Protecting Customers Sites from Bots and Malicious Actors

Successfully protecting ControlShift sites from bots and malicious actors requires multiple layers of protection. Many of these protections happen behind-the-scenes automatically. However, as online attacks increase, we think it’s important to remind organizations of the steps they can take to help protect their sites from malicious actors and keep member data secure:

  • Unique Passwords: One of the easiest steps for admins is to ensure that their ControlShift account is secured by a strong, unique password. Reusing passwords across various platforms makes accounts more vulnerable. Password managers can help to generate and maintain long, unique, and randomized passwords for various accounts.
  • Two-Factor Authentication: Two-factor authentication (2FA) is available to anyone with a user account. When 2FA is enabled, the user will need to enter a randomly-generated code after entering their password to gain access to their account. We strongly recommend that everyone, but in particular organization administrators and partner organization staff members, enable 2FA for their accounts to help prevent unauthorized access. Organizations can also require all administrators to enable 2FA via their organization’s settings.
  • Granular Permissions: Successful use of ControlShift is only possible through the work of organization administrators who provide strategic and technical help to petition, event, and group leaders, while also monitoring and moderating content. However, not every administrator needs access to everything in the platform. ControlShift allows creating teams of admins with specific sets of permissions, which allows organizations to limit the number of users with access to sensitive information.
  • Captcha: We recommend organizations enable captcha-based bot protections on their site’s public-facing forms. For many organizations, using Google’s free reCAPTCHA product is an easy solution. For organizations concerned about potential data privacy implications from using a Google product, we also we offer the option of integrating with hCaptcha. hCaptcha is a a paid tool that describes itself as a ”privacy-first” captcha. Both of these tools offer invisible-to-the-user protections for site forms.
  • Monitor Bounces: After completing ControlShift’s sender authentication process organizations can monitor email bounces in real time. While some bounces are always expected, a substantial increase in bounce reports can be an early warning that your platform is being targeted by spam activity.
  • Check Integrations: Admins with appropriate permissions can view all third-party integrations that have been added to their site. These integrations may include things like CRM systems and data analytics tools. While these integrations are less-likely attack vectors, ensuring that member data is only being sent to third-party tools that an organization is actively using is a good data privacy practice.

Securing ControlShift’s sites is our top priority. By working together with our customer organizations, and encouraging security best practices, we can help keep supporter data safe.