In less than one week, the campaign will be over. Your months of hard work have hopefully led to a victory for your candidate. Win or lose, your staff will soon be departing, and the campaign will be on hiatus or closing down.
Cybersecurity doesn’t end on Election Day. You want to be sure your campaign’s digital assets are secure and not left open to abuse. Regardless if your candidate is running again, there are valuable data and assets to protect. The following will help keep the campaign secure:
Secure and store credentials (logins and passwords) to key accounts and services: Many campaigns have staff quickly leave once election day passes. They may have created accounts on behalf of the campaign during their tenure. Someone like the campaign manager might be the admin on the Workspace or M365 platforms. These credentials will be critical to new staff when the campaign reboots for the next election. Make sure someone who will remain around the candidate–a permanent staffer, counsel, or family member–has access to those credentials and changes account ownership as needed. Some password managers have vault options for storing passwords that need to be shared later
Manage the digital departure of people: Deleting accounts no longer in use is a critical cybersecurity function. Dormant accounts are a common attack vector for bad actors. It’s easy for them to fly under the radar inside your system if they have accessed an account that exists but is no longer used. Depending on the platforms you use, there may be ways to share or automatically move files staff have created to an existing user or store in a shared drive.
Secure the website between campaigns: Out of site shouldn’t be out of mind when it comes to your website. Periodic monitoring for content changes should be conducted. Additionally, be sure that campaign domains are renewed so they can’t be taken over by someone else, and ensure security certificates (https) are up-to-date. Any people who no longer need access to the content management system should be removed from the site. Finally, if your website is not protected from DDoS attacks, you should implement Cloudflare or Project Shield from Google. If your website has names of staffers and contact information that are no longer working, delete those as well.
Remove access to social media: Throughout the campaign, you may have granted access to a candidate's or campaign's social media presence. This could include staff who are posting and responding and ad buying privileges. Revoke all privileges for all that are no longer needed. Change passwords on the accounts as needed as well.
Remove campaign data from personal devices: Most campaigns are “bring your own device” (BYOD). As staffers or key volunteers leave your campaign, they may have valuable and sensitive information on those devices. Purging them and any app access they may have will prevent any data leakage post-election.
Purge: Campaigns amass reams of data some of which can be highly personal in nature or considered personally identifying information, including personnel information. Delete all unneeded files containing sensitive information or give them to someone else, like an attorney for the campaign or another trusted entity, for safekeeping until the next campaign
If you want to stay up to speed on cybersecurity, subscribe to our newsletter. During the off-season, our newsletter frequency is about once per month with possibly an announcement or two in between.
If you have taken advantage of any free services from DDC, such as Cloudflare, be on the lookout for an email about how those services are maintained between election cycles.