This article provides a single location where campaigns and high risk users in the political sector can easily find Google offerings to better secure their environment. Its goals are to reduce friction to adoption for campaigns and to improve accessibility.
High risk users require an elevated level of protection for their Google Workspace and personal Gmail accounts. You are a target and high-risk computer user if you:
- Work or volunteer for a campaign
- Work for a vendor that serves campaigns, such as a digital, data, or polling firm
- Are or work for an elected official
- Work for an advocacy organization, a PAC, or a nonprofit engaged in the election process
- Are a family member, friend, or associate of a candidate
Why are you at higher risk than other computer users?
The typical computer user is primarily at risk of cybercrime and attempts to steal money. Cybercrime is serious; however, high risk users additionally face threats from nation states and hacktivists, whose goals extend beyond financial gain. They may seek to interfere in our election process, including campaigns, conduct espionage, and steal and release sensitive information to embarrass candidates or influence the public.
If you are a high risk user and use Google for personal or work purposes, you MUST add precautions and implement protections!
Protect your individual Google/Workspace account:
- Set up a passkey on your Google account (available on Workspace and personal Gmail accounts)
What and why: Passkeys are the strongest form of account authentication that you can use to protect your accounts. Passkeys are phishing-resistant digital credentials that reside on your device and legitimize account access.
More info and how to: https://www.google.com/account/about/passkeys/
Available for: Google personal accounts, Google Workspace users
- Turn on Google Advanced Protection Program (APP) (available on Workspace and personal Gmail accounts)
What and why: Advanced Protection Program is specifically designed to protect high risk users by safeguarding them across the Google platform from targeted online attacks.
More info and how to: https://landing.google.com/advancedprotection/
Available for: Google personal accounts, Google Workspace users
- Note: for Workspace users, their Workspace administrator must have Google APP enabled within the admin settings. Instructions to do so can be found here: https://support.google.com/a/answer/9378687?hl=en&ref_topic=9376233&sjid=13028205987648785957-NC
- Use the Chrome password manager (available on Workspace and personal Gmail accounts)
What and why: The password manager can create and store complex passwords as well as store passkeys for all your accounts. Your login credentials are securely stored in your Google Account, available across all your devices, and easy to manage.
More info and how to: https://support.google.com/chrome/answer/95606?hl=en&co=GENIE.Platform%3DDesktop
- Perform a periodic Security Checkup (available on Workspace and personal Gmail accounts)
What and why: Google Security Checkup is a tool that helps users protect their Google accounts by identifying security issues and providing recommendations for improvement, including checking password strength and devices attached to your account.
More info and how to: https://support.google.com/accounts/answer/12629482?hl=en
- Perform a periodic Privacy Checkup (available on Workspace and personal Gmail accounts)
What and why: A Privacy Checkup lets you choose what types of data are saved to your Google Account, update what you share with friends or make public, review apps you are sharing data with, and adjust the types of ads you would like to be shown.
More info and how to: https://support.google.com/accounts/answer/12629483?hl=en
- Remove personal information from Google search (available on Workspace and personal Gmail accounts)
What and why: Periodically search for yourself and easily request removal of personal information (phone number, email) and bad search result information.
More info and how to: https://support.google.com/websearch/answer/12719076?hl=en
- Turn on Dark web monitoring for personal accounts only
What and why: Set up a profile to monitor the dark web so you can learn if your information has been compromised in a data breach and on the dark web.
More info and how to: https://support.google.com/websearch/answer/15191143?hl=en&co=GENIE.Platform%3DAndroid
- Use a security key (available on Workspace and personal Gmail accounts)
What and why: A physical security key is a small hardware device used for authentication to verify a user's identity when accessing online accounts or systems. It is the strongest method of two factor authentication. Even with the use of passkeys, security keys can play an important role in storing passkeys and aiding account recovery.
