
Campaigns & Elections


How to Do Cybersecurity Triage

Much like you don’t need to know brain surgery to save someone in an accident, there are easy steps that you and your organization can take to lessen both the chances of a cybersecurity-related incident and the damage if one occurs.

Cybersecurity is too often considered a purely IT-oriented issue when in reality it’s also a training and human resources one.

In fact, some of the biggest vulnerabilities can be solved by having top-down policies and protocols. I should note that in many states, you’re actually required by law to have them.

First, if your organization’s policy is to make basic cybersecurity practices optional, and not a mandatory—and enforced—condition of employment, then you’ll never be adequately secure.

Good policy starts from the top and must be treated similarly to sexual harassment training. You can’t assume your staff, vendors, or consultants know how to conduct themselves in a secure way, and even if they do, that they’ll take the time to do what you’re asking. Your organization’s rules must be codified and understood and agreed to, and someone needs to be responsible for compliance. Moreover, there needs to be a channel for management to react to incidents.

Everyone who has access to important or private information should understand, and agree to, at least these basics:

  • To use two-factor authentication on any email accounts where political business is discussed, and on social media accounts.
  • To use complex passwords and an encrypted password manager.
  • To use VPNs (virtual private networks) whenever on public wifi, or avoid public wifi entirely.
  • To have anti-virus software on their computers.
  • To keep all operating software on every device they use updated.
  • To keep older data offline and securely stored.
  • To avoid using the same devices for work and personal use, and where that can’t be avoided, use the same security settings for personal accounts as are required for campaign ones.
  • To delete or archive in cold-storage anything non-essential to the work you’re doing (or anything potentially embarrassing).
  • To immediately notify a superior of any irregularities, loss of devices, or known incidents.

Organizations themselves must have their own protocols in place, including:

  • To restrict access when someone gets fired or leaves.
  • When the campaign ends, to close accounts and archive old data.
  • To update website security and plug-ins.
  • To have an incident response plan in case of a problem.
  • To educate and train new incoming staff and volunteers.
  • To understand their current security status.
  • To have someone dedicated on staff who’s responsible for reporting on (and aiding with) your staff’s compliance.
  • To impose these and other key standards on your vendors.

That last bullet is of particular importance: It’s likely that only a small minority of even your tech-savvy people are currently taking cybersecurity seriously, and some of the rest are making potentially disastrous decisions that could affect your campaigns (or the ones you’re supporting).

These can’t be “recommendations” or “best practices.” They need to be part of doing business.

One political party we worked with took these recommendations to heart. We helped them understand their issues and how to solve them, and they made a top-down commitment to change. In only a few short weeks, they instituted new standards of security up and down the organization. And if there ever is an issue, they’ll know better how to react and what to do.

If you do have an incident, take it seriously—particularly if there might be a potential breach of credit card numbers, social security numbers, or user names/passwords. 

Don’t assume you know the scope of the breach. You’ll immediately want to talk to an experienced cybersecurity attorney and forensics team to figure out both the extent of the breach and the potential legal liabilities. (Don’t just restore from backups! You’ll overwrite the logs, which may be evidence, and the backups may be corrupted, too.)

As you might imagine, the cost of these teams can be much higher than the cost of training your staff and instituting protocols.

Most of these policies and procedures would be part of what’s called a Written Incident Response Plan (a WISP), which is also expected to be part of the reasonable precautions most states require.

In the end, if you’re not addressing the human resources aspect of cybersecurity, you’ll have trouble implementing even the most basic technical ones.

Brian Franklin is co-founder of Campaign Defense, Inc, a cybersecurity training firm.

By
Brian Franklin
05/22/2019 12:20 PM EDT
Copyright © 2023 Political World Communications, LLC
