How to manage security using a free app, Umbrella

You do security. It might say so in your job title, or it might not. You might not even have a job title. But if you’re making decisions about a team of people—where they work, how they get there, how they communicate—and you’re trying to keep them safe, we need your help. We’re security people ourselves. We face the same problems you do when it comes to managing team security.

We set out to solve them with our free, open-source Android, and iOS and web app, Umbrella. It contains the latest security advice, plus a range of new features to help you manage a team and their information. Now we need to test them. We want your team to use Umbrella and let us know how it’s going, so that we can make it better.

Get Umbrella from Google Play, iOS Store, Amazon, F-Droid or use the online web app.

This guide will show you what Umbrella can do, and help you get your team on board.

1. WHY USE UMBRELLA?

It’s comprehensive. - Sourced from publications by EFF, Tactical Tech, Frontline Defenders, Humanitarian Practice Network, CARE international, and many others. - Covers digital security, physical and operational security, including stress. - Appropriate for beginners, with additional content for advanced and expert users. - Want a new module? See the Get Involved section below.

It’s secure. - SQLCipher encrypted database hosted on reliable EU-based systems. - Best practice security methodologies: - CIS Benchmarks; - ISO 27001 standard; - Open Web Application Security Project (OWASP) Application Security Verification Standard Level 1‐3 (ASVS). - We conduct penetration testing and monitor our infrastructure. - Check our audit, code, and responsible disclosure policy.

We’re sharing, not selling. - Umbrella is an open-source, grant-funded project for NGOs. It’s not proprietary, it’s free. - We’ve made it as easy as we can for you to reuse and add to our content and code. - Developers, you can build your own Umbrella using our secure mobile CMS, Tent. Ask us how at info@secfirst.org.

2. MANAGE INFORMATION WITH UMBRELLA

Prepare with lessons, checklists and forms

a. LESSONS

Umbrella security lessons

Anyone in your team can take our easy security lessons at their own pace.

b. CHECKLISTS

Umbrella checklists to track progress
  • Add your own items or lists.

  • Share checklists to use offline or work on as a team.

  • Completed checklists demonstrate compliance for legal and insurance purposes.

c. FORMS

Umbrella forms to compile secure protocols
  • Compile secure itineraries and protocols.

  • Share with your team (Data is encrypted within the app while password protected, not when exported. Only share data with trusted email accounts on a secure network).

Respond to threats with alerts, masking, and emergency support

a. ALERTS

Umbrella feed to monitor local threats
  • Monitor local threats with live security alerts from trusted sources.

  • Add your own RSS feeds for customised updates.

  • No geolocation or tracking—you input location. We can’t see it, and neither can anyone else.

b. MASKING

Mask Umbrella app in high-risk settings
  • Disguise Umbrella in high-risk settings (or do emergency sums).

  • Simply shake to unmask.

c. DEBRIEF WITH INCIDENT FORMS

Umbrella incident forms for debrief

3. MAKE UMBRELLA WORK FOR YOU.

K is running a team spread across three countries. Staff have various levels of training—in some cases, none at all. Risk levels vary, from sources who require total anonymity, to an office administrator with no field experience and limited digital expertise beyond Microsoft Office. Here are some different ways for K to make use of Umbrella.

i. Adapt Umbrella

Umbrella was designed to meet the needs of people from different sectors operating at various levels of risk. To adapt Umbrella for the needs of the team, K should:

  • Point team members towards the most appropriate lessons and tool guides. Warn of any deviation from existing policies to avoid confusion.

  • Take mitigating action if having Umbrella on a particular device could increase risk.

  • Review legal and insurance requirements for security or duty of care to incorporate Umbrella.

Umbrella should complement and streamline K’s security strategy. It can’t replace a proactive security manager. Umbrella offers advice on what to do in risky situations. The advice may not always apply and you should consider all potential risks, use a wide range of advice, and use your own judgement. See our full terms of service.

ii. Customise Umbrella with Tent

K wants to put existing policies in a secure app. K has a technical background and a colleague in IT who’s up for a challenge. They build their own version of Umbrella at minimal cost using open-source tools, including Security First’s mobile CMS, Tent.

iii. White label Umbrella with Tent

K’s manager contracts Security First to white label Umbrella with the organisation’s own brand and content—no technical background required.

Request more details or a quote at info@secfirst.org.

4. GET INVOLVED

Make Umbrella into the tool you want it to be. See something missing or outdated? Want to request a module? Want to write one? Email info@secfirst.org or fork our content repo on GitHub.