Written by: Elyse Sheppard, IMGE Intern
Date: August 7, 2018
In the 2016 U.S. election, every significant presidential campaign was targeted by cyber attacks. And the threats continue to mount: so far, experts have discovered targeted hacks on at least three Congressional campaigns in the upcoming 2018 elections.
Our current political environment welcomes outsiders and grassroots campaigns. More first-time candidates are organizing grassroots campaigns than ever before. Yet with short timelines and a try-whatever-it-takes-to-win culture, campaigning has never been a highly lucrative or secured industry — not for the campaign professionals, and especially not for first-time candidates. This may have many concerned that they don’t have the resources to protect their campaign data. Luckily, there are some basic measures you can take that will add some protection.
It Starts At the Beginning. . .
Campaign security starts at the onset. This is an especially important lesson for first-time campaigners. The weakest part of any security system is the people who use it; your team must remain vigilant with these best practices. If you can create a culture that is focused on safety and accountability within your campaign, you will only need to take basic measures to ensure the security of your campaign.
Keep Campaign Emails Out Of Your Personal Inbox.
Ensure that anyone associated with the campaign keeps personal and professional accounts separate. Drill this into your campaign culture. You don’t want campaign business discussed through personal emails, as these accounts likely have a much weaker server and are more at risk for phishing tactics.
Phishing is a common tactic used by hackers to steal passwords and information by posing as a trustworthy entity. If users click on a link sent through phishing and unwittingly provide their password, they are unknowingly giving access to communications that span years back. If staffers conduct campaign communications through personal accounts, this information could fall victim to phishing tactics.
Use Secure Third-Party Apps.
You can keep your campaign data safe by relying on trusted third-party software. These companies have been tested for multiple kinds of security attacks and are held to high safety standards, so you know your data will be safe. Remember to activate all security settings when you set up any third-party software.
At IMGE, we use third-party software such as Iterable, Marketing Cloud, Revv, and Google business apps to keep our clients’ data safe.
Amp Up Your Passwords.
Campaign staff should enable security features on campaign accounts by default before they assign email addresses to individual team members. Users should also have strong passwords and avoid reusing passwords for every account.
If remembering passwords comes as a challenge to you, try making a unique sentence in your head and use the first letter of each word for creating your password. You can diversify this per site using the dynamic password trick. Here’s how it works: Make a considerable amount of your password the same, but have part of the password change depending on some unique characteristic of the site, such as its color scheme or purpose. An example would be like so:
Furthermore, try adding a layer of security on top of your passwords using two-factor authentication. With this security feature, even if your password is compromised, hackers would need a second code (usually a notification to a person’s phone) to gain access. Although it can be annoying to need capital and lowercase letters, numbers, and symbols, a strong password and two-factor authentication are the easiest and best protection available to you and your team. Information security is becoming more of an issue as technology grows, and by not taking these two simple steps, you are putting your information at risk.
Use Encrypted Communications.
Encrypted chat apps prevent hackers from intercepting and accessing your communications. End-to-end encryption with forward secrecy secures all instant messages to users of the same software, and some even offer end-to-end encrypted file transfer support and group messaging. Some popular apps are WhatsApp, owned by Facebook, and Signal.
It’s critical to use encrypted chats when sending important information like polls, strategy memos, and budget numbers within and beyond the campaign. This will mitigate the risk of seeing your important documents and strategic information posted online.
Leverage Against Human Error.
Despite our best efforts, it’s still human error that leads most commonly to security breaches. Because of the nature of campaigns, many low-level volunteers are given access to accounts with important information and capabilities. There have been too many security breaches due to these volunteers recycling passwords or clicking on phishing links.
From the beginning, it is important to create a culture in your campaign that stresses the importance of privacy, caution, and accountability. But as much as this helps, it can only do so much in circumventing human error. For that reason, we recommend making sure individuals — especially low-level volunteers — don’t have too much access to important documents and accounts.
. . .And Lasts Throughout the Lifetime of the Campaign
Once you have instilled the basic measures into the structure of your campaign, feel confident that you have created an accountable and preventative culture in your workplace. However, beyond these initial measures, it is important that you continuously test the security of your campaign as cyber threats are always evolving.
First, prioritize software updates, including those for your operating systems and applications. Developers creating these updates are always adding better security features, so it is important for your campaign security that you always have the latest and best versions.
Second, implement a comprehensive, campaign-wide incident response plan. Make sure your staff is comfortable with how to conduct the plan, and test it regularly. You can test it through penetration testing, which is an authorized simulation attack on a computer system that you can perform to evaluate the security of the system. Always be on the lookout for anomalous behaviors.
Additionally, remember to back-up and segregate your data for recovery. In the case of a security breach, you will want to have your data saved in another place so that you do not lose access to it.
You can also enhance the security of your campaign by purchasing new programs such as Google’s Advanced Protection Program. This program offers Google’s strongest security and protections against phishing, and limits which third-party apps can access your sensitive data. You can also use the free Chrome extension Password Alert to monitor which sites you use the same password as your Google password. Ideally, you should not use your Google password for any other site, so knowing which ones you do use it for can help you change them to avoid phishing.
Creating a New Culture of Campaign Cybersecurity.
As helpful as these security measures are, we urge you to remember the most crucial aspect of campaign security: your office culture. If your campaign is going to succeed amidst today’s security concerns, your strongest defense against hackers is a culture of prevention, accountability, and care. As Debora Plunkett, the former director of information assurance at the National Security Agency said, “our democracy is in your hands, so take good care of it.”