Assessing Risk in a Campaign (5 minute read)

Article author
Betty Fleming
  • Updated

Cyber risk is not stagnant. There are many factors that can increase risk over the course of a campaign. Since not all risks apply equally to every campaign or organization, the most effective way to protect a campaign from cyber attacks is to take a risk management approach.

Effective risk management does not require any special technical skills or knowledge. 

Campaign leadership engages in all kinds of risk management all the time. Maybe it’s managing financial risk. For example, if we staff up now, do we know we can sustain it? Or maybe the candidate's exposure is a risk. You might ask yourself, what are the pros and cons of appearing on a specific television show? 

Cybersecurity is also about risk management and is not so different. It’s keeping the potential for risk in your thought process. It's asking questions about whether doing something increases your risk and how to mitigate that risk.

Cyber risk comes into two varieties: general risks-- the ones every computer user and campaign must contend with, and specific risks--the ones that apply to an individual campaign. DDC’s The Basics for Every Campaign focuses on implementing cybersecurity to address the general risks faced by every campaign, such as protecting account credentials and reducing successful phishing attempts.

Specific risks mean taking your current and future operations and looking at them through the cyber risk lens. It also means building out your cybersecurity efforts by protecting the campaign’s most valuable assets first.

A simple approach to campaign cybersecurity is risk assessment.

You can’t address or mitigate a risk unless you know what it is, so the first step is identifying people, devices, and processes where risk might exist.

You can do that by answering, or tasking someone to answer, these questions:

  • What are the most important technology tools and services that, if compromised or unavailable, would most impact the campaign? These tools might include donation processing, voter data, email, or social media. It doesn't have to be all of these and could be something else as well. The point is, the top assets, the ones you can’t live without, are where you direct attention. You can build it out from there as needed.
  • What and where are the devices we use- phones, computers, printers, software? Knowing  the technology used in the campaign, even if it’s “bring your own device”, is important. For example, if malware was identified on one machine, you’d want to mitigate it on all. 
  • What are the most critical data assets that, if lost, compromised, or had access curtailed, would most hamper operations, be fodder for the media/opposition, or could be seen as a violation of trust by the public? Know where information and data assets—the intellectual property of your campaigns—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored. Know who has access, and limit access only to those who need it.
  • Who are we identifying as being part of the campaign? Do we need to include family members other people close to the candidate, and key consultants? These are potential entry points for bad actors.
  • What kind of activities does staff engage in that change their risk profile? For example, are field staff checking in via unsecured wi-fi connections from coffee shops? Is any campaign work being done on personal email accounts?
  • Does the campaign have third-party risk?  Typically, campaigns use many outside firms. These could be pollsters, media buyers, strategy consultants, digital firms, data firms, or others. If they have access to important campaign information, any risks within their own organization, become a risk to the campaign. Ask them about their cybersecurity, and what forms of account protection they have (some have multifactor authentication that needs to be turned on).

Your campaign is in motion. Risks can change as the campaign process unfolds 

From the moment your candidate announces an intention to run until they take a victory lap, campaigns are in a constant state of change.

Here are some factors that can increase the risk from a cybersecurity perspective:

  • Your candidate and campaign are taking on a well-loved incumbent.  Is your campaign going to have strong opposition even within your own party that may cause people to be upset or try to thwart your effort?
  • Your candidate is from an underrepresented group and your community has a history of hostility toward that group. Are there people who want you to fail and are looking to find ways to sabotage your campaign, distribute false or misinformation about the candidate, or find other ways to embarrass the campaign- such as defacing a website?
  • Your candidate is an incumbent and has recently had to make tough votes or decisions that have evoked strong negative feelings in the community: For example, they voted on a major decision across party lines. Or, in a local or municipal election, voted for large, unpopular budget cuts.
  • Your candidate is in a leadership position that has made them known and unpopular outside your district: For example, your candidate doesn’t have strong opposition in the election, but is Chair of a House Committee that has taken on a tough issue, or conducted an investigation that has raised their national and international profile, and made them a target.

Even winning can increase risk. 

Good news, you have won a primary: During the primary, as one of many, your risk profile was not substantially different. Now you are the candidate and the spotlight is stronger.

It is generally agreed that overall risk increases as election day nears.

Opportunities to impact the outcome of an election increase toward the end of a campaign. For example, changing voter information on website on the eve of the election could send voters to the wrong polling place before the campaign becomes aware of the breach.


Questions to ask

  • Are you now on the national radar as opposed to only local? Now more people are looking at your campaign, your candidate, and the opposition is stronger and more widespread.
  • Does your race have national significance in terms of the balance of power? Will that increase your risk of attack or compromise attempts from outside forces?
  • Is the race a toss-up and any little thing could swing it? Would stealing internal information or bringing down your systems have an outsize influence on the results?
  • Is your staff going to grow substantially in size, maybe with help from the State Party or a National Committee? Bringing on new people quickly is a risk if they’re not properly outfitted with security tools and onboarding to the campaign’s cybersecurity basics.

 Learn more: The 5 Step Approach to Cybersecurity 

How To: How to Prepare for a Cyber Incident

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request



Please sign in to leave a comment.