
7 essential cybersecurity steps to secure your campaign online

October is cybersecurity month and it’s the perfect time to ensure your campaign has the right digital defense surrounding your team’s operations. From strong authentication to fostering a culture of security, discover the seven actionable strategies to help protect your team's operations and maintain voters' trust.

September 26, 2024
10 min read

In today’s day and age, the integrity of elections relies on robust cybersecurity measures, and the landscape of protections can seem confusing and hard to manage. That’s why we teamed up with Defending Digital Campaigns (DDC). DDC is a non-aligned, non-partisan, non-profit organization providing eligible campaigns with free cybersecurity tools, supplied by the nation’s leading technology companies, to help them combat the most significant threats they face. We’ve outlined seven indispensable steps every political campaign and its entire staff must take to fortify their online protections.

Whether you’re just getting started or are looking for tactics to add onto your cybersecurity efforts, these action-oriented steps will help your team build a strong defense. 

1. Equip your team with strong authentication

When it comes to cybersecurity, strong authentication is the foundation of any effective defense strategy. If you focus on just one thing, this should be it. Cybersecurity is all about managing risk, and the riskiest accounts need the highest levels of protection.

Start by identifying your most critical accounts—those that, if compromised, could cause your campaign the most damage. These might include your campaign’s social media accounts, financial systems, and email accounts. Once identified, ensure these accounts are protected with Multi-Factor Authentication (MFA).

Understanding MFA:
MFA is all about using different types of factors to confirm your identity. There are three key types of factors:

  • Something you know: This is typically something like your password or an SMS text.
  • Something you have: This could be a security key, a device like your smartphone, or even a passkey.
  • Something you are: This could be something like your fingerprint or facial recognition, which is becoming more and more common, especially on mobile devices.

Different Levels of Protection:
Not all authentication methods are created equal. For example:

  • Passwords are not very strong and can easily be compromised.
  • SMS and voice text codes are better but still vulnerable, especially if an attacker has already compromised your email or phone.
  • Authenticator apps provide temporary, time-based one-time passwords (TOTP), which are more secure because they are tied to a device and expire.
  • Mobile push notifications ask you to confirm whether or not you signed in on a device. You can accept or deny the login from your phone. This method leverages the “something you have” factor, adding an additional layer of security.
  • Passkeys and physical security keys are the gold standard for authentication, particularly for your main accounts. These physical devices or software-based keys are designed to make unauthorized access nearly impossible.

Implementing strong authentication isn't just about protecting your campaign's data but also about ensuring the legitimacy of your operations and maintaining the trust of your supporters.

2. Harness the power of password managers

Political campaigns undoubtedly work in fast-moving environments. As the cybersecurity landscape evolves, we're moving towards a safe and passwordless future. In the meantime, secure technologies like password managers help your team move quickly through otherwise bulky login processes.

Password Managers: Built-in browser password managers, like those in Chrome or Edge, are secure, encrypted, and commonly integrated with passkey support. You can also see password managers incorporating key factors like “something you are” with biometric data like a fingerprint. Everyone on your team should be using a password manager.

By adopting this step you can significantly enhance your election system’s online security and bolster your protection of sensitive information.

3. Fortify your website protections 

Your website is more than just a public-facing presence; it’s the forefront of your campaign. It’s where supporters get their information, volunteers get involved, and voters learn how to get out the vote. Because of its importance, your website needs to be protected from a range of cyber threats and malware.

Defacements can be uniquely damaging. Imagine an attacker altering or completely changing your campaign’s website to spread disinformation or post objectionable content. This could confuse your supporters, undermine your messaging, and even impact voter turnout.

DDoS (Distributed Denial of Service) attacks flood your website with an overwhelming amount of traffic, often generated by bots, which also ruins your traffic data and can make your website inaccessible to your new and existing supporters.

To protect against these threats, consider the following:

  • NationBuilder Website Hosting: The choice of hosting provider is crucial. Website hosts, like NationBuilder, offer built-in security features and reduce the burden of maintenance and updates. They ensure robust protection against DDoS attacks by partnering with Cloudflare, providing an extra layer of security by helping to maintain uptime and guarding against malicious traffic.
  • Cloudflare: Offers free DDoS protections that are accessible to any website. For campaigns and organizations, Cloudflare provides heightened security measures, including advanced protection against large-scale attacks.
  • Google’s Project Shield: Available to certain eligible organizations, provides DDoS protection along with various security tools. It’s designed to safeguard websites from malicious attacks and is a valuable resource for many.

Be sure to involve your website development team to ensure your website is equipped with the protections your campaign needs. By incorporating these tools and services, you can reduce the risk of website disruptions significantly and keep your online presence secure.

4. Ensure secure communications

Keeping communication secure is critical for political and advocacy campaigns. From collaborating with your team to connecting with supporters, protecting your communications prevents leaks and maintains the trust you’ve built with your voters. 

Implement DMARC for email security: A critical step in authenticating your campaign’s email domain is using DMARC (Domain-based Message Authentication, Reporting & Conformance), which helps prevent your domain from being imitated and used in phishing attacks. Without this step in your plans for secure communications, major email providers like Google or Yahoo may mark your communications as spam, or worse, not deliver them at all. For NationBuilder customers, DMARC is automatically offered for your domain.

Encrypted Communication Tools: To ensure your conversations are secure, use encrypted apps like Signal or Wickr. These tools scramble messages between senders and receivers, making it more challenging for anyone else to access your information.

