As threats from criminals and state-backed hackers grow, candidates and elected officials continue to be targets for cyber attacks like cyber vandalism and ransomware. It doesn’t matter that the campaign is separate from an elected official’s government organization: the goal is disruption, and campaigns offer numerous points of entry.
Cybersecurity has, unfortunately, become a key consideration for campaigns that need to protect themselves from digital threats. Here are six steps any campaign can follow to make its cybersecurity as strong as possible.
Clean Up Access Permissions
Make sure only the people who need to have access have access. Delete old email accounts from your Google Business account. Remove former staff from admin roles on Facebook. When someone leaves, their access should go too.
Attackers can use old, inactive accounts to gain access to your campaign through a variety of methods.
Update Passwords and Set Up A Password Manager
Use a password manager to create, store, and share strong passwords. Passwords should be a minimum of 12 characters and contain a mix of upper and lowercase letters, numbers, and symbols.
Never use the same password for multiple sites or applications. In many data breaches, hackers can gain access to users’ email addresses and passwords and post them online. If you use the same password, it’s simple for attackers to log in to your other accounts.
Enable Two-Factor Authentication Everywhere
Two-factor authentication (or “two-step verification”) is an additional layer of security that requires not only a password and username but also something that the user has on them, like a phone.
Most campaign applications offer two-factor authentication, including Google G Suite, Facebook, Twitter, Slack, and more. Even if someone personally uses a weak password, an attacker who doesn’t have that person’s mobile device still can’t get access.
Campaign Cybersecurity Means Everyone
You’ll have consultants, allies, and vendors who have access to sensitive campaign information. Make sure they’re also following these best practices, like using a password manager and two-factor authentication.
If someone’s device is lost or stolen, that puts your campaign at risk. The phishing attack that led to Hillary Clinton’s leaked emails didn’t come from within her campaign, but rather from an outside consultant with poor cybersecurity.
Most importantly, the candidate needs to secure all of their own personal online accounts. Attackers may go after the personal email and social media accounts of candidates in order to gain access to campaign-related information.
Audit and Update Security Settings on All Third-Party Apps
For all of the other services you use, like Dropbox, Amazon Web Services, GoDaddy, and others, make sure you are using strong, unique passwords and aren’t inadvertently exposing sensitive information like voter data or polling data.
When you no longer need an account, close it out completely. Inactive accounts can be a vector for attack as well.
Get Notified Of Breaches
Use free services like Have I Been Pwned? or Firefox Monitor to be notified when your email addresses, both personal and professional, are involved in a data breach. That way, you can take steps like changing your passwords to protect your accounts before an attacker gets in.
Re-used passwords exposed in breaches are often how attackers will try to gain access to other accounts you use.
There’s no guaranteed answer for campaign cybersecurity, but if you follow these steps, you’ll be less vulnerable, and cyber criminals or state-backed hackers will move on to other, less prepared targets.
While campaign cybersecurity might seem daunting, it’s important to remember that these basic steps can prevent a misstep that will set your campaign back and distract from all of your other hard work.