Much like you don’t need to know brain surgery to save someone in an accident, there are easy steps that you and your organization can take to lessen both the chances of a cybersecurity-related incident and the damage if one occurs.
Cybersecurity is too often considered a purely IT-oriented issue when in reality it’s also a training and human resources one.
In fact, some of the biggest vulnerabilities can be solved by having top-down policies and protocols. I should note that in many states, you’re actually required by law to have them.
First, if your organization’s policy is to make basic cybersecurity practices optional, and not a mandatory—and enforced—condition of employment, then you’ll never be adequately secure.
Good policy starts from the top and must be treated similarly to sexual harassment training. You can’t assume your staff, vendors, or consultants know how to conduct themselves in a secure way, and even if they do, that they’ll take the time to do what you’re asking. Your organization’s rules must be codified and understood and agreed to, and someone needs to be responsible for compliance. Moreover, there needs to be a channel for management to react to incidents.
Everyone who has access to important or private information should understand, and agree to, at least these basics:
- To use two-factor authentication on any email account where political business is discussed, and on social media accounts.
- To use complex passwords and an encrypted password manager.
- To use a VPN (virtual private network) whenever on public Wi-Fi, or to avoid public Wi-Fi entirely.
- To have anti-virus software on their computers.
- To keep the operating system and software on every device they use updated.
- To keep older data offline and securely stored.
- To avoid using the same devices for work and personal use, and where that can’t be avoided, use the same security settings for personal accounts as are required for campaign ones.
- To delete, or archive in cold storage, anything non-essential to the work you’re doing (or anything potentially embarrassing).
- To immediately notify a superior of any irregularities, loss of devices, or known incidents.
Organizations themselves must have their own protocols in place, including:
- To revoke access when someone is fired or leaves.
- To close accounts and archive old data when the campaign ends.
- To update website security and plug-ins.
- To have an incident response plan in case of a problem.
- To educate and train new incoming staff and volunteers.
- To understand their current security status.
- To have someone dedicated on staff who’s responsible for reporting on (and aiding with) your staff’s compliance.
- To impose these and other key standards on your vendors.
That last bullet is of particular importance: It’s likely that only a small minority of even your tech-savvy people are currently taking cybersecurity seriously, and some of the rest are making potentially disastrous decisions that could affect your campaigns (or the ones you’re supporting).
These can’t be “recommendations” or “best practices.” They need to be part of doing business.
One political party we worked with took these recommendations to heart. We helped them understand their issues and how to solve them, and they made a top-down commitment to change. In only a few short weeks, they instituted new standards of security up and down the organization. And if there ever is an issue, they’ll know better how to react and what to do.
If you do have an incident, take it seriously—particularly if there might be a potential breach of credit card numbers, social security numbers, or user names/passwords.
Don’t assume you know the scope of the breach. You’ll immediately want to talk to an experienced cybersecurity attorney and a forensics team to figure out both the extent of the breach and the potential legal liabilities. (Don’t just restore from backups! You’ll overwrite the logs, which may be evidence, and the backups may be corrupted, too.)
As you might imagine, the cost of these teams can be much higher than the cost of training your staff and instituting protocols.
Most of these policies and procedures would be part of what’s called a Written Incident Response Plan (a WISP), which is also expected to be part of the reasonable precautions most states require.
In the end, if you’re not addressing the human resources aspect of cybersecurity, you’ll have trouble implementing even the most basic technical ones.
By Brian Franklin
Also published in Campaigns & Elections