More info and how to: https://support.google.com/accounts/answer/6103523?hl=en&co=GENIE.Platform%3DAndroid
- Use federated logins (available on Workspace and personal Gmail accounts)
What and why: A federated login uses your Google account and credentials to “sign in with Google” on other accounts. If you have strengthened your Google account with APP and a passkey, you can use that strong credential across the internet as you log in. The authentication you use with your Google account may be better than that provided by the service provider where you are opening an account.
More info and how to: https://cloud.google.com/architecture/identity/best-practices-for-federating
Top Security Tools for High Risk Organizations Using Google:
Cybersecurity is about understanding your risk and managing it.
If you are an Admin or responsible for operations of an organization on Google Workspace, you need to configure your environment to protect your staff.
Organizations in the political sector are considered to be at high risk. Organizations at high risk in the political sector include:
- Campaigns, and state and local parties
- Advocacy groups
- Vendors to campaigns or political organizations, such as digital firms, payment processors, political tool providers, compliance and legal service providers, and IT providers
- Organizations that recruit and train candidates to run for office
- PACs
- Think tanks
Most organizations are primarily at risk of cybercrime and attempts to steal money. Cybercrime is serious; however, high risk organizations additionally face threats from nation states and hacktivists, whose goals extend beyond financial gain. They may seek to interfere in our election process, including campaigns, conduct espionage, and steal and release sensitive information to embarrass candidates or influence the public.
If you are a high risk organization and use Google for personal or work purposes, you MUST configure your Workspace environment to protect your staff and the organization.
- Enable Advanced Protection Program and strong authentication
What and why: Advanced Protection Program is specifically designed to protect high risk users by safeguarding them across the Google platform from targeted online attacks.
What you need to do: Your users’ access to Google’s Advanced Protection Program is not turned on by default. You need to enable it via settings in the Admin panel of your Workspace.
More info and how to: https://support.google.com/a/answer/9378687?hl=en&ref_topic=9376233&sjid=13028205987648785957-NC
- Project Shield
What and why: Websites in the political sector are major targets of bad actors. Google’s Project Shield is a free service designed to protect websites from attacks, such as Distributed Denial of Service (DDoS) attacks, ensuring they remain accessible. It shields websites from malicious traffic intended to overwhelm servers and make them unavailable. Project Shield also helps serve legitimate traffic spikes, such as increased viewership during election season.
More info and how to: https://projectshield.withgoogle.com/landing
- Use Security Advisor
What and why: Google Workspace's Security Advisor is a set of tools and insights that help businesses improve their security posture. It includes features like threat defense, account security, and data protection.
More info and how to: https://support.google.com/a/answer/14914403
*Only available in Workspace Business edition
- Verify your candidate and claim their knowledge panel
What and why: Verify your candidate’s search results for accuracy, including biographical information.
More info and how to: https://support.google.com/knowledgepanel/answer/7534902?hl=en
- Use a security key (available on Workspace and personal Gmail accounts)
What and why: A physical security key is a small hardware device used for authentication to verify a user's identity when accessing online accounts or systems. It is the strongest method of two factor authentication. Even with the use of passkeys, we encourage the use of security keys for administrators for added protection. They can also aid in account recovery or when remote login is needed. Plus, the same key can be used for multiple services, such as social media and financial accounts.
More info and how to: https://support.google.com/accounts/answer/6103523?hl=en&co=GENIE.Platform%3DAndroid
- Encourage staff to use federated logins
What and why: A federated login allows your staff to use their Google account and credentials to sign in to other accounts. If staff have strengthened their Google account with APP and a passkey, they can use that strong credential by signing in with Google where it is offered by other services. The authentication used by your Google account may be better than that provided by the service provider.
Additionally, federated logins offer other advantages. First, users create fewer logins and passwords for services they use, reducing the potential for compromised accounts at third parties. Second, when a staff member leaves and you disable their Workspace account, you automatically end access to any accounts created on behalf of the organization with their work credentials.
More info and how to: https://cloud.google.com/architecture/identity/best-practices-for-federating