Lock It Down: 6 Things Your Org Can Do Right Now to Boost Technology Security
The security of technology infrastructure for the progressive movement has unfortunately been in the news recently due to the Russian government’s apparent hacks into the DNC, DCCC, and other organizations. Private communications have been pushed into the public eye, and personal data has been exposed. For a generation that sees email more like a phone call and less like a letter, this means the whole world has access to un-contextualized “sausage-making” communication that doesn’t paint a complete picture. Needless to say, organizations are asking themselves what they can do to protect themselves.
Below are 6 things your organization can do right now to improve your technology security. If you have specific questions or thoughts that you want to discuss privately, please feel free to email me directly at mike@mikesager.net.
- Use a Hosted Email System With a Professional Security Team Like Google Apps or Microsoft Office 365
Both Microsoft and Google invest a substantial amount of money into securing their products, and both have warnings if state actors attempt to breach accounts. Extremely important is that both apps support two-factor authentication, which helps prevent individual staff accounts from being compromised. Additionally, the anti-virus and anti-spam functionality in these services will scan files that are sent via email, and prevent your staff from downloading malicious documents that could compromise your system (see item 4). Finally, because the actual data is hosted outside your servers, a network intrusion is far less likely to be able to capture your full mail store.
2. Hire a CTO
Technology needs to be treated as a vital part of your organization, not an after-thought. The best way to do this is have someone at the senior leadership level who’s sole role is to make sure that infrastructure is in working order. They’re going to need some budget, and they need to be fully plugged into the organization so the should be part of the leadership team. The benefit is by getting your infrastructure humming, your org is far less likely to fall victim to a crippling attack; whether that’s ransomware, unauthorized access, or a state actor. A CTO will ensure a secure technology strategy. (Note: I can help you find one.)
3. Run EVERY Update for Windows, OSX, iOS, and Office
Yeah yeah, updates are annoying. The pop up and make you reboot when you’re in the middle of something. STOP COMPLAINING. Updates often times are patching known security vulnerabilities.
Better yet, have a managed IT infrastructure where your CTO or IT Director maintains updates and builds for all the computers in your organization. This means they buy the same computers, negotiate bulk pricing, and ensure that every machine is kept up to date.
4. Don’t Use Macros on Office Documents, and Disable Office From Using Them
Macros on Office documents is a giant security hole. It’s basically a window for anyone with a nefarious purpose to download code to your machine and execute it while bypassing most of your security. You will save yourself a substantial amount of headache if you use your domain’s policies to prohibit this.
5. Don’t Make Your Security Requirements So Onerous That Users Create Their Own Systems
Now that I’ve outlined all these things you need to do to lock up your systems, don’t go so overboard that it becomes unusable. If your users decide that your email system is too difficult to use, they’ll just start using their GMail accounts. If your users decide that your file sharing application is terrible, they’ll make their own Dropbox. If your users don’t like the restrictions your CRM puts in place on handling data, they’ll just use Google Docs. If your users can’t install their favorite web browser or do what they need to do on the computer you assign them, they’ll start bringing in their own computer. In some cases, this is not the end of the world, but it means that instead of securing one point of vulnerability you’re now at the mercy of each of your individual team member’s technology security abilities. If that team member is an experienced technologist, not a big deal. If that team member is a self-proclaimed luddite who just wants to use Chrome because that’s what they know, you’re setting yourself up for trouble if you don’t let them.
6. Make Sure Everyone Has Their Own Accounts
The shared credential and password is the scourge of technology security. It’s a great way to ensure that you have no idea who has access to your files and systems. Make sure each person on your team has their own account on any systems and services you use, and take advantage of those systems sharing features. That way, if a single account is compromised not every single user is compromised.
Information security is a complex field, with many experts and approaches. Sometimes you see frustratingly obtuse technology policies inside organizations that exist purely as a response to security concerns, that ultimately create such a bad user experience that staff seek other solutions. Other times, security isn’t given much of a thought; computers are bought individually, and an org just kind of ignores it. Ultimately, a balance must be achieved.
One quick note: other than the first item, there is very little organizations can do to protect themselves from a determined state actor such as Russia. Large corporate entities invest millions of dollars into their technology security on an annual basis, with many full time staff, and still run into issues. It is not reasonable to expect even the largest campaigns or non-profits to have a full time technology security staff. However, that doesn’t mean you can’t make your infrastructure more secure than it is, or that you shouldn’t do everything you can to button up what you have.
These are just a few steps you can take to help improve your organizations technology security. It’s unfortunate that it took such a large event for folks to recognize the vulnerabilities in our technology infrastructure and the damage an attack can have. However better security is possible, and the cost of having security is much lower than the cost to recover from a breach.
