The ways that people associated with a campaign protect their personal accounts and devices directly impacts cybersecurity of a campaign or an organization.
Campaigns differ from traditional organization in many senses, like how long they exist, and the different ways people connect with the operation. Campaigns have a broad variety of people that they interface with, including staff, volunteers, trusted advisors, the candidate’s family, consultants, third parties, and other vendors.
There is often a thin line between people’s campaign accounts and their personal accounts.
In some cases with volunteers, consultants, and vendors, their personal accounts may be where most or all campaign business gets conducted. And even if staffers and volunteers have an email account provided by the campaign, they may have brought their own device to the campaign.
All of these factors are a cybersecurity challenge for campaigns. Bad actors look for the easiest exploitable route in and will assume that personal security is weaker than campaign security. Therefore, hacking the personal accounts of someone they know is associated with the campaign is natural place to start.
Everyone who is publicly associated with a campaign is at greater risk.
The bad news is that it is unlikely that you can force cybersecurity on people’s personal accounts, so you will have to conduct some education, and perhaps some cajoling, or pleading, to get it done. The good news is that many of the tools you use to make the campaign cyber secure can also be used to secure personal accounts, and most others have no cost.
How people can strengthen cybersecurity on personal accounts:
- Use a passkey and/or security keys: Passkeys can be created for most online accounts, and the same security key you're using to secure your campaign email and social accounts can be used to protect personal accounts as well. This is strongly encouraged. Gmail users can also turn on Advanced Protection Program on their personal accounts.
- Turn on multifactor authentication: Multifactor authentication should be available for most personal email, social, and financial accounts. These core accounts should have the strongest protections available.
- Password managers: Like keys, if a campaign distributed password manager is being used on a personal device for the campaign, it can be used on personal accounts as well. If the campaign doesn’t have or use a stand-alone password manager, encourage the use of strong passwords and the browser-based password managers in Chrome, Edge, and Firefox.
- Protect Social: In addition to strengthening account access through multifactor authentication, people on campaigns need to be careful what they post about the campaign and themselves that might be used to gain access to accounts.
- Keep software up-to-date: Updating software fixes known security issues. So running the most recent version of programs is an important security function. A lot of software updates automatically. Some you need to set up to do so. Use automatic updates where available, and don’t put off manual updates. Phones and tablets are just like any other device. Mobile operating systems and apps should be kept up-to-date as well.
Learn More: Who Needs to be Protected?, DDC's Account Protection Hierarchy
How To: How to Turn on Google APP with your Keys, Protecting Your Facebook Account, Protecting your Instagram, Twitter, and TikTok Accounts
Comments
0 comments
Please sign in to leave a comment.