10 things you and your grassroots organization can do to improve your digital security

If we’ve learned anything over the past few years, it’s been that the threat of a foreign cyber attack — against an individual, a campaign, an organization, or even municipalities — is both real and potentially very dangerous. But the risk is not just from other countries attempting to interfere with our work or our democracy; smaller groups or even lone individuals taking over email accounts, wiping computers, or otherwise causing havoc can be disastrous both personally and professionally.

Thankfully, there are a few simple steps we can take to prevent this from happening — or at least make it more difficult for the attacker(s).

I’ve been responsible for some pretty big websites and social media accounts over the past few years, and a large part of that responsibility is to keep an eye out for ways that staff, organizers, volunteers, and community members can be more secure as we work together and communicate with one another on the same digital platforms. As part of that work, we’ve identified 10 rules every organizer and organization should follow — both in their organizing work and while simply browsing around the web — that will improve security.

Rule #1: Keep your operating systems (Windows, Mac, iOS, and Android) and applications (such as Chrome, Firefox, and Microsoft Office) up-to-date.

This is the easiest step for organizers to follow, and one of the most important. The software updates to your computer and phone operating systems and applications not only add new features or change the way things look, they also patch security holes that companies such as Microsoft, Apple, and Google have found on your device. Be sure to turn on automatic updates when available. Phones usually update by default, but instructions are available for both Mac and Windows to make sure you’re protected.

Rule #2: Use two-factor authentication whenever it’s available.

One of the biggest digital security risks we face is someone stealing the password to an account. Using the same password across multiple sites makes a hacker’s job much easier, especially if one of those sites has already been hacked or if you fell victim to a “phishing” attempt, where you unintentionally provide the attacker the password by clicking a malicious link in an email that appears to come from a coworker or even a third party (Gmail, Amazon, etc.).

“Two-factor authentication” means that in order to log into an account or device, you need two of the three “factors.” The three factors include: (1) something you know (like a password or PIN), (2) something you have (like your mobile phone), and (3) something you are (like your thumbprint or a scan of your face). You need to verify your identity using two of those three in order to gain access.

When we talk about security for platforms such as your email, bank account, or social media, we’re usually talking about using the first two, something you know (your password) and something you have (your phone). Even if an attacker does get your password (the “first factor”), if you have two-factor authentication, they’d still need to access your physical device to get into your account (a “second factor”).

Check out https://www.turnon2fa.com/ and https://twofactorauth.org/ for step-by-step instructions.

The best places to get started with two-factor authentication are your email and Apple ID (if you use a Mac/iPhone/iPad). Use an app like Google Authenticator or Authy, or a physical device like a YubiKey, where it’s offered as an option — it’s even more secure than getting authentication codes sent to you via text messages!

Rule #3: Be careful “authorizing access” to your accounts

If you’ve ever installed a plugin or 3rd party application, you may have seen a pop-up asking you to “authorize access” to different parts of your accounts. Here’s what it looks like for Google:

Many 3rd party services such as Google, Facebook, Twitter, and LinkedIn have similar pop-ups, and most detail what exactly is being authorized. In this case, by clicking “allow” you’re authorizing the service to download your entire email inbox and store it, and they may never need to ask you for permission again or need your password.

If you’re not familiar with a plugin or service, or you don’t expect this pop-up, never click “allow.” It’s also worth noting many “free” services that offer features such as automatically unsubscribing you from email lists or automatically tracking packages are actually downloading your email in order to provide analytics services to businesses — meaning if they get hacked, so do your emails. So if you don’t trust the maker of that plugin or app with all your email, don’t give them access to all your email!

Most websites list in your “settings” what services have access to your content. Services such as Facebook, Google, LinkedIn, and Yahoo all provide documentation on how to list and remove these applications. But just a bit of a heads up: Disabling an app may change its behavior. So if you rely on a service daily (such as the email app on your phone), think twice about denying access. Only remove ones you know you no longer need or don’t trust!

