The Political Campaign Cybersecurity Training Every Staffer Needs

IMGE’s Comprehensive Guide to Implementing Campaign Security Best Practices.

Strategy Development

With increased cyber-attacks across the globe, it is more important than ever to be implementing best practices at every level of the campaign team.

Are you working on a political campaign? Here’s what you need to be doing to make sure you aren’t putting your campaign’s cybersecurity at risk.

What Is Cybersecurity?

Cybersecurity is more than just “strong passwords.” Cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

“With access to valuable voter demographic and financial data, not to mention campaign strategies and communications, political campaigns are soft targets for nefarious actors, including sophisticated nation-states and financially motivated actors,” warns Micah Yousefi, Founder of Public Trust Technologies.

You need to make sure that your campaign is secured at two levels:

  1. The institutional level
  2. The individual level

In this article, we’re going to focus on how individuals on a campaign can contribute to the whole team’s cybersecurity. Join us as we lay out some of the best practices to securing your campaign and avoiding common scams.

Secure Your Passwords

Passwords are your first line of defense for all your devices and data. Make sure you are using a strong password on every platform to help keep out any unauthorized access, and always use two-factor authentication (2FA) where available.

The best way to keep passwords secure? Minimize who has access to them. Consider who on the campaign team really needs access to campaign accounts and grant access accordingly.

Here are some password do’s and don’ts to keep in mind.


  • Eliminate password reuse.
  • Contain at least 8 characters. 20 is recommended.
  • Contain a mix of alpha, numeric, and special characters.
  • Use a passphrase if possible: ex. “It’s time for a vacation.”
  • Consider using a password manager like 1Password to securely generate and store passwords.


  • Use personal information (birthdates, addresses, phone numbers, pets, high school mascots, etc.).
  • Use patterns (aaabbb, qwerty, 123321, etc.).

In sum, if your campaign is using the password “victory2022”, it’s time to change it right now.

Secure Your Devices

Passwords aren’t the only entity that needs to be kept secure. You must also make sure you are securing the physical devices your campaign is using.

  • Stay current with software updates for apps, operating systems, and anti-virus software.
  • Ensure access to campaign devices are protected with a strong passcode.
  • Never leave campaign laptops, tablets, and phones unattended.

Your Guide to Common Cyber Threats

What kind of cyber threats might you personally face? Some examples of various threats are:

  • Email Address Spoofing: When someone uses an email that is similar to an existing email address to confuse you. For example, someone might use a lower case “L” to look like an “I” (ex: [email protected]).
  • Targeted Attacks: Someone may use publicly available information to seem legitimate. This may be combined with other threats to get you to trust this person.
  • Malicious Links: Links that lead to harmful downloads can be sent in an email body or in attachments. Never click on a link from an unknown source!
  • Phishing Call: Someone may call you masquerading as IT support or a client/vendor/company executive and ask for confidential information.

How to Recognize a Cyber Scam Attacking Your Campaign

Have you received a suspicious message? Scammers use specific tactics that may make you more susceptible to their phishing scams. Here are the techniques scammers use that should set off your alarm bells:

  • Authority: The message may claim to be from a trusted official or campaign donor.
    • Example: You get an email that claims to be from the campaign manager and he needs you to hurry up and purchase gift cards for him within the next hour for an event.
  • Urgency: You will be told you have limited time to respond. This is so you feel rushed into not verifying its authenticity and providing potentially sensitive information.
    • Example: You get a message demanding a Venmo transfer that must be paid within an hour.
  • Emotion: You get an email filled with language that makes you feel panicked, fearful, hopeful, or curious.
    • Example: You get an email filled with threatening and condemnatory language from someone purporting to be an unpaid vendor.
  • Scarcity: You get an email offering you something that is in short supply.
    • Example: You get a text from a vendor demanding urgent payment for a limited inventory product.

Don’t fall for phishing scams! Always verify through a second medium if a request seems suspicious. Remember: Email addresses and phone numbers can be spoofed. Better safe than sorry.

The Weakest Part of Your Campaign’s Cybersecurity? The Humans on Your Campaign

The grassroots, get-it-done-yesterday energy of political campaigns is invigorating, but not always conducive to building strong institutional cybersecurity practices.

Your dedicated — but untrained — volunteers will always be one of the weakest points in your infrastructure. Make sure you are creating a culture of caution around digital security, and providing the education your staff needs to avoid falling victim to a phishing attack. Have them read this article, and make sure they internalize the lessons from it while they have access to campaign digital accounts and data.

All of this seem overwhelming? Work with a professional firm like IMGE to set up your campaign’s digital infrastructure. As a SOC II Type 2 Certified firm, we can be a partner to building a secure and effective digital operation for your campaign. 

Contact us today to learn more.

Thanks for reading!

While you're here, check out these related articles: