Company Data Security Guide for In-House Teams & Agencies
While this episode is mostly based on our experience a great resource and motivator to the idea for this episode came from Dennis Yu’s post on LinkedIn so go check it out.
Team On-Boarding Management
For every team that you have internally (sales, marketing, product, IT, dev, email, freelancers, and so on) create and keep a list of what internal and external services they have access too. Each team should have an on-boarding process and list of tools/services that they use so that when someone moves on from the company or an engagement ends with an agency/freelancer that a de-boarding process is also followed.
Tips for Data Security
- Have an on-boarding process and document what access someone is given.
- Keep track of all freelancers, contractors and agencies and what they are given access too.
- Create a de-boarding process for each team and the company overall.
- Keep track team by team of what tools, services and other data points they use and review/update the list each Quarter.
- Do mini audits of Social Media accounts, CRM, Google Analytics, GSC & the like and CMS (especially WordPress) each Quarter at least to see what 3rd party tools have access to data.
[00:00:00] Matt Siltala: [00:00:00] Welcome to another exciting episode of the business of digital podcast featuring your host, Matt and Dave roar. Hey guys, Matt SoCal here alongside Dave. Roar. How’s it going, bud?
Dave Rohrer: [00:00:15] It is officially 2020 when we’re recording this. So we all made it through the new year.
Matt Siltala: [00:00:21] Yes, we all survived. And you know, some of us are.
Or a little bit actually. you guys have had a fairly warm weather from what I’ve seen in the Chicago land area.
Dave Rohrer: [00:00:31] Yes. We’ve had more days above 50 than we’ve had a snow this winter and today is about almost 50 degrees and it’s early January, which will, I will not complain about it this time cause we’ll probably get five feet of snow between now and the end of winter.
Matt Siltala: [00:00:50] Yucky.
Yes. Well, let’s go ahead and jump into it. We’re excited bringing another one of these, episodes, [00:01:00] guys. today we’re going to be talking a little bit about companies security. And this is always a fun topic because, you know, the thing that got me, whenever we were talking about this topic day, w was.
The, the churn rate in our industry of, you know, like what we consider a person that’s like a long time veteran in our, even in our, own personal agencies. Like if a person works for you more than a year or two or, you know, it’s almost unheard of that they’re with you five years or even seven years and, and things like that, you know, you know, it got me thinking about, about just because the amount of people that you go through and just a cycle that is in.
This industry, you know, how you keep company assets secure? How do you stay on top of that? How do you do the things that need to be done to make sure that, you know, just 50 random people out there within a couple of years don’t have access to like. All your socials and really screwed you, especially if they leave in circumstances, maybe that [00:02:00] they themselves didn’t find, you know, that, that, appealing, if that makes sense.
Dave Rohrer: [00:02:07] You said socials, by the way. I find that amusing for some, I don’t know why.
Matt Siltala: [00:02:12] Well, you know, old school.
Dave Rohrer: [00:02:14] Yeah. And this, this idea, I don’t think we’ve talked about it and maybe we’ve mentioned it before, but I know we’ve mentioned about like churn and stuff. The usual, what is, I think it’s an year and a half or so is for marketing.
Matt Siltala: [00:02:29] I knew it was something like that
Dave Rohrer: [00:02:32] every year or every two years. There’s some stat that comes out and you know, we’ve been doing it for three years, so I’m probably using an older stat, but I think it tends to be around free. Someone in a marketing agency.
Matt Siltala: [00:02:44] Oh, you’re right. I believe we were talking about this cause we were talking about how the ninjas, how blinkin seems to
Dave Rohrer: [00:02:50] you.
He doesn’t have to worry about this problem too often.
Matt Siltala: [00:02:52] Yeah. It’s crazy. Anyway.
Dave Rohrer: [00:02:54] And the MLM, even new CMO and other people. But then there’s also been stories and we won’t get into it, cause I’m [00:03:00] sure we’ve covered it before as well. But also you can just go, you know, see Melissa or Simon speak at like one of the pub cons or any of the conferences they talk about where they talk about social media oopses and sometimes it’s comes, sometimes some of their mentions are from employees, but sometimes they’re also from former employees that still have access to your Facebook or Twitter.
or your Google search console and they decide to, you know, log into Yelp maybe and say that your location is closed.
Matt Siltala: [00:03:30] And, and if they have that login information, especially like on Twitter, even Yelp, like you mentioned, it’s very easy for them to go in, change things and make it almost nearly impossible.
For you to get access to that bag depending on how
Dave Rohrer: [00:03:44] they
Matt Siltala: [00:03:45] want to be. Yeah. I mean, they can change that. Emails that are sent to notifications, like they can make it nearly impossible for you to get that back without having to jump through a million hoops from the companies themselves, which don’t make it easy.
