Voter information and data are often a campaign’s most valuable assets, and a candidacy can rise or fall based on how well the organization protects them. From email hacking to spear phishing to denial-of-service attacks, campaigns face a host of cybersecurity threats.
Still, they need to be active online and employ all the digital tools at their disposal in order to be successful. In this environment, no campaign, regardless of its size, can afford to neglect cybersecurity.
Here are five common cybersecurity mistakes and some advice on how to avoid making them.
1. Neglecting The Basics
Recently, the New York Times aptly described presidential campaigns as the “ultimate startups,” and this analogy can be applied to a campaign at any level. Campaigns start from scratch and grow rapidly, posing a host of challenges that divide a campaign manager’s attention.
Now, it’s crucial for cybersecurity to be prioritized from the beginning and not get lost in the shuffle. As staff is hired and roles are defined, make sure one staffer is tasked with managing cybersecurity and providing regular status reports. Campaigns should use current anti-virus and anti-malware software, content and email filters, firewalls, a data backup system and secure Wi-Fi networks. Throughout the campaign, be sure all operating systems, software, and browsers remain up to date. If any of this sounds foreign or intimidating, an IT consultant can help you navigate the basics.
2. Failing To Foster A Culture Of Security
The human element has often been called the weakest link in cybersecurity. The best way to minimize the risk of mistakes is to create a campaign culture in which everyone is invested in and values security. Never assume staffers, interns and volunteers understand cybersecurity — even when they are Millennials.
Instead, train them on their role in keeping the campaign’s information protected — with an emphasis on recognizing phishing and spear phishing emails that are designed to trick them into giving away credentials or installing malware. Training should also cover smart social media practices, ground rules for downloading software, and the importance of strong passwords.
Beyond formal training sessions, talking about security regularly at staff meetings, encouraging workers to think about security at the front end of projects, and displaying policies and tips around the office can help build a cybersecurity culture.
3. Forgetting About Personal Accounts And Mobile Devices
In one of the most widely publicized campaign cybersecurity incidents, then-Alaska Gov. Sarah Palin’s Yahoo! email account was hacked in September 2008. More recently, hackers have compromised the personal accounts of CIA Director John Brennan and DHS Secretary Jeh Johnson. As you think through campaign security issues, don’t forget to assess cybersecurity practices outside of the office.
If the candidates and staff have personal email accounts, they should use complex passwords and change them regularly, set security questions that cannot be answered based on publicly available information, and avoid forwarding sensitive campaign emails and documents to the personal accounts.
Mobile devices are highly vulnerable to cybersecurity threats: don’t neglect them as you form a security plan. The mobile devices belonging to candidates and staff, including laptops, smartphones, and tablets, should always be password protected and should have a remote wipe function that erases the device if it is lost.
Experts recommend using a virtual private network (VPN) for mobile devices to safely access the campaign’s network and to encrypt internet activity while on an untrusted or public Wi-Fi network. Further, exercise caution when downloading apps. Downloading from trusted sources will minimize the risk of inadvertently installing malware.
4. Leaving Voter And Donor Information Vulnerable
More than ever, campaigns are gathering and storing voters’ and donors’ personal information, including biographical information and policy preferences. In any campaign, the candidate must gain and keep the public’s trust, and therefore protecting the information voters provide to the campaign is crucial. Use a database that allows you to vary users’ access. This means you can assign individuals or groups database rights commensurate with their role in the campaign. For example, perhaps some individuals should only be permitted to see information and not change it, while others only need to be given permission to access a small portion of the data.
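The tiered access described above, shown as an added PostgreSQL example (not part of the original article). The table, view, role, and user names are constructed for illustration.

```sql
-- Constructed schema: one table holding supporter and donor records.
CREATE TABLE supporters (
    supporter_id   bigserial PRIMARY KEY,
    full_name      text NOT NULL,
    email          text,
    precinct       text NOT NULL,
    donation_total numeric(10,2) NOT NULL DEFAULT 0,
    policy_notes   text
);

-- Start from no access: nobody reads the table unless a role grants it.
REVOKE ALL ON supporters FROM PUBLIC;

-- Group roles (NOLOGIN) carry the permissions; people are added as members.
CREATE ROLE campaign_readonly NOLOGIN;  -- may see everything, change nothing
CREATE ROLE field_canvasser   NOLOGIN;  -- may see only a small portion
CREATE ROLE data_manager      NOLOGIN;  -- may read and modify records

-- "See information and not change it": SELECT only, no write privileges.
GRANT SELECT ON supporters TO campaign_readonly;

-- "Access a small portion of the data": a view exposing only the columns
-- needed for door-knocking, with no email, donations, or policy notes.
CREATE VIEW canvass_list AS
    SELECT supporter_id, full_name, precinct
    FROM supporters;

-- The view is granted, the base table is not, so members of this role
-- cannot query supporters directly.
GRANT SELECT ON canvass_list TO field_canvasser;

-- Full read/write for the small group that maintains the data.
GRANT SELECT, INSERT, UPDATE, DELETE ON supporters TO data_manager;
GRANT USAGE ON SEQUENCE supporters_supporter_id_seq TO data_manager;

-- Individual accounts (hypothetical names) inherit rights from their group.
CREATE ROLE finance_lead   LOGIN;
CREATE ROLE volunteer_01   LOGIN;
CREATE ROLE database_admin LOGIN;
GRANT campaign_readonly TO finance_lead;
GRANT field_canvasser   TO volunteer_01;
GRANT data_manager      TO database_admin;

-- When someone leaves the campaign, remove the membership and the login.
REVOKE field_canvasser FROM volunteer_01;
ALTER ROLE volunteer_01 NOLOGIN;
```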
In September, the Online Trust Alliance, a non-profit that promotes online information security, conducted an audit of the 2016 presidential candidates’ website privacy and security. The results serve as a helpful guide to best practices for campaigns. Moreover, the group’s report emphasizes publishing an adequate privacy policy on the campaign website and securing the site to protect information users share with the campaign. The commitment to protecting personal information shouldn’t end when the campaign does. It’s important to have a plan in place for what will happen to the campaign’s data after Election Day.
5. Ignoring Cybersecurity As A Campaign Issue
The recent cyber attack on the Office of Personnel Management highlights the need for government officials to understand and act on cybersecurity. Any candidate for public office should consider how he or she will protect sensitive information if elected and what, if any, policy changes will be necessary to do so. To that end, candidates should address cybersecurity in their platforms and be prepared to discuss it on the campaign trail. Ignoring cybersecurity as an issue could be just as hazardous for a candidate as ignoring it in practice.
James Norton, a former defense-industry executive and deputy assistant secretary in the Department of Homeland Security, is currently an adjunct professor at Johns Hopkins University and a senior adviser at The Chertoff Group. Follow him on Twitter @jamesnorton99.