Protecting the integrity and safety of our organizations and communities is more critical than ever, especially as the potential for digital threats continues to rise. For organizations advancing racial justice, the stakes are even higher.

In Part 2 of our Digital Security for Social Justice Organizations blog, the final installment of our Crisis Communications & Rapid Response series, our CEO Bilen Mesfin Packwood continues her conversation with Amro Radwan, Founder and CEO of Shake Technologies, about practical security tips and strategies for building a culture of digital resilience. This portion of the Q&A dives into what it really takes to stay safe, responsive, and effective in today’s high-risk digital landscape. Don’t forget to revisit Part 1 here.

______________________________________________________________________

Many of our clients are worried about doxxing, phishing, account takeovers, and harassment campaigns. From your perspective, what’s most important to have in place before something like that happens?

The single most important thing is that your organization has already decided what to do before the crisis arrives. The worst time to figure out your response plan is while you are actively under attack. When a staff member is being doxxed, when your social media accounts are posting content you did not authorize, when your executive director’s email has been compromised and is sending messages to every funder in your network, the adrenaline and chaos of that moment will destroy your ability to think clearly. Everything that matters has to already be in place.

That starts with an incident response plan that is specific, documented, and rehearsed. Not a 30-page policy document that lives in a folder no one has opened. A clear, practical plan that answers the essential questions: Who makes decisions during a crisis? Who has the authority to lock down accounts? Who communicates with staff, board, funders, and the public? Who is the external point of contact for technical support? Every person on your team should know their role before anything happens, the same way you would run a fire drill. If your plan requires people to figure out their responsibilities in real time, it is not a plan. It is a hope. This is something we build with every organization we work with. We develop incident response plans that are tailored to their specific threat landscape, their team structure, and their capacity, so that when the moment comes, no one is guessing.

The technical foundation has to be solid before the crisis tests it. That means centralized password management where every organizational account is secured with strong, unique credentials and your team is not sharing passwords over text messages or sticky notes. It means two-factor authentication on every account that supports it, with hardware security keys for anyone in a leadership or public-facing role. It means knowing exactly who has access to what, and having the ability to revoke that access immediately when someone leaves the organization or when an account is compromised. These are not advanced security measures. They are the bare minimum, and most organizations still have not fully implemented them.

For doxxing specifically, the preparation work is deeply personal and has to happen before anyone is targeted. Every staff member, especially leadership, organizers, and anyone who is publicly visible, should go through a personal data audit. What information is available about them online? Home addresses in domain registrations or property records. Personal phone numbers tied to organizational accounts. Photos with location metadata. Old social media posts that reveal patterns of movement or personal relationships. Data broker sites that aggregate and sell personal information to anyone who searches for a name. The time to scrub that exposure is now, not after someone’s home address is circulating on a harassment forum. This is not optional for people doing racial justice, immigrant rights, or trans justice work. It is a safety necessity.

For phishing and account takeovers, the most important investment is staff training that actually reflects the threats your organization faces. Generic corporate phishing simulations that test whether someone clicks on a fake Amazon shipping notification are not relevant to your reality. Your team needs to recognize the attacks that are actually targeting movement organizations: emails impersonating funders requesting wire transfers, messages pretending to be coalition partners sharing a Google Doc that is actually a credential harvesting page, urgent requests from what appears to be a board member’s compromised account. Training has to be ongoing, scenario-based, and rooted in real examples from the sector, not a once-a-year compliance checkbox.

For harassment campaigns, the preparation is both technical and human. On the technical side, your social media accounts need to be locked down with strong authentication, and access should be limited to the smallest number of people possible. You need a protocol for quickly shifting accounts to restricted mode, disabling comments, or temporarily going dark if a coordinated attack hits. On the human side, you need a support plan for the people who will be targeted. Harassment campaigns are designed to isolate and exhaust individuals. Having a buddy system, clear communication about when to step away from screens, and access to mental health support are not soft additions to a security plan. They are essential components of organizational resilience. If your people burn out or break down, your mission stops.

