Online Security: A Checklist for Marketing Agencies
As marketing agencies, we're not saving babies here. We're not financial institutions or the NSA or a high-security entity that requires paranoia-level lockdown.
However, that being said, we do have a responsibility to keep our data secure. After all, we handle sensitive information from many different clients and we have access to mission-critical assets like client websites, client email marketing programs and client social media. A breach in any of these areas can lead to significant PR disasters and loss of revenue for our clients.
With this in mind, we have some pretty specific opinions on security here at Inbound Back Office and we also encourage our clients (marketing agencies) to follow similar practices. Keeping data secure is good business for everyone.
So here is our checklist of security practices for marketing agencies.
Use a password manager like LastPass
I have a bone to pick with many agencies because they store client passwords in a spreadsheet. In plain text. Stop the madness!
The best way to keep track of passwords at an organizational level is with a password manager like LastPass. This service keeps all password encrypted in a central database and allows you to control who has access. No more passwords in spreadsheets or on post-it notes.
Additionally, if you are using the enterprise version, you can quickly "detach" team members when they leave the agency so that they no longer have access to agency-wide passwords.
Use strong passwords (longer is better)
One of the best ways to avoid breaches is to understand what makes a password secure. Many people have been trained to think that weird combinations of letters and numbers make a password secure but in reality, it's the password length that matters.
LastPass recommends that a password "should have a mix of characters (uppercase, lowercase, symbols, and numbers) and avoid words straight out of the dictionary" and should be as long as possible, and no shorter than 14 characters."
So a mixture of characters is good, but 14+ characters is the goal.
Worried about remembering a bunch of really long passwords? Don't fret! You're using LastPass, right?
Don’t use the same password on multiple sites
Most people are guilty of this one. After all, who wants to remember a bunch of passwords when you can use the same one for everything? The problem is, if an intruder gets access to one password then they get access to a lot of sites at once. Use unique passwords.
Don’t write passwords down
This should be a no-brainer but many people still write passwords on sticky notes out of convenience for all to see, including the cleaning staff, clients that come in the office, and anyone else that may walk in. Not to mention anyone that goes through the trash after they get discarded. Don't ever write passwords down on paper.
Use a VPN on public networks like Hotspot Shield
Many people work outside the office at coffee shops, co-working spaces, airports, and other public locations. This opens them up to intrusion by others on the same network.
To prevent breaches, all team members should use a VPN when outside the office, home or a trusted private wifi network. My favorite VPN is Hotspot Shield. It's fast, secure and easy to use. And very affordable.
Keep software up to date (OS, web browsers, etc.)
Keep your computers and all software up to date. Enough said.
Activate 2-step verification on all accounts (email, social media, etc.)
2-step verification is a hassle. I get it. Everyone hates it. But you know what's more annoying? Getting hacked.
Many breaches are easily preventable by activating 2-step verification on all accounts. This means email accounts, social media accounts, apps, and literally everything that has the option. This goes a long way toward preventing the vast majority of possible intrusions.
At Inbound Back Office, we require all team members to use 2-step verification for security.
Use a strong password on your computer and set a screensaver lock after 15 minutes
Many people don't think about the most basic point of entry to their data: their laptop. A lot can happen when you go to lunch and leave your computer unattended. Or what if your computer gets stolen?
Make sure that you have a strong password set on your computer and that the screen saver kicks on in a short amount of time and requires a password to unlock.
Don’t send sensitive information over email
This one drives me crazy. We love our clients but I've had many of them email me credit card numbers in plain text. Email is inherently insecure. It sends data in plain text and can be intercepted very easily.
If you need to send files securely, use a secure service like Sendinc or Firefox Send.
Back up your data
Not only it is annoying to get hacked, but it's extra annoying to not be able to get your data back. Make sure your data is backed up using a service like Backblaze or Carbonite. These cloud-based services are inexpensive and worth the money.
Be alert for phishing
Fun fact: most security breaches succeed through social engineering. Also called "phishing," this occurs when an attacker tries to fool an employee into giving up personal or sensitive information by pretending to be a person or entity that the employee trusts.
Examples include sending them an email that looks like an official Microsoft email asking them to log in to their account to confirm something. When they click the link it takes them to a site that looks like the official Microsoft site but is designed to collect their password when they attempt to log in.
Other variations include sending spoofed emails from "the boss" asking an employee to send money or passwords because they are in an important meeting.
Not everyone is vigilant about this and so it's important to train your team members to understand what to look for to avoid being the victim of phishing.
Set policies and train your team
While this is a strong checklist, it is only as effective as it's enforcement. We recommend that all agencies create a security policy for their business and train their team members to follow it. Regular education and review can make all the difference.
Most people haven't developed good security habits so it's up to you to instill these habits in your agency. With this checklist, you will have peace of mind knowing that you are handling your data and your clients' data securely and responsibly.