The Risk of Bad Security to Marketing Agencies

Keeping customer, employee, and agency data secure is more challenging than ever before. Big companies that spend a lot on security are getting breached, but they’re not the only target. Marketing agencies are under attack as well so we need to focus on nailing the basics of security and beyond.

In the event of a breach or security issue, your agency could be annihilated by CCPA or GDPR fines and by clients suing your company. A professional security framework can also help ease clients’ minds when you need to get sensitive information from them to do your work, so it can be used to help sell work to new and existing clients. At the very least, good security adds to the sense of overall professionalism that clients will have of your agency.

First, talk to your IT provider. IT companies are great at security because they typically handle the fallout of security emergencies with their clients so handling security is their bread and butter. This article is mostly going to focus on what practical changes you can make at your company to get better security in place.

Security Meetings & Responsibilities

One of the first steps you should take is to have some initial meetings, assign responsibilities, and find the glaring holes in your defenses. It should be easy to figure out who is responsible for security, there should be clear buy-in from every level of management, and it should be easy for any staff to raise a security concern and have action taken on it. At an agency, an Operations Manager would typically head up this kind of responsibility, but this may vary depending on the agency.

Setting up these first meetings, as well as recurring check-ins, are the first steps in building a culture of security. If you don’t build security-mindedness into corporate culture, this will all just be a flash in the pan, and people will quickly revert to their bad, un-secure habits. To affect culture:

  • Set up an in-house Slack channel where people can bring up security concerns or make recommendations
  • Praise people when new, unknown security issues are brought up and addressed
  • Cover security at quarterly and yearly meetings
  • Security is an ongoing process, so treat it that way in how periodic check-ins are performed

Managing People

Security these days succeeds or fails based on people. Policies that can be enforced and checked are essential to put in, such as:

  • Require that employees keep their PC or Mac on the latest OS.
  • If they use their phone to access company data, require that employees keep their phone within 2 versions of the most recent OS (it’s impossible to require that they have the most recent version if they’re on Android, but this is easier on iPhones)
  • Don’t make security exceptions for VP and C-suite. They’re the ones that are going to be targeted.
  • Use granular permissions. The new intern shouldn’t get the username+password to your biggest client’s Google Ads account. They should start with read-only on the accounts they need access to and nothing more.
  • Take time to educate your employees on common security scams and what to look out for. Your security against phishing is only as strong as your most gullible employee.

Managing Passwords

Digital Marketing Agencies have to manage a LOT of passwords. In-house passwords for advertising, CRO, and analytics platforms, as well as client passwords for domains, website server access, CMS, CRM, client ad platforms, client Google Analytics access, etc. Because of the volume of passwords in each company, a couple of recommendations may help.

Password managers like LastPass and Keeper help agencies manage lots of impossibly complex passwords AND securely store the passwords. They can also check and enforce password complexity, and are a great way to securely share passwords only with those people who should have access.

Password policies help reduce risk and increase consistency. Some example password policies:

  1. After an employee departs, any shared accounts that they had access to will have their password reset to a new, secure password.
  2. Auditable offboarding checklists should be used to ensure all appropriate accounts are disabled/archived/etc.
  3. 2-factor authentication (2FA) should be used for the most critical, or admin-level accounts. We recommend that any ActiveDEMAND login that has admin access to multiple client accounts should use ActiveDEMAND’s 2-factor authentication.

Managing Assets

Many marketing agencies hoard old client digital assets for far too long because they don’t recognize the massive liability that they are. If your file storage is hacked, or a rogue employee takes client assets, you may be required, by law, to disclose to those clients that their assets were taken. That can be an awkward, damaging call to make. Just imagine:

“Hey ex-client, remember that brochure you asked us to make 10 years ago, but we convinced you not to release it because it was in bad taste? An old employee downloaded it and shared it on Reddit. It’s currently at 1 million views, and we really need you to submit a DMCA claim to take it down and prevent further damage.”

If you feel your butt clench at the thought of making that call, you can probably realize how much of a liability client assets can be. You must create policies and procedures around handing over and deleting old client assets. The same thing goes for old client passwords. If an angry client fires you, part of the process should be handing over assets and passwords and notifying them that you’re deleting your copies. Yeah, they might lose those passwords and come to you in a panic to see if you can save the day, but that’s their dumb move, not yours. Old client assets must be pruned on a periodic basis to reduce the amount of damage that a breach could cause to your agency and your clients.

Company physical assets like computers, phones, and other hardware should be tracked using a tracking system. Unless you like giving ex-employees free laptops, you should know what hardware they have and what must be returned when they leave the company.

Company digital assets should be stored somewhere that is backed up and secure. Having employees store files locally should only be a temporary measure when they’re on the road or working with large files like HD video editing. Run backups on digital assets so that you have some recourse after a ransomware attack. The result of a computer getting hacked and ransomware installed, should not be catastrophic if you’ve been backing up and using secure file storage.

Security is a Focus for ActiveDEMAND

Here at ActiveDEMAND, security is a top priority. We use many layers to keep our client’s data safe, such as:

  • We have a dedicated security officer
  • We have strict account access policies (clients have to grant us access to their account if they need direct assistance, and that access always has an expiry date)
  • We have strict processes for helping clients get access if it was lost
  • We have internal processes for managing passwords/access and keeping passwords strong and changed regularly
  • We have regular security review meetings with staff
  • We perform regular security audits
  • We employ data retention policies to comply with international regulations like GDPR, CCPA, CASL, etc.

These layers help build redundancy and drastically increase our defenses against attack. If you run a marketing agency, you should seriously consider how you treat your security because it could mean the sudden end of your business.