Finally, and this is the piece most organizations miss entirely, you need relationships in place before the crisis. A relationship with a digital security consultant who already knows your infrastructure. A relationship with legal counsel who understands the intersection of digital threats and civil liberties. A relationship with peer organizations who can amplify your voice or absorb your workload if you are forced to go into lockdown mode. Trying to find and vet these partners while you are under active attack is like shopping for insurance while your house is on fire. Things are not quiet right now for anyone in this space. But there is a difference between the constant pressure of this political moment and the acute crisis of your organization being directly targeted. The time to build your support network is before that acute moment hits.

For a small organization with limited capacity, what are the top 3-5 digital security practices you’d prioritize to reduce harm quickly?

When capacity is limited, the instinct is to try to do everything at once and end up doing nothing well. The better approach is to focus on the practices that dramatically reduce your exposure with the least operational disruption. These are not aspirational goals. They are the non-negotiables that every organization should be able to implement regardless of size or budget.

First, mandatory multi-factor authentication on every account that touches organizational data. This is the single highest-impact change a small organization can make. The vast majority of account takeovers succeed because an attacker obtained a password and there was nothing else standing between them and full access. MFA changes that equation entirely. Hardware security keys like YubiKeys are the gold standard, especially for executive directors, finance staff, and anyone with admin-level access to your Google Workspace, social media, or financial platforms. For the rest of your team, authenticator apps are a strong baseline. SMS-based codes are better than nothing, but they are vulnerable to SIM swapping attacks, which are increasingly common against activists and organizers. This is not a recommendation. It is a requirement. If your organization does one thing after reading this, it should be this.

Second, aggressive data retention policies. The most effective way to protect sensitive information is to not have it. Every message, every document, every spreadsheet your organization holds is something that can be subpoenaed, seized, or exposed in a breach. Turn on auto-delete for Signal, Slack, and any other communication platform your team uses. The same principle applies to email. Set retention policies in your Google Workspace or email platform. Archive what is legally required, and let the rest go.

Third, data minimization at the point of collection. Before your organization collects any piece of personal information, ask the question: do we absolutely need this to deliver this specific program or service? Immigration status, home addresses, phone numbers, demographic details. If it is not essential to an active, live program need, do not collect it. If you collected it in the past and no longer need it, delete it. For organizations working with undocumented communities, survivors of violence, or trans individuals, this is not an abstract best practice. It is a direct line between your intake form and someone’s safety.

Fourth, centralized password management. A small organization cannot afford to have credentials scattered across sticky notes, personal browser saves, text message threads, and the memory of whoever set up the account three years ago. A password manager gives your team strong, unique passwords for every account and ensures that when someone leaves the organization, you are not locked out of your own systems or left wondering what they still have access to. It also eliminates the single most common security failure in small nonprofits: password reuse. When one account is compromised and the same password was used for your email, your donor database, and your social media, a single breach becomes a total organizational exposure. A password manager solves that problem overnight.

Fifth, treat digital cleanup as an ongoing practice, not a one-time project. Audit your shared drives. Review who has access to what. Remove former staff and volunteers from systems. Delete old files that serve no current purpose. Close accounts for tools you no longer use. This is not busywork. It is harm reduction. Every forgotten account with a weak password is an entry point. Every shared folder with permissions that were never tightened is a potential leak. In a small organization where everyone wears multiple hats, this kind of hygiene gets pushed to the bottom of the list. But the reality is that cleaning up your digital footprint is an act of solidarity with the people you serve. It directly limits the blast radius if any part of your organization is targeted.

None of these practices require a large budget. None of them require dedicated IT staff. What they do require is time, attention, and follow-through, and that is exactly the resource most small organizations are shortest on. Your program director is also managing your Google Workspace. Your operations manager is also your de facto IT person. Your executive director is making security decisions without the technical background to know what they do not know. That is the real barrier. It is not that these practices are complicated. It is that the people responsible for implementing them are already stretched to their limit doing the work the organization exists to do.

