Campaign Cybersecurity Does Not End on Election Day

The votes have been cast. Campaigns that have been in motion for many months, growing quickly and adding people, technology, and data, are now winding down. Every campaign has digital assets that need to be secured when the election is over. In many cases, the campaign’s tech infrastructure will be used again. How you close your campaign and maintain it during the “off” times should be on your radar. Done right, you can keep the campaign’s assets secure and be ready to ramp up quickly when the time comes.

Here’s some advice from DDC and our partners on a secure wind down. 

Secure and protect key campaign credentials: Just as during the campaign, protecting credentials is critical. Someone (the candidate, legal counsel, or a trusted third party) needs to retain access to, or know how to access (by holding the credentials), the campaign’s legacy technology portfolio. These could be things like your G Suite or Office 365 administration accounts, website, Dropbox, communication tools like Wickr, and accounts with third parties for fundraising, data, etc. These credentials should be stored somewhere safe. If they need to be written down, make sure they are kept in a secure location.

Some campaigns may choose to designate a person as the ‘Security & Credential Manager’ (SCM). This person will be responsible for retaining campaign login credentials across services and profiles, preserving security protocols, and maintaining ownership over vital campaign data. This person could be the candidate, a trusted staff member, or the campaign’s attorney.

Campaigns likely have many shared accounts to which multiple staff members have access. That access should be changed following the campaign. Below is some site-specific information for popular services. In general, you can restrict access going forward by changing the password if it is a shared account with a single password, or by managing users in the account section of a service that has registered users. Of course, any password changes should follow good practice: make passwords long, strong, and unique, or better yet use two-factor authentication with a hardware key like a Google Titan or Yubico Security Key.

Removing Access to Campaign Social Media Accounts: It is highly likely that during the campaign a number of different users were given access to various social media accounts with posting and other privileges. Here are some tips for securing popular social media sites:

  • Facebook: Identify who has access to the candidate’s page and remove people as needed. Go to the candidate/campaign page and under Settings click Page Roles. Here you will see all people associated with the page and their privileges (administrator, editor, etc.). Remove or edit privileges for everyone who is no longer working for the candidate.

    • Make sure at least one remaining person, either the candidate or their designee, keeps administrative privileges.

  • Twitter: Offboarding considerations: If users have connected to a Twitter handle, the fastest way to remove access is to change the password for the account. If users have connected via a tool like TweetDeck, their access will be canceled. Of course, any new password should be long and strong, and again stored in safe keeping with the appropriate person(s).

  • Instagram: As with Twitter, the best way to eliminate someone’s access to an Instagram account, business or personal, is to change the password. If someone else is managing your account, like a Social Media Manager, and they will no longer be with the campaign, be sure to get the password from them when they go. Then log in, change the login email address to one you have access to, and change the password as well.

G Suite

A large number of campaigns use G Suite to manage their email, documents, and other communications.

There are a number of steps to take to manage the G Suite account post-campaign. Below are some actions the G Suite admin should take:

  • Connected devices: During the course of the campaign, people with email accounts will have connected devices to the G Suite account. These will include PCs/laptops, phones, and possibly tablets. As part of the wind-down process, someone should review the list of devices currently accessing G Suite data: from the Google Admin console go to Devices > Devices, where you will see boxes for Mobile and Endpoints (the PCs/laptops).

    • You can manually remove the G Suite data from any device by selecting it and clicking the “Wipe Accounts” icon in the upper right of the table; if you want to delete the device, click the three vertical dots to see that option. This is also a good time to check for legacy devices, such as phones no longer in use by the candidate or others, and delete them as well.

  • Manage Users: You are likely going to want to delete or suspend users. You manage users via the Admin console > Users. If you are a super admin, you can transfer files to another user who will remain active, if needed; you will get this option in the deletion process. There may be some users you want to suspend so you can reactivate the account later. Suspending disables login and therefore email/document access. You will still be billed for suspended users.

  • Shared Email accounts: Most campaigns will have at least one shared account where multiple users can access the inbox. Typical examples of these might be an info or press email. Some may be emails connected to the website. These accounts could have been set up in a number of ways.

    • Email Forwarding: Often, emails that come into these accounts are auto-forwarded to other accounts. In these cases you need to go into the inbox for that account (reset the password in the Admin console if you don’t have it). Once in the inbox, go to Settings > See all > Forwarding. This is where you can edit where the emails get forwarded.

    • Shared Password: People access the account via a shared password. Change the password. If you are suspending or deleting users, their access will be terminated.

    • Auto Response: If the accounts are going to remain active, it might be good to add an auto response to any incoming mail. This is useful if they are attached to a website that’s still live. Let people know whether the email will be responded to, and any other pertinent information such as an alternative email address or phone number. You can set this up from the inbox under Settings > See all > General (the first tab); the vacation responder is toward the bottom of the page.

For more information regarding managing your G Suite account, please see the Google Help page dedicated to supporting G Suite admins here: https://support.google.com/a/?hl=en#topic=4388346

Personal devices staff have used: In most campaigns, staff use personal devices for their campaign-related activities. To the extent possible, remove as much campaign data as you can from those devices. It may not be possible to force staff to change personal devices. That’s why the other measures, deleting users and changing passwords on accounts, are so important. Here’s what you should aim to have staff do:

  • Uninstall any campaign-provided software or endpoint protection sensors (unless they can be converted to personal use)

  • Oversee the removal of any campaign data on phones, tablets, computers, etc.

  • If possible, it is recommended to wipe personal devices before departure (as above this can be done via GSuite for Google account data).

Website: Securing your website is important. There are a few issues to be aware of and address:

  • Domain registration: Your web address can expire. Like other key accounts, the account where the domain is registered should be on the list of accounts and credentials. If your domain is managed within Google, it will be accessible through the Admin console. If the domain is registered via another service like GoDaddy, review the account and validate that the right contact person and email are associated with it. This will ensure that any notifications, such as upcoming renewals, go to the proper person. In most cases, setting up auto-renewal is the easiest way to stay current. Be sure you do this for all domains. Many campaigns have variations like Janedoeforcongress.com (and maybe other extensions like .info or .us, which all need to be preserved), JaneDoeforAmerica.com, Janeforanystate.com. These domains should be preserved for the next cycle and have likely been set up to auto-forward to the primary campaign domain. You can manage forwarding through the registration service.

  • Certificates (SSL, etc.): SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. A website needs an SSL certificate in order to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. To get a free SSL certificate, domain owners can sign up for Cloudflare and select an SSL option in their SSL settings. This article has further instructions on setting up SSL with Cloudflare: https://support.cloudflare.com/hc/en-us/articles/360024787372-How-do-I-add-SSL-to-my-site-. You can also check that SSL encryption is working correctly on a website with the Cloudflare Diagnostic Center: https://www.cloudflare.com/diagnostic-center/. Your registrar or your web developers should also be able to help with certificates.
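The domain and certificate checks above can be scripted so the SCM can rerun them each quarter during the off season. This is an added example, not DDC or Cloudflare tooling; the domain names are constructed placeholders and `check_domain` needs network access (the two helper functions do not).

```python
import socket
import ssl
import time
from http.client import HTTPSConnection
from urllib.parse import urlparse

# Constructed placeholder domains standing in for the campaign's primary
# domain and its variations (the .info / "for America" style names above).
PRIMARY = "janedoeforcongress.example"
VARIANTS = ["janedoeforcongress.info", "janedoeforamerica.example"]


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the 'notAfter' string returned by
    ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2025 GMT'. Negative = expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # parsed as UTC
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def redirects_to_primary(location, primary=PRIMARY):
    """True if a Location header sends visitors to the primary domain over HTTPS."""
    url = urlparse(location)
    host = (url.hostname or "").lower()
    return url.scheme == "https" and host in (primary, "www." + primary)


def check_domain(domain, primary=PRIMARY, timeout=5.0):
    """Verify chain + hostname with the default context (expired or mismatched
    certificates raise), read the expiry, and for variations confirm they
    forward to the primary domain. Returns a dict for the wind-down checklist."""
    ctx = ssl.create_default_context()
    result = {"domain": domain, "https_ok": False, "days_left": None, "forwards": None}
    try:
        with socket.create_connection((domain, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                result["days_left"] = days_until_expiry(tls.getpeercert()["notAfter"])
        result["https_ok"] = True
        if domain != primary:
            conn = HTTPSConnection(domain, timeout=timeout, context=ctx)
            conn.request("HEAD", "/")
            resp = conn.getresponse()
            loc = resp.getheader("Location") or ""
            result["forwards"] = resp.status in (301, 302, 307, 308) and redirects_to_primary(loc, primary)
    except (OSError, ssl.SSLError) as exc:  # DNS failure, timeout, bad cert, etc.
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for name in [PRIMARY] + VARIANTS:
        r = check_domain(name)
        flag = "RENEW SOON" if r["days_left"] is not None and r["days_left"] < 30 else ""
        print(r, flag)
```

A variation that reports `https_ok` False or `forwards` False is one whose registration, DNS, or certificate needs attention before the next cycle.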

A few other considerations:

1. GOOGLE TITAN KEYS / YUBIKEYS - If you ordered Google Titan Keys or YubiKeys via DDC, they are yours to keep, and we strongly encourage you to continue using them. If you do not have them set up to secure your personal email account, we highly recommend it.

For Google users, we also recommend enrolling your personal Gmail accounts in the Advanced Protection Program using your Titan Keys. You can do this by logging in to your personal email account and visiting this URL, which will take you through enrolling in APP: https://landing.google.com/advancedprotection/. Please let us know if you need any assistance with this.

And bring the keys to your next campaign to get off to a secure start!

2. LASTPASS TEAMS - If you signed up for LastPass Teams, the account is only free for 1 year, so when that period is over, staff will no longer have access to the team vaults or any shared folders of passwords (unless you pay to continue with LastPass Teams). For a smooth transition away from Teams, we recommend “removing” their accounts from the Teams account. Doing so will transition each account from a Teams user to a Free user, and they’ll retain all account data.

For an admin to remove a user: Go to the LastPass admin console > Users > select the desired user(s) > More Actions > Remove selected users from company.

It’s also important to remember that if a LastPass account is connected to a user’s campaign email address, they will lose access if the campaign email address is suspended. To resolve this issue and keep accounts intact, staff who are using a campaign address must:

3. CLOUDFLARE - For those of you who took advantage of the free campaign upgrade of Cloudflare, Cloudflare has let us know that they plan on downgrading the domains in December, and will provide ample notice in advance. When they send out the notice, it will include an option to continue with the upgraded features, for a cost that they haven’t determined yet. If you don’t decide to pay to continue, that’s ok: you’ll remain on the free tier of Cloudflare, which is a great service as well.

4. WICKR - For now, WickrPro will continue to allow 30 free users per account. They are considering rolling it back to 10, but will be sure to give everyone advance notice if this happens.

For offboarding staff and removing a user from WickrPro, Wickr Pro Network Admins can open Admin Controls > Team Directory > Manage and delete the user who is leaving the campaign.

If you have any additional questions about offboarding, or would like to set up a call to discuss an offboarding plan for you and your campaign team, please send an email to info@defendcampaigns.org and we’ll get right back to you with some options.