do.

The consequences are you’re more likely to suffer hacks, data leaks, threat, data theft, etc. And that can have really severe implications for your credibility, your morale, and the willingness of your supporters to keep supporting you. If you have been storing sensitive data in formats that leak or conceivable to leak.

So the fix involves taking data security seriously, having at least one person who is up to speed. Making sure that you do websites, email, Twitter, etc, that you use have two factor authentication as a basic feature, making sure that your core group members are aware of the common ways that phishing gets done. Unfortunately, with data security,, it’s a chain and it’s only as strong as its weakest link. And learning from other breaches when they happen and breaches do happen, is also a really good idea.

Development Resources

Assessment Resources