This is why having a dedicated technology partner who understands both the technical landscape and the movement context matters so much. Not a one-time audit that produces a report and disappears, but an embedded, ongoing relationship where someone is carrying the technical weight alongside your team. That is how we approach it at Shake Technologies. We build deep, long-term relationships with the organizations we work with because digital security is not a project with a start and end date. It is a practice that has to evolve as your organization grows, as your team changes, and as the threat landscape shifts. But regardless of who that partner is for your organization, the principle is the same: small organizations should not be carrying the burden of digital security alone. The threats facing movement organizations right now are not small-organization-sized problems. They require support that matches the scale and sophistication of the adversaries your communities are up against.

If you could wave a magic wand and get philanthropy to fund one aspect of digital security or infrastructure for movement groups, what would it be and why?

Unrestricted, long-term funding for dedicated technology and security capacity within movement organizations. Not a one-time grant for a security audit. Not a line item for a new tool or platform. Sustained, multi-year investment in the people and processes required to keep an organization’s digital infrastructure secure on a daily basis.

The magic wand answer is simple: treat digital security the way you treat any other essential organizational capacity. Fund it like you fund executive leadership development. Fund it like you fund financial management. Fund it like you fund communications. Because in 2026, an organization without sustained digital security capacity is an organization that is one incident away from having its mission, its people, and its community put at serious risk.

The reality is that most funding in this space is structured around discrete projects and deliverables. A security assessment. A new platform. A training series. And those things matter. But what often goes unfunded is the person who has to implement the recommendations from that assessment, maintain them over time, manage data deletion protocols, run staff trainings, respond to incidents at 2 AM, and ensure that security practices actually evolve as the threat landscape changes. That ongoing human labor is what actually keeps organizations safe, and it is the hardest thing to get resourced. Security is not a product you purchase once. It is a daily practice that requires sustained attention, and that means sustained investment in the people doing the work.

What we have seen work incredibly well is when funders recognize that the digital security of their grantees is inseparable from the impact of their grantmaking. We have worked in various cohorts with foundations who stepped into this space intentionally, resourcing the safety and security of the organizations they already fund. If a grantee suffers a data breach that exposes donor information, compromises program participant records, or forces the organization to shut down operations while they recover, that is a direct threat to the funder’s investment and to the communities that investment was meant to serve. When a funder says to their grantees, “We are going to resource your digital security as part of our commitment to your organizational health,” it changes the entire dynamic. It moves security from an unfunded mandate to a shared priority. More funders need to see this not as a separate category of giving, but as a fundamental component of protecting the work they are already investing in.

There is another dimension to this that rarely gets discussed, and it is the sustainability of the service providers themselves. Organizations like ours that do this work, the social justice technology consultancies, the digital security trainers, the embedded IT partners serving movement organizations, we are doing deeply relational, high-stakes work with organizations whose needs are growing every day. In order to sustain that work, to grow our capacity to meet the scale of what this moment demands, we need investment too.

Funding is the most critical piece. Direct grants and investments that allow providers like us to build organizational capacity, recruit and retain talented people who are not just technically skilled but deeply values-aligned with the communities we serve, and train our teams beyond just the technology. The people doing this work need to understand trauma-informed practice, cultural competency, power dynamics within organizations, and the political context that shapes the threats our clients face. That kind of talent does not grow on trees, and developing it takes intentional investment.

But funding is not the only piece. Legal support when navigating complex threat scenarios, mental health resources for teams that are holding the stress alongside the organizations they serve, and pathways to share knowledge across the dedicated community of practitioners doing this work are all essential to keeping providers in this space healthy and effective. If philanthropy is serious about protecting the digital security of the movement ecosystem, investing in the providers who deliver that protection has to be part of the strategy.

______________________________________________________________________

At Change Consulting, we understand the unique challenges organizations face in today’s environment. If you need support building a crisis communications plan or navigating a difficult moment, we’re here to help. Reach out to us at hello@change-llc.com.

Shake Technologies operates at the intersection of Social Justice and Technology. They understand the unique technology and security challenges that nonprofit and social justice organizations face. If your organization is looking for a trusted technology partner, please reach out to them: https://shaketech.com.