Below is a guest post from Tom Smith, VP of business development and strategy for CloudEntr by Gemalto. In this role, he helps define and execute Gemalto’s identity and access initiatives in the cloud. Tom has over 30 years of experience with security, mobile, and cloud technologies, including founding executive roles at four technology companies. Read more on how to keep your agency’s data secure though two-factor authentication and password management here.
When you think of all the things that drew you to the marketing and advertising industry, information security probably doesn’t spring to mind. It likely didn’t even occur to you that dealing with clients’ strategies could make you responsible for handling sought-after secrets.
Yet look at how government leaks have happened. NSA servers weren’t hacked. Contractors like HBGary Federal and General Dynamics that work on government projects were targeted. This means you—a third-party vendor—could be at risk. Should confidential client files be leaked, you could be subject to the subsequent investigation.
If you want to land big accounts, you need to prove that you’re not a weak link. Agency collaboration is difficult without sharing access to online services, but you can do so securely with these four practices:
1. Share Access, Not Passwords
Sometimes it’s easier to log someone into your workstation. Perhaps a project is being sent back and forth or you’re managing data for so many clients that it could be difficult to get another login from them. This place is practically a family, so it’s no big deal if you share a password, right?
Wrong! The entire purpose of logins is to track identities.
When you share logins, you’re giving someone your confidential information in the moment for a specific use. But if you’re like most people, you forget whom you’ve shared it with. This allows them to use that information at an inappropriate time—like after they’ve left the company.
Remember, any mis-click will make you look like the culprit. That’s why it’s vital to have a way to report unauthorized usage.
2. Add a Second Security Gate to Your Logins
Passwords are great, but adding a second security step with two-factor authentication helps ensure a user’s validity. This process requires the user to present at least two independent identifying factors. Commonly, the user is asked something he knows (username and password), then for something he has (mobile phone or USB security token) or something he is (fingerprint).
Implement two-factor authentication for the web-based marketing tools your agency uses. This can be done as a software token via a mobile one-time password app or a hardware token such as an OTP key fob.
3. Track Who Is Logged In
All user account information is inevitably stored somewhere on your network. If you use Microsoft’s Active Directory to manage users, tie it to your login management system to have a single place to activate or shut off user access. That way, when an employee leaves, you won’t need to worry about him accessing proprietary or sensitive information.
Track and report who has logged into which accounts. If there’s a leak from your agency—accidental or not—you need to know about it and discover the source before your client does, or you may lose a huge account. Let’s face it, this industry is small; word will spread, and you’ll likely lose accounts and have trouble attracting new ones.
4. Train Your Staff
Communicate your policies and procedures regarding separation of duties to ensure there are checks and balances. In the banking industry, employees can either issue a check or set up a payee, but can’t do both (to avoid drafting and issuing a check to themselves). Think about your employees’ duties and what kind of access they truly need.
Don’t forget about the IT department to avoid a situation where a rogue IT person runs wild. Formalize policies and ensure that every employee—even outsourced IT staff—is aware of security policies.
If you don’t take control of user accounts, someone else might. The next thing you know, anyone can walk into your agency, login to your workstation using the password written on a Post-it under your keyboard, and leak the specs on that groundbreaking tech your agency was responsible for launching.
Whether you take security seriously or not, your current and potential clients will. If you want to make it in this business, you have to learn how to protect those client relationships.
