Digital Harm Is Protection Work in Conflict Zones
Access Now’s upcoming webinar on May 19, 2026 gives a useful name to a reality many civil society organizations already understand from experience: in conflict and crisis settings, digital harm is not separate from protection work. It can decide who stays reachable, which sources remain safe, whether evidence survives, and how quickly an organization can recover after disruption.
The session is part of the Digital Security Helpline’s Safe and strong series and is framed around digital security challenges for civil society in war and conflict, with a focus on tools for resilience. The speaker list spans Access Now, WITNESS, Cloudflare, and Oxfam. That mix matters. It signals that the problem is not just malware, password hygiene, or staff training. It touches operations, platforms, infrastructure, documentation, humanitarian response, and policy.
Important boundary first: the source is an event page, not an incident report or technical advisory. It should not be read as evidence of a new exploit, campaign, or threat actor tactic. Its value is different. It shows how mainstream support organizations are increasingly treating digital exposure as part of the broader harm picture in armed conflict and humanitarian crises.
For civil society groups, that shift is practical. The useful question is no longer only, “Are our tools secure?” It is, “Can we keep people safe and keep operating when digital systems are targeted, degraded, seized, or turned against us?”
Why digital harm belongs in protection planning#
In stable environments, digital security is often framed as risk reduction: prevent account compromise, avoid phishing, patch devices, back up files. Those actions still matter. But in conflict settings, the consequences of digital failure can become immediate and physical.
A compromised inbox can expose beneficiaries, witnesses, journalists, local partners, or evacuation plans. A seized phone can reveal movement history, contact networks, internal coordination, or sensitive photos. A lost administrator account can interrupt aid coordination, public reporting, fundraising, or emergency communications. A platform outage or blocked service can cut off outreach during the exact moment people need verified information.
That is why “digital security” is too narrow if it is treated as an IT-only topic. In conflict and crisis work, digital systems carry identity, trust, evidence, location, money, relationships, and continuity. When those systems fail, the damage may not stay online.
This framing is especially relevant for organizations documenting abuses, supporting displaced communities, running hotlines, coordinating field teams, or communicating with at-risk groups. The digital layer can become a protection layer. If it collapses, people may lose access to help, confidentiality, or proof.
A protection-oriented approach does not require every staff member to become a security engineer. It requires leadership, program teams, legal teams, communications staff, and technical support to share a common map of what digital failure would mean for people.
Resilience is more than hardening devices#
The webinar’s cross-sector lineup points toward a useful model: resilience has to work across several layers at once. Endpoint security is part of it, but not the whole picture. Civil society organizations need to think about access, identity, continuity, and escalation.
1. Access: who can still operate when something breaks?#
Every organization has mission-critical accounts and channels, even if nobody has formally named them. These may include email administrators, cloud storage owners, social media accounts, donor platforms, case management systems, encrypted messaging groups, domain registrars, website hosting panels, and shared document repositories.
In a crisis, access problems escalate quickly. If one person is detained, displaced, offline, or unreachable, can anyone else publish urgent updates? Can the team contact partners? Can staff reset passwords without exposing themselves? Can leadership verify which communication channels are still safe?
Access planning should identify single points of failure before disruption happens. If one administrator controls the organization’s email, website, and storage, that is an operational risk, not just a technical inconvenience. If recovery depends on a phone number in a country where networks are unstable, that is a protection risk. If only one staff member knows where backups are stored, continuity depends on one person’s availability.
Good access planning asks: what must remain available, who needs emergency authority, and how can access be restored without creating new exposure?
2. Identity: can people and systems be trusted under pressure?#
Conflict settings create more opportunities for coercive access, impersonation, phishing, account takeover, and recovery failure. Attackers may not need sophisticated tools if they can exploit confusion, fear, staff turnover, poor documentation, or urgent requests.
Identity controls are often discussed as abstract security measures: multi-factor authentication, password managers, administrator roles, account recovery codes, device approval, and verification procedures. In crisis settings, these are not abstract. They can be the difference between quick recovery and operational paralysis.
For example, strong multi-factor authentication can reduce the chance that a phished password becomes a full account takeover. But recovery planning matters just as much. If staff lose phones while fleeing, are locked out by number changes, or cannot access office devices, the organization needs safe recovery paths. Otherwise, security controls can accidentally block legitimate staff during emergencies.
Identity also includes human verification. If a message arrives claiming to be from a director, lawyer, field coordinator, or partner organization, how does the team confirm it? In high-stress conditions, a simple out-of-band verification habit can prevent damaging mistakes.
3. Continuity: can the organization keep functioning during disruption?#
Resilience does not mean preventing every incident. That standard is unrealistic in armed conflict, where outages, device loss, border searches, raids, displacement, platform blocks, staff turnover, and incomplete documentation may be normal operating conditions.
A resilient organization is one that can continue essential work when a device, channel, person, or service becomes unavailable. That requires prioritization. Not every workflow deserves the same level of protection. Not every record needs to be retained forever. Not every staff member needs access to every sensitive file.
