In this day and age, I'd recommend consulting with an actual security professional for organizations as public as political parties.<p>Short of that, make sure to (at least) cover the basics:<p>- Ask everyone to use a trusted password manager and a strong, unique password for everything. Avoid shared accounts and shared passwords.<p>- Enable 2FA everywhere; strongly prefer authentication apps or, even better, hardware tokens over SMS. Use SMS 2FA only as a last resort.<p>- Have everyone go through cyber security awareness training. Many attacks start off as (spear) phishing emails and/or various social engineering shenanigans.<p>- Update every piece of software <i>obsessively</i>. That includes everything from workstations and phones to servers, VPNs, routers and printers. Do not use any device which isn't supported anymore.
Use NextCloud.<p>It's going to be worth doing threat modeling for different things, but a lot of operational problems can be solved with this, and it is self-hosted.