Establish Clear Policies: From the jump, you need to ensure your team understands the expectations and policies around securing these channels, even if it’s not formally documented. Not every piece of information needs to be encrypted, but sensitive data like personal information or confidential campaign tactics should always be handled with caution. For example, you wouldn’t want to send donor information via email. Instead, you should utilize encrypted messaging apps to ensure that information remains secure.

Luckily for NationBuilder customers, secure communication is a part of your campaign package. NationBuilder ensures all supporter data and campaign activities are safe. However, your team’s communications may happen outside of our software. In this case, relying on encryption tools like Signal will support your efforts to keep your conversations confidential. 

5. Protect shared accounts wisely

Shared accounts have become increasingly common, especially for political and advocacy campaigns. This can include things like email addresses or social media accounts where various team members may need access. While these accounts may be necessary for your operations, they also open the door to security risks. Here’s how you can protect your shared accounts wisely:

Use only when necessary: Shared accounts should only be used when necessary. For example, your team may require an info email for your processes. But whenever possible, each person who needs access should have their own secure login. 

Strengthen your security: For all of your shared accounts, be sure to use the strongest authentication processes possible. Passkeys and security keys are a great solution but you also must ensure that good password practices are in place as well. This is essential as shared accounts increase the number of entry points where cyber criminals could potentially access your information. 

Manage Access: Leverage digital tools that offer management of shared content without needing to share login information. Tools like NationBuilder allow for political and advocacy campaigns to distribute leadership around website, communications, fundraising, advocacy, and your people management features with individual accounts. This way, teams can share responsibility without needing to share credentials. 

Granular Permissions: Tools like NationBuilder offer options when setting permissions so that each role has only the access that makes sense for it. This means you can dictate what level of access each individual team member takes on, which mitigates unnecessary risk.

Regularly Review and Update Access: You can regularly review and update your team’s access to the various controls within your campaign. This is a basic practice your campaign should use whenever team members move on from your campaign or change roles, so that your permissions stay as up to date and secure as possible.

While there are still risks around sharing accounts, leveraging these practices will help minimize them and better protect your campaign's communications and data.

6. Prepare for cyber incidents 

While no campaign wants to have to prepare for cyber incidents, the best time to prepare is before one happens. In 2024, your campaign may be judged more on how you handle a breach in security than on the incident itself. Here’s how you can be prepared:

Plan ahead: As you can imagine, the worst time to prepare for a cyber incident is when one is occurring. Your team needs to have an established plan ahead of time that includes established leaders, IT, any vendors you’re using, and even your legal counsel. Having a plan of who is responsible for what is going to make all the difference in handling an incident efficiently.

Continuity of operations: Especially during critical windows in your campaign, when cyber incidents are most likely to occur, you need to have a plan that allows your team to continue operations as normally as possible. For example, if your website is compromised, do you have alternatives or backup operations available? Make sure to add this step into your preparations ahead of time.

Legal considerations: When cyber incidents happen, they are often paired with data breaches. Many, if not most, states have laws that require you to notify an individual when their data has been compromised. If your campaign is working across state lines, you would need to work with the state where the individual impacted resides. This is where many leverage their legal counsel to ensure your team has a voice that understands various regulations and can lead you through the case of a cyber incident.

7. Foster a Culture of Cybersecurity

In order to protect your political or advocacy campaign, you need to foster a fortified culture of cybersecurity. Here’s how you can make it a priority for your entire operation: 

  1. Connect cybersecurity to success: People don’t work in the political sector for big paychecks. They do it because they support the candidate or the cause and the work that you're trying to achieve. It is your job to ensure that cybersecurity is directly tied to the success of your campaign and your supporters so that you all get the opportunity to achieve your goals together.
  2. Set clear expectations: From the beginning of your campaign, it is essential that you communicate the importance of cybersecurity. From formal policies to choices to everyday conversations, ensure your team understands what you expect from them. For example, if your team would like your volunteers to utilize security keys, you need to talk to them so they can understand how to use them and why it is so important.
  3. Provide practical training: As you have volunteers and supporters joining your campaign, it’s essential that you provide training to your team to ensure they understand your expectations. Cybersecurity training doesn’t have to be formal; it can be done as a group, through virtual presentations, one on one in onboarding, etc. The key is to ensure everyone leaves the training with a clear understanding of how to leverage the tools you have in place.
  4. Foster an open environment: No one wants to be responsible for a cyber incident. However, it happens, and it is your job to ensure that you have a safe environment where anyone can report that they’ve breached your cybersecurity precautions. Be sure to create a blame-free environment so that you can efficiently handle a potential cyber incident, without the fear of anyone getting in trouble.
  5. Encourage asking questions: There are no dumb questions when it comes to securing your operations. Your campaign should foster an environment where anyone feels comfortable to ask any question, ask for clarification, or ask for help. Whether a leader is unsure how to spot a phishing email or where to keep their security key, all questions should be welcomed to ensure everyone stays secure. 

Taking these seven essential cybersecurity steps protects your operations and the trust of your electorate. At NationBuilder we understand the critical importance of securing your campaign online. That’s why we built our software to meet the unique challenges that political and advocacy campaigns face, to ensure all data is protected and safe every step of the way. Connect with our team at a live demo to witness firsthand how you can fortify the practice of secure campaign operations, or get started with a free trial today. Whether your campaign is just getting started or you’re looking to enhance your practices, we’re here to support your efforts.


Erica Rissi

Hi, I'm Erica! 👋🏼 I am NationBuilder's Community Manager! I work towards building, growing, and managing NationBuilder’s online communities. Keep up with me by following NationBuilder across our various social media platforms 🎉