Welcome back, Saturday Campaign D-I-Y’ers! For those who tune in, welcome to the Nuts & Bolts of a Democratic campaign. Each week, we discuss issues that help drive successful campaigns. If you’ve missed prior diaries, please visit our group or follow Nuts & Bolts Guide.
It’s not often that I change track on Nuts & Bolts. I normally plan about 2-3 weeks ahead for our subject matter, and this week was scheduled to be a discussion of the expenses related to TV and how we evaluate cost. However, since last Saturday, one topic has dominated a lot of the campaign discussion I’ve been involved in: the role of data security. With multiple campaigns reporting frequent attempts to hack their Twitter/Facebook and email, including successful hack attempts of sitting elected officials in a few states, now may be the time to address the role of data security in all of your activities.
If you’re running a campaign or advocating for policy in a state house, and you haven’t thought about data security, now is the time to start.
What risk is there, really?
Too many campaigns say to themselves: look, why bother going in with complex passwords, device security and other tools in my campaign? I’m only running for office XYZ, not the presidency! The world, however, is a very different place. Candidates and elected officials at all levels, from school board, state house and state senate, as well as congressional candidates, have all found themselves to be targets of hack attempts. In the last few weeks, as an example, someone has more than once made an effort to hack social media feeds I’m connected to, for myself or others.
What exactly is at risk? Political campaigns keep a lot of data in their social media and email accounts, whether it is direct communication with voters and donors or internal messaging about the state of your campaign. As a result, making sure that you are using at least some basic security in your campaign is very important.
Passwords, MFA and secure hosts
If you haven’t already, one of the first steps you should commit to is multi-factor authentication. Securing your Facebook, Twitter, and email with multi-factor authentication makes hacking your accounts much more difficult.
Within Twitter, account security also allows for login verification. What does multi-factor password security mean? It means a login on one device, even with the correct password, is not automatically verified unless the user signals it is “OK,” normally using a mobile phone and either a code presented by text message or an on-phone application. This is the most secure method, by far. It means that in order to crack your account, someone would need not just your password, but also your mobile phone or a SIM card with its number.
Email is, of course, the source of more data breaches and potentially dangerous hack attempts. Keep these rules in mind:
- Your passwords should be complex or generated through an outside app.
- Your email host should provide for multi-factor authentication: Gmail, Yahoo, Office365 all offer this as a feature.
- AVOID putting any sensitive data of any sort in an insecure POP3/IMAP host. If you get free email with your hosted WordPress or website, think carefully about using it. Moving your email to a secured provider is often the right move.
Your best advice is always to use different passwords for every item on your list. Users frequently use the same clever password over and over and over again. This means that if one password on one website is compromised, a large group of other passwords is compromised. To help simplify this process, most IT professionals, including the staff at Daily Kos, recommend in-browser or on-PC/Mac tools that keep track of your passwords and help secure them, such as applications from companies like Symantec, Dashlane, and LastPass. These will all generate and store complex passwords for all of your applications and use multi-factor authentication to secure them, often with biometrics and secondary apps if your phone supports those tools.
Review who has access to your content
If you have someone managing your Facebook, Twitter, Instagram, or any other social media format, realize that these rules apply to them as well. If they are going to be trusted with your data, you need to make sure their logins and accounts are also safe. The more entry points there are to gain access to your data, the more opportunity for your data to be compromised.
Mobile devices
Phones, tablets, and laptops that are mobile should always be secured with a complex password, with encrypted file systems on laptops and remote wipe services enabled. If a device is lost, prepare to change some passwords, but you can save yourself a lot of heartache if you are confident the data on that laptop can’t be easily compromised by someone simply opening it up.
Complex password requirements, like swipe codes or biometrics, can help protect your mobile devices.
In order to secure your devices, also make sure that you have “lock on screen saver” modes turned on, so that if you leave a sitting laptop or tablet somewhere for any amount of time it will lock and require your password to get back in. Leaving a laptop, phone or tablet in the open where someone can pick it up and go through your content is a bad idea, and could quickly expose all of your passwords and security.
Backups
Your campaign data is very important. If you don’t have a backup plan, get one. Keep in mind all of the security goals above: if you are just copying your items to an online storage provider like Amazon S3, Dropbox, OneDrive, GDrive or another provider, make sure that you still follow the complex password requirement rules.
Local Access
Finally, the level of security most miss: if you have an office for your campaign, and any volunteers, make sure computers used by volunteers and others to do data entry, VoteBuilder or other work aren’t authorized and logged into any of your accounts. The easiest hack possible is when someone opens up a web browser and your accounts are already logged in as active; there’s no hack needed at all. Computers available for use by volunteers in any party or campaign office should NOT be used, if possible, for secure logins to your accounts.
Major campaigns can provide on-premise security to protect equipment left overnight, and they know who goes in and out of your office. If you are running a smaller campaign, you may not always be aware of who enters your office, hangs out, does volunteer work, or runs your office while you aren’t there. Don’t make it easy for anyone to walk in, sit down, and access your private content.
Final thoughts
If security isn’t something you’ve thought about, you need to put it on your list for any campaign going forward. If you have communication with your county, state or campaign groups in your area, remind them to take data security seriously in their campaign. No matter how big or small the campaign, these tips can be critical advice for their well-being, and should be considered good practice even by those who aren’t running for office.
Don’t always count on your IT staff to bail you out of every problem — and do them a favor by making it less likely you will get into trouble.
For those who tuned in this week for a discussion on the value of TV advertising, don’t worry! We’ll pick that up on February 10. Over the next two weeks, Nuts & Bolts will focus on what’s going on inside the Democratic Party.
Next week on Nuts & Bolts I’ll be in DC for the Rules & Bylaws Meeting for the Unity Reform Commission proposal.
Sunday, Jan 14, 2018 · 4:52:17 PM +00:00 · Chris Reeves
A minor update:
A minor update on this diary. Of course, we are going to have disputes on what creates great data security. For the record, in my day job before Daily Kos, I worked as Technology Director and IT CoS for two different multi-national entities, have been in IT management in companies with thousands of employees and contractors, and work frequently as an outside consultant for data management. This diary, though, reflects not just my opinion. Nuts & Bolts, every entry, is assembled through the feedback of several others. In the case of this week, that includes IT professionals from data security firms, IT staff at Daily Kos, as well as IT Security Professionals. While there are always going to be different opinions, we have to realize the most important element of Data Security is to recommend steps which can actually be completed by those who are receiving the advice. There is no “perfect” security step, but there is as perfect as can be maintained by the end user. Traditionally, recommendations which cannot be implemented by a user for cost or functional concerns leave a user doing nothing, or putting forward a truly bad solution.
If you and your campaign could afford an IT department to handle localized data security and a mobile device integration strategy, then the advice would certainly be different. However, most campaigns are small budget, and advice needs to deal with the real-world application. Realize, users will come to you who already have established their social media and email accounts, and they will not abandon them for short term campaigns; even if they did, the data for years of use will remain there, so asking for security to be applied to them as available is prudent, and far more likely, than asking users to abandon their current platforms at every small campaign.
Nuts & Bolts: Building Democratic Campaigns
Contact the Daily Kos group Nuts and Bolts by kosmail (members of Daily Kos only). You can also follow me on twitter: @tmservo433
Every Saturday this group will chronicle the ins and outs of campaigns, small and large. Issues to be covered: Campaign Staffing, Fundraising, Canvass, Field Work, Data Services, Earned Media, Spending and Budget Practices, How to Keep Your Mental Health, and on the last Saturday of the month: “Don’t Do This!” a diary on how you can learn from the mistakes of campaigns in the past.