Continuity planning should define the minimum viable operation: what must continue in the first hour, first day, and first week after disruption? For some groups, that may be hotline availability. For others, it may be evidence preservation, emergency partner coordination, payroll, public messaging, legal referrals, or field team check-ins.
Once those priorities are clear, technical decisions become easier. Backups, alternate channels, admin delegation, device policies, and data retention rules can be built around real operational needs instead of generic checklists.
Practical takeaways for civil society and support organizations#
Because the source is a webinar announcement, the safest way to use it is as a planning prompt rather than as a technical checklist. Still, several evidence-bounded takeaways follow directly from its framing.
Put digital risk into protection meetings#
Digital security should not sit only with IT staff or the “technical person” in the office. It belongs in protection, program, legal, and leadership discussions. The people who understand field risk often know which records, contacts, routes, or identities would create harm if exposed.
Start with simple questions:
- What work stops if a key account is lost?
- Which records would create real-world harm if exposed?
- Which staff, partners, sources, or beneficiaries need priority recovery support?
- Which platforms are essential for public communication or emergency coordination?
- Who has authority to suspend, rotate, or recover access during a crisis?
This turns digital security from a compliance exercise into a protection conversation.
Prepare for unstable conditions before they arrive#
Conflict plans should assume intermittent connectivity, device loss, displacement, blocked services, and incomplete documentation. Plans that only work from the office, on stable internet, with everyone’s usual phone number, are fragile.
Practical steps include reducing dependence on single administrators, storing recovery codes safely, maintaining updated emergency contacts, documenting critical accounts, and deciding which backup communication channels are acceptable for which types of information.
The goal is not to build a perfect system. The goal is to remove avoidable failure points before people are under pressure.
Separate sensitive workflows#
Organizations should avoid handling evidence, public messaging, routine coordination, donor communication, and beneficiary support through the same accounts and devices when possible. Mixing everything increases blast radius. If one account is compromised, too much becomes exposed.
Sensitive evidence should have stricter access controls than routine documents. Public-facing accounts should not be managed from the same weakly protected devices used for casual browsing. Case files should not be scattered across personal inboxes and messaging apps without a retention or deletion plan.
The principle is simple: the more sensitive the material, the fewer people, tools, and endpoints should touch it.
Rehearse the first response#
The first 15 minutes after account compromise, device seizure, or suspected impersonation often matter more than a long policy document nobody can find. Staff should know who to alert, which channels to stop using, and where backup communication lives.
A basic first-response rehearsal can cover:
- how to report a suspected compromise;
- who can disable accounts or revoke sessions;
- how to warn affected staff or partners;
- what information should not be sent over potentially compromised channels;
- where incident notes should be recorded;
- when to escalate to external support.
Short drills are useful because they expose assumptions. If nobody knows who owns the domain registrar account, that is better discovered during a rehearsal than during an attack.
Line up outside help early#
The Access Now event highlights the Digital Security Helpline’s support role. The operational lesson is straightforward: trusted escalation paths should exist before a crisis.
During an incident is the worst time to search the internet for expert help, evaluate unfamiliar vendors, or decide whether a message from “support” is legitimate. Civil society groups should identify trusted digital security responders, legal contacts, platform escalation routes, hosting providers, and peer organizations in advance.
Support organizations can help by making these pathways easier to understand and safer to use. This includes clear intake processes, multilingual support, realistic guidance, and respect for the fact that affected groups may be operating with limited time, bandwidth, and trust.
What support organizations should take from this shift#
For donors, humanitarian agencies, digital rights groups, and infrastructure providers, the bigger signal is that digital safety is now part of conflict resilience. That should influence funding, program design, and incident response.
One-off trainings are rarely enough. Organizations need sustained support for account architecture, secure documentation workflows, recovery planning, device replacement, website resilience, platform escalation, and leadership decision-making. They also need help that fits operational reality, not ideal lab conditions.
Support should be threat-informed but not fear-driven. Not every group faces the same adversary. Not every risk requires the most complex tool. Overly complicated advice can reduce safety if staff cannot maintain it during displacement, stress, or low connectivity.
A practical support model starts with what the organization must protect and continue. Then it builds controls around those priorities.
Conclusion: resilience is the protection standard#
Access Now’s May 19 webinar does not present a new technical finding, and it should not be treated as a warning about a specific campaign. Its importance is broader: it reflects a posture change. Digital safety is being discussed as part of humanitarian protection and conflict resilience, not as optional IT hygiene.
For civil society organizations in conflict settings, that is the right direction. The baseline question is not just whether tools are secure in theory. It is whether people can remain safe, reachable, and credible when accounts are compromised, devices are seized, platforms fail, or networks become unreliable.
That standard is harder than a checklist, but more useful. It connects digital security to the work civil society actually needs to preserve: trust, evidence, access, identity, and continuity under pressure.