Core Protections for Every Campaign

Cybersecurity is not about protecting against every possible thing that can happen. You build your cybersecurity posture by starting with what is most likely to happen and with your most valuable data, and by mitigating the vulnerabilities bad actors attempt to exploit.

In other words, you focus on what we at DDC call the core protections: the minimum cybersecurity measures every campaign MUST implement to avoid disruptions that prevent you from doing what you do best, campaigning.

We have laid out for you the why, what and how of implementing core cybersecurity protections in the political sector. Getting to “core,” as we like to say, is neither time-consuming nor expensive.

In fact, there are no technical or monetary barriers to implementing these protections. These are the core protections:


Core Protection #1: Protect Accounts

The Why: Unauthorized access to accounts is the primary online threat everyone faces. Campaigns and political organizations are most likely to be compromised by attackers attempting to steal credentials through phishing or other hacking techniques. They seek to compromise organizations in order to steal sensitive information, whether to leak it or for espionage, or to steal money.

The What: People and organizations in the political sector must avail themselves of the strongest multi-factor authentication available, protecting all primary accounts: email, cloud, social, financial. This means fortifying logins with more than just a password or a code sent to a phone or via email.

The How: It’s actually quite easy to harden accounts with strong multi-factor authentication. Passkeys, a digital credential now widely available, are the strongest account security available. Passkeys reside on a device and grant account access, without a password, once you have gained access to the device using a biometric or password. Passkeys can’t be stolen or copied and are available on most major platforms, including Google and Microsoft. Security keys are also highly recommended. They are physical devices that plug into a PC or phone and act in a similar fashion to a passkey. One key can be used on multiple services.

Supersize your security: Google and Microsoft both provide heightened security for high-risk users in the political space. Google offers an Advanced Protection Program. Microsoft offers AccountGuard. Both are FREE and offer enhanced protections from phishing.

Watch our Director of Onboarding explain how simple it is to turn on passkeys for Google and Microsoft:



Core Protection #2: Protect Websites


The Why: Because of their importance to campaigns and organizations and the ease with which bad actors can launch attacks, websites are in the crosshairs. If a site can be taken down, defaced, or have its content changed, it will be a public event that could result in donations not being processed, reputational harm to a candidate or organization, or the proliferation of disinformation. The most common website cyber incident is a Distributed Denial of Service (DDoS) attack, which uses bots (armies of infected machines) to overwhelm sites and make them inaccessible. In other attacks, bad actors gain access through weak or stolen credentials to change the website content.

The What: Websites need to be protected from DDoS attacks, and strong multi-factor authentication must be used on all accounts that have access to content management systems and website administration.

The How: Cloudflare offers free DDoS protection for any website, and Google’s Project Shield provides free DDoS protection to websites of high-risk organizations, including campaigns. Check out DDC’s Knowledge Base for information on how to apply for Project Shield.

What DDC Offers for FREE for Eligible Campaigns: Campaigns can get Cloudflare for Campaigns, a business version of the product with increased protections, customer support and other services, and assistance from DDC getting their Cloudflare account set up.


Core Protection #3: Protect Inbound and Outbound Email

The Why: Email has always been a primary target for attacking organizations via phishing. Additionally, bad actors seek to exploit the reputation of campaigns and organizations and their relationships with supporters by spoofing and impersonating them to steal money and gain account access.

The What: Campaigns, committees and political organizations need to protect the inboxes of their staff and authenticate the emails they send in order to prevent phishing and to keep bad actors from impersonating the campaign or organization.

The How: Protecting from phishing starts with strong account security (Core Protection #1) that makes it difficult, if not nearly impossible, to steal credentials. Protecting campaign domains from being spoofed or impersonated is achieved through implementing DMARC, an email authentication standard, and ensuring the services you use to send email are properly configured. You can easily check your DMARC status here. Valimail also has a free DMARC tool for anyone.
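
What a DMARC status check looks at, as an added example that is not DDC's or Valimail's code: it grades the TXT records published at _dmarc.<your domain>, from no protection through monitoring-only to full enforcement. The function names and all sample records are constructed for illustration.

```python
# Added example: grade the TXT records found at _dmarc.<domain>.
# parse_dmarc/assess and all sample records are constructed for illustration.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.append((name.strip(), value.strip()))
    # A DMARC record must start with the version tag v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def assess(txt_records):
    """Return (status, findings) for the TXT records published at _dmarc.<domain>."""
    found = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not found:
        return "unprotected", ["no DMARC record published"]
    if len(found) > 1:
        # Receivers cannot choose between several records, so none is applied.
        return "unprotected", ["multiple DMARC records published"]
    rec = found[0]
    policy = rec.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "unprotected", ["missing or invalid p= tag"]
    pct = int(rec["pct"]) if rec.get("pct", "").isdigit() else 100
    findings = []
    if "rua" not in rec:
        findings.append("no rua= address, so no aggregate reports are received")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
        return "partial", findings
    return "enforced", findings

SAMPLES = {  # constructed records, not real DNS data
    "no-dmarc.example": ["v=spf1 include:_spf.example.net -all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:d@rollout.example"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *assess(records))
```

To grade a real domain, pass assess() the TXT strings returned by a DNS lookup of _dmarc.<your domain>; only the "enforced" result means receivers are told to quarantine or reject all mail that fails authentication.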

What DDC Offers for FREE for Eligible Campaigns: Valimail for Campaigns helps you get your DMARC and sending services properly configured to protect your domain and improve deliverability. DDC’s onboarding assistance can help you get the services you use to send email properly configured.

Cloudflare’s Email Security or Sublime Security helps campaigns and committees protect against phishing attempts.


These are the core and minimum protections every campaign and committee should adopt. Some campaigns face or may experience higher risks in other areas, such as on social media or mobile devices. DDC has products to help address those risks too. Feel free to book a consultation with our onboarding team to discuss your concerns and needs. Reach out anytime at info@defendcampaigns.org.

Check DDC’s campaign eligibility page to find out whether your campaign is eligible to receive free DDC tools.