What risk is there, really?
Too many campaigns say to themselves: look, why bother with complex passwords, device security and other tools in my campaign? I’m only running for office XYZ, not the presidency! The world, however, is a very different place. Candidates and elected officials at all levels, from school board, state house and state senate to congressional candidates, have all found themselves to be targets of hack attempts. In the last few weeks, as an example, someone has more than once made an effort to hack the social media feeds I’m connected to, for myself or others.
What exactly is at risk? Political campaigns keep a lot of data in their social media and email accounts, whether it is direct communication with voters and donors or internal messaging about the state of the campaign. As a result, making sure that you are using at least some basic security in your campaign is very important.
Passwords, MFA and secure hosts
If you haven’t already, one of the first steps you should commit to is multi-factor authentication. Securing your Facebook, Twitter, and email with multi-factor authentication makes hacking your accounts much more difficult.
Within Twitter, account security also allows for login verification. What does multi-factor password security mean? It means a login on one device, even with the correct password, is not automatically verified unless the user signals it is “OK”, normally using a mobile phone and either a code presented by text message or an on-phone application. This is the most secure method, by far. It means that in order to crack your account someone would need not just your password, but also your mobile phone or a SIM card with its number.
Email is, of course, the source of more data breaches and potentially dangerous hack attempts. Keep these rules in mind:
- your passwords should be complex or generated through an outside app.
- your email host should provide for multi-factor authentication: Gmail, Yahoo, Office365 all offer this as a feature.
- AVOID putting any sensitive data of any sort in an insecure POP3/IMAP host. If you get free email with your hosted WordPress or website, think carefully about using it. Moving your email to a secured provider is often the right move.
The best advice is always to use a different password for every item on your list. Users frequently use the same clever password over and over and over again. This means that if one password on one website is compromised, a large group of other passwords is compromised. To help simplify this process, most IT professionals, including the staff at Daily Kos, recommend in-browser or on-PC/Mac tools that keep track of your passwords and help secure them, such as applications from companies like Symantec, Dashlane, and LastPass. These will all generate and store complex passwords for all of your applications and use multi-factor authentication to secure them, often with biometrics and secondary apps if your phone supports those tools.
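To see how far one reused password reaches, here is a small audit script, added as an illustration and not part of the original article. It assumes a CSV export with name, username and password columns; the sample rows are constructed, real password-manager exports use different layouts, and the function names are made up for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are an assumption for this example.
SAMPLE_EXPORT = """name,username,password
Facebook,candidate@example.org,Vote2018!
Twitter,candidate@example.org,Vote2018!
Campaign email,candidate@example.org,k7#Qz!pV9wLr2@xT
Website admin,admin,Vote2018!
Donor database,treasurer@example.org,mG4$yB8nRc1&hW6e
"""


def reuse_groups(csv_text):
    """Return lists of account names that share one password.

    Passwords are compared in memory only and never returned or printed.
    """
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["password"]:  # skip entries with no stored password
            by_password[row["password"]].append(row["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def exposed_if_breached(csv_text, breached_account):
    """Other accounts that fall if breached_account's password leaks."""
    for names in reuse_groups(csv_text):
        if breached_account in names:
            return [n for n in names if n != breached_account]
    return []


if __name__ == "__main__":
    for names in reuse_groups(SAMPLE_EXPORT):
        print("Same password on:", ", ".join(names))
    print("If 'Website admin' leaks, also change:",
          ", ".join(exposed_if_breached(SAMPLE_EXPORT, "Website admin")))
```

An export like this holds every password in plain text, so delete the file as soon as the check is done.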
Review who has access to your content
If you have someone managing your Facebook, Twitter, Instagram, or any other social media format, realize that these rules apply to them as well. If they are going to be trusted with your data, you need to make sure their logins and accounts are also safe. The more entry points there are to gain access to your data, the more opportunity for your data to be compromised.
Phones, tablets, and laptops that are mobile should always be secured with a complex password, encrypted file systems on laptops, and remote wipe services enabled. If a device is lost, prepare to change some passwords—but you can save yourself a lot of heartache if you are confident the data on that laptop can’t be easily compromised by someone simply opening it up.
Complex password requirements, like swipe codes or biometrics, can help protect your mobile devices.
In order to secure your devices, also make sure that you have “lock on screen saver” modes turned on, so that if you leave a sitting laptop or tablet somewhere for any amount of time it will lock and require your password to get back in. Leaving a laptop, phone or tablet in the open where someone can pick it up and go through your content is a bad idea, and could quickly expose all of your passwords and security.
Your campaign data is very important. If you don’t have a backup plan, get one. Keep in mind all of the security goals above—if you are just copying your items to an online storage provider like Amazon S3, Dropbox, OneDrive, GDrive or another provider, make sure that you still follow the complex password requirement rules.
Finally, the level of security most miss—if you have an office for your campaign, and any volunteers, make sure computers used by volunteers and others to do data entry, VoteBuilder or other work aren’t authorized and logged in to any of your accounts. The easiest hack possible is when someone opens up a web browser and your accounts are already logged in as active—there’s no hack needed at all. Computers available for use by volunteers in any party or campaign office should NOT be used, if possible, for secure logins to your accounts.
Major campaigns can provide on-premise security to protect equipment left overnight, and they know who goes in and out of their offices. If you are running a smaller campaign, you may not always be aware of who enters your office, hangs out, does volunteer work, or runs your office while you aren’t there. Don’t make it easy for anyone to walk in, sit down, and access your private content.
If security isn’t something you’ve thought about, you need to put it on your list for any campaign going forward. If you have communication with your county, state or campaign groups in your area, remind them to take data security seriously in their campaigns. No matter how big or small the campaign, these tips can be critical advice for their well-being, and even if they weren’t running for office, should be considered good practice.
Don’t always count on your IT staff to bail you out of every problem — and do them a favor by making it less likely you will get into trouble.
For those who tuned in this week for a discussion on the value of TV advertising, don’t worry! We’ll pick that up on February 10. Over the next two weeks, Nuts & Bolts will focus on what’s going on inside the Democratic Party.
Next week on Nuts & Bolts I’ll be in DC for the Rules & Bylaws Meeting for the Unity Reform Commission proposal.