Protected Voices: Information Security (InfoSec)

The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including InfoSec, to help mitigate the risk of cyber influence operations targeting U.S. elections.

Video Transcript

Hi, I’m Jason, a special agent with the FBI.

Information Security is the protection of your data. When we refer to InfoSec, we’re also referencing your policy detailing responsibilities and expectations of your campaign’s employees.

Humans are almost always the weakest link in any computer network. Even the strongest security measures can be rendered useless when users don’t follow good InfoSec practices. However, with proper training and a well-written policy, your network’s users can be your best allies in securing your campaign against cyber attacks.  

Information security is not just a policy; it’s a mindset.

One of the best ways to foster an InfoSec mindset is to train all campaign personnel on cybersecurity standards, with a high expectation that those standards will be followed. Your cybersecurity standards should include the fundamentals discussed in other videos within this series, such as not opening attachments from unknown senders. Training should be ongoing and evolving, both to refresh your employees’ awareness and to build on previous information to address new threats. Whenever you offer training on any topic to campaign employees, try to add InfoSec tips, too. 

A well-written policy makes your InfoSec standards clear and objective. No one in a campaign should have to guess what to do when confronted with a potential cybersecurity issue. All campaign personnel, especially new arrivals, should be given access to your campaign’s comprehensive InfoSec policy. Is your InfoSec policy easy to find? Do your campaign coworkers know whom to contact for help with a cybersecurity issue? If you haven’t already done so, consider creating a marketing tool to tell campaign staff where to find your InfoSec policy and whom to contact with questions.  You could also add a few InfoSec tidbits to that marketing tool.

Every person who works or volunteers for the campaign has to protect the campaign’s mission. Senior campaign personnel should be mentors and leaders in nurturing an InfoSec culture; they should show, by their personal involvement in infoSec training, that such training is critical for securing the campaign’s networks and activities. For campaign staffers with more sensitive roles—such as press liaisons, senior officials or those with elevated network privileges—you might provide extra training about cybersecurity issues specific to those roles. You should also more closely scrutinize those staffers by reviewing their cybersecurity practices, their security settings, and events on their networks for any accounts they manage.  

Remember that good infoSec practices are important not only for campaign-related accounts and equipment, but also for your staff members’ personal accounts and equipment, because attackers might try to infiltrate the personal accounts and devices of people related to a political campaign. 

Another way to emphasize InfoSec best practices is to involve your campaign personnel in defining and improving those practices. Campaign personnel should know how and with whom to share their ideas about better InfoSec. Openly praise your coworkers’ InfoSec efforts and reiterate how those efforts are protecting your campaign’s mission.

Define what information is sensitive for your campaign, and establish clear rules for handling and accessing it. Handling rules should include setting up secure channels of communication and delivery, such as encrypted messaging and media extensions.

When you’re hiring a new staff member for the campaign, ask that person about their InfoSec experience, and assess their InfoSec mindset as part of your interview of him or her. Are your new hires aware of social engineering techniques? Might your new staffers be presenting any sort of insider threat to the campaign? The onboarding process for new staff members is an excellent time to introduce newcomers to your InfoSec mindset and set your expectations of compliance.

Another great way to reinforce and assess your campaign’s InfoSec culture is to test your campaign personnel. Consider sending a simulated phishing or social engineering attack, assess your staffers’ responses, and provide feedback to them. During your periodic group training, discuss the overall results of these exercises, and share your accolades for strong group or individual performance.

Your campaign’s personnel can be your greatest InfoSec assets or weaknesses. Without the cooperation and support of your campaign personnel, none of the other measures you put in place will be effective. Building a strong culture of InfoSec compliance and improvement is key to keeping your personnel engaged as allies in securing your campaign.

Remember, your voice matters, so protect it.

Video Download

Video Source