Rule #4: Use a password manager for all your passwords, and encourage all of your coworkers and volunteers to use it for both their work and personal accounts.

We chose LastPass because it was competitively priced, has two-factor authentication, and allows users to easily and securely share passwords between teams. Other good options include Dashlane, KeyPass, and 1Password. Make sure to install the web browser extension offered by your password manager. One of the easiest way to spot phishing sites is when your browser extension doesn’t offer to auto-fill your username and password like it usually does.

Rule #5: Use strong master passwords that are hard for computers to guess but easy for you to remember.

Your password manager should have the ability to generate long and complex passwords for you to use on individual sites. But your password manager is only as secure as the password you use for it! I like to follow the advice of this XKCD comic and use a set of random words strung together that are easy for me to remember but are hard for computers to guess.

Rule #6: Never reuse passwords, and never use passwords that are similar to ones you’ve used on other sites.

If a website leaks your password (a very common occurrence), attackers will immediately gain access to all your other accounts that use the same password and don’t have two-factor authentication enabled. This is one of the most common ways accounts are compromised.

Password managers like LastPass can store passwords that are long lists of random numbers, letters, and symbols, and will offer to pre-fill login forms with those random passwords. Use a password manager.

Rule #7: Only give account access to those employees and volunteers that actually need access to that account.

As an organization, we’ve done everything we can to compartmentalize access to passwords only to those who are most likely to need them. And when the passwords are no longer needed, or a person is no longer working with the organization, then we immediately revoke access in LastPass.

In the same vein, be sure to include password revocation in your organization’s offboarding checklist, and immediately disable accounts when people leave your organization.

Rule #8: Never share passwords via unencrypted email.

It may be common knowledge now, but it’s worth repeating: Email is just not secure, and you should assume someone, someday, is going to be able to read what goes through your inbox. Either your account could be compromised, or the person or people you’re emailing could be compromised. So definitely don’t send your passwords to other people via email.

If we need to share access to an account with new team members or volunteers across the country, we all use LastPass’ Sharing Feature. As an absolute last resort, I might call the other user, or use an encrypted messaging app like iMessage or Signal to share the password.

Rule #9: Cybersecurity and physical device security go hand-in-hand. Secure your devices!

If your phone or computer are lost or stolen, so is all the data held on them. In order to limit the risk to your entire organization, enable disk encryption (FileVault for Mac, BitLocker for Windows) on your computers. This makes it impossible to access files on your computer without your computer’s password. And make sure features such as “Find My iPhone” (iPhone/iPad) or “Find My Device” (Android) are enabled on your devices, so you can wipe your devices remotely even if they’re gone forever. At least that way you can protect your data from being stolen, even if you can’t get your device back.

Make sure that your computer/phone locks itself when it’s put to sleep or left idle. Encryption is far less effective at protecting your files and operating system if your computer is left unlocked, making it easy for a nefarious person to get physical access to your data.

Rule #10: Install an ad-blocking plugin to your browser such as uBlock Origin.

Many people already do this, but block advertisements on websites you aren’t familiar with. Ads are very a common transmission method for viruses and malware. Their goal is to get you to click on something you might be interested in, but is actually harmful malware in disguise.

BONUS RULE: Use a VPN when you’re on a public wifi network.

If you’re like me, you do a lot of your work on the wifi in coffee shops, hotels, and airports. The convenience of being able to do your work from anywhere is freeing, but not without risk. Accessing unencrypted content over public wifi networks leaves it open to snooping by third parties. Thankfully there is a simple solution: use a virtual private network (or VPN). A VPN will encrypt and route all your web browsing through a secure server away from the coffee shop or hotel, leaving what looks like random noise for nefarious individuals to scoop up over the airwaves. Some of my favorite VPN services are Encrypt.me and TunnelBear.

Cybersecurity is something everyone should be concerned about, no matter if you run Twitter and Facebook accounts with millions of followers or just talk to your friends over email.

If you follow these rules, both you and your organization will instantly be more secure. Keep safe out there!

Thanks to Paul Schreiber for his assistance in compiling this list.