It seems like we hear about data breaches and customer data being leaked by hackers on a daily basis. It's no wonder public skepticism is on the rise and services like LifeLock and LastPass have become increasingly popular.
As a business, you are responsible not just for your own data but for that of all your clients, employees, and vendors. To secure this kind of data at commercial scale, you need services that encrypt it properly, support two-factor authentication, and have actually been tested by ethical hackers.
With so much risk and skepticism, is it really safe to trust a marketing agency with the keys to your website?
Working with an agency generally requires you to share sensitive information like login credentials. So, when an agency you are working with requests these credentials to your CMS or CRM system, what should you do?
The answer is that it depends.
It depends on what security measures the agency has in place, it depends on their reputation, and it depends on what method they use to request your sensitive data.
Giving your passwords to an agency
Here are some of the most common transmission methods an agency may use to request sensitive information:
Email is the most commonly requested delivery method. Usually, the agency will send you an email requesting login credentials and asking that you simply reply with them. Please don't ever do this!
Email is not secure by default: a message normally sits unencrypted in both mailboxes, in backups, and in every forwarded copy, so anyone who compromises either account, or a laptop or phone that has synced it, gets your password along with everything else. If you must use email for delivery, use a service like ProtonMail that offers end-to-end encryption. Messages are encrypted on your device before they leave it, they are stored and transmitted only in encrypted form, and ProtonMail itself cannot read them.
Two caveats apply. End-to-end encryption only holds when both parties use ProtonMail, or when you send a password-protected message to an outside address; a plain message to a Gmail or Outlook recipient is not end-to-end encrypted. And encryption does not stop a message from being intercepted, it makes an intercepted message useless to whoever grabbed it. Even with all of that, the recipient still ends up holding your password in plain text, so an encrypted email is a fallback, not a substitute for sharing through a password manager.
Texts are even less secure than email. SMS travels through, and is stored by, the carrier without end-to-end encryption, and even when nothing is intercepted, the message stays on someone's personal phone.
With cloud backups and cross-device syncing, that one message gets copied to several more places, and people rarely wipe old data when they switch phones.
The phone company, and anyone with lawful access to carrier records, can read it too. Text is generally not an official communication channel for most companies, so be wary if you are asked to send your login credentials this way.
If an agency asks you to send sensitive data over a fax line, RUN! Not only is it antiquated, but a fax produces a paper copy of whatever you send at the receiving end, one that can roam around the office for anyone to read. Fax machines usually sit in a shared area of the office, too, which means anyone walking past can see the page, or worse, take it.
Password management services:
Services like LastPass are a good way to send your credentials. We at IMPACT use LastPass. Your vault is encrypted on your own device with a key derived from your master password before anything is uploaded, so the service stores only ciphertext and cannot read your passwords itself.
Because the vault lives in LastPass's cloud in encrypted form, the credential never needs to be pasted into a document or email on anyone's machine. If you sign up for a free account you can store your passwords and share individual entries with an agency through the platform, and revoke the share when the engagement ends. Keep in mind that a shared entry is decrypted on the recipient's device whenever they use it, so limiting who it is shared with still matters.
A comparable service is 1Password. 1Password started off as a Mac-only product but is now available on most platforms. Its login is also somewhat stronger: besides your master password it requires a Secret Key, a long random value generated when the account is created and kept only on your enrolled devices. Because the encryption key is derived from both, an attacker who steals a copy of your encrypted vault cannot brute-force your master password offline.
LastPass works virtually anywhere, from a browser extension or its web vault, on any device and browser. LastPass also has an Emergency Access option, so that if you become seriously ill or die, a person you designate can take over the account and nothing is lost.
At the time of writing, LastPass for business starts at $4 per user per month, with several plans for different business needs, and 1Password has one business plan at $7.99 per user per month. Asking your agency what it uses and why can also help you decide which service to use.
Data security may seem like a foreign language to many, but arming yourself with the right information is key to making an educated and informed decision. Here are some definitions to help you when asking questions and doing your research.
Geo-Fencing: a virtual perimeter around a real-world geographic area. Some services use this to check where a login is coming from and block logins from outside the permitted area.
Data Encryption: a method of encoding information so that it can only be decoded, and read, by someone holding the correct key. Ciphers come in different key sizes; AES with a 256-bit key (AES-256) is the widely used standard for encrypting stored data, and there is no known practical attack against the cipher itself.
In a password manager, encryption happens on your device first, and the already-encrypted data is then sent over TLS (Transport Layer Security), the cryptographic protocol that protects the connection between your device and the server so that someone sitting in the middle of the network cannot read or alter it. AES-256 is the same cipher used by banks and the military. The practical weak point is not the cipher but the password the key is derived from: a weak master password can be guessed no matter how strong the encryption around it is.
Brute Force Attacks: (also known as brute force cracking) the cyberattack equivalent of trying every key on your key ring until one fits. Brute force attacks are simple and reliable. Attackers let a computer do the work, trying username and password combinations against a login page, or, if they have stolen an encrypted vault, trying candidate master passwords offline with nothing to slow them down but the math. What makes the attack expensive is a long, unpredictable password and a deliberately slow key-derivation step; what stops it online is rate limiting and two-factor authentication.
Asking the hard questions
The best way to help ensure your information is safe is to ask your agency. The agency you are working with should be open about its security policies, and if it isn't, that should be a concern. Here are some questions you should ask:
How do you treat your sensitive information?
What services or methods do you use to store, send, and receive sensitive data?
How many people at your agency will have access to my credentials, and how is that access removed when someone leaves or the project ends?
Have you ever had a data breach? If so, what was the resolution?
Has there ever been a misuse of a client’s login credentials?
At IMPACT, we take client data security seriously. We recommend that our clients use LastPass because we have done our research and its security measures are the best in the industry that we have come across.
Whether it’s multi-factor authentication, geo-fencing, login controls, or risk assessment status, there are many available checkpoints in place to help secure your data. At IMPACT we use LastPass across the company.
So, should you trust an agency with your login credentials? If they are using secure methods, are open about their policies, and limit who has access, then the answer is probably yes.
At the end of the day, the time you put in to research what they are doing with your information can save you many headaches later on down the road.