Dave Rohrer: [00:03:57] Mind you. No, they don’t. [00:04:00] And yeah, they could easily go in, log into Twitter or Facebook or anything, change the email that’s on the account. And if you don’t have, you know, even if you have, w, you know, what does it to level off to a, yeah. You know, and it, their phone number or it still goes to them in some ways, they could still get it.
Or if you don’t have it turned on because you have so many people, or if they have access to like a buffer, Hootsuite or something like that, they could still go in and post stuff. And if they have access to all those different tools. They can either do damage, you know, compromise your IP. If you’re an agency, they could compromise your trust with clients and your IP and you know, do who knows what or go through
Matt Siltala: [00:04:48] quickly.
Stuff goes viral. I hate using the word, but like viral, like there’s a reason that the words used, but like. Something could blow up in a day and, and, and almost ruin [00:05:00] you before you would have an idea of what happened. You know what I mean? Like, it just could happen so quick that it’s just anyway, you know what I’m saying?
Dave Rohrer: [00:05:08] And I think the percentage of people that do this type of thing, it’s probably less than 1%.
Matt Siltala: [00:05:15] You and I might get pissed off at someone, but we’re not gonna go and destroy something like this. Like there’s a difference. So what you’re saying is totally right, but
Dave Rohrer: [00:05:25] I mean, there’s still going to be legal ramifications in some cases, and people probably know that and some of them don’t care, or they just, you know.
They just go in and log in and you know, more of a nuisance than a legal or large problem, like going in and telling your, your Yelp to close. I’m going into your Google my business and saying, Oh Nope, we changed her hours. Or, you know, posting something off topic or off color or. You know, answering questions incorrectly.
Well, you know,
Matt Siltala: [00:05:56] I read this morning and it’s kinda, I mean, kind of related, but not, [00:06:00] but in the same sense of the legal, what you’re talking about here, that it’s interesting and just drives more of the point of this kind of stuff’s going to be taken more serious as the years roll on, I believe. in fact, it’s one of the things that we’ve predicted and you know, just last year, but, you know, more legal stuff happening.
But I just read this morning about. If you remember that a go fund me campaign where the two married young married couple, they got the $20 of gas or from the veterans. Supposedly it was his last 20 bucks. And anyway, they’re prosecuting him and I read something like 25 federal. Charges or something like that with like wire tap or money money, wire laundering fraud.
Like, anyway, it was insane. Like, I can’t remember, I’ll see if I can find the article and send it to you and you can include it in the writeup. But, it just got me thinking about that when you’re talking about this, that like, this is the kind of stuff, like it’s, you may think, okay, well I’m just going to go and delete this page or tell them it’s closed and hahaha, screw them.
But like. Be careful cause there can be some [00:07:00] serious legal ramifications coming your way coming soon. You know what I mean? If you
Dave Rohrer: [00:07:05] have for those that decide to, you know, screw with your company or a former company or clients. Yeah. So it’s not like we’re trying to give people ideas of what to do.
Matt Siltala: [00:07:14] No, I’m sure
Dave Rohrer: [00:07:15] they have plenty on their own.
And what spurred this most recently was a couple of things, but one of them was a couple of weeks ago, Dennis, you actually, and we’ll have a link to his LinkedIn post, posted a really in depth and it’s very specific to them, a D boarding process checklist. And I think once companies get to a certain size, they’re, it typically has their own checklists.
and if you don’t have an ID it department, you probably don’t have this type of checklist, but it’s, you know, questions that go to, you know, if it’s a marketing person or a sales person, it’s like, okay, who is their direct boss? Well, who should I forward their email to? You know, just so that we [00:08:00] capture stuff.
what is the processes internally for taking away their access to like Salesforce or MAs or Searchmetrics or, you know, whatever tools we use for SEMrush, a rough, majestic, whatever. do they have access to Google webmaster tools, analytics? You know, do they have access to different things? Like, You know, whatever tools you use on your marketing team, sales team, customer service and so on.
What tools do they use and what tools or access at the business level do they have acts like do they have privileges
Matt Siltala: [00:08:33] on even, I can think of several, like in our own organization, organization with access to financials and stuff, and I mean, you want to keep some of that stuff private and. And it’d be very easy for them to get ticked off at you and make that stuff not so private.
And so, I mean, you’ve got to think of every aspect of it. It’s not just like just the, the, what we were talking about with, with going and embarrassing you on Twitter or something. It’s like the, [00:09:00] it’s all of it, all of it that we want you guys to be thinking of.
Dave Rohrer: [00:09:03] Yeah. I mean, do they have admin access to your WordPress and CMS?
Yeah. where are they? Where are they? The one was their email address before you delete it being used for certain logins. one of the companies I work with, someone left a year ago or two years ago, their email address was the one that was on the marketing tool that we used. Oh, geez. So we had to, we like internally, they don’t delete it.
They just updated it. But as we were going, as they were doing. Updates and stuff. You know, I pointed it out and they were like, Oh yeah, we should probably change that. So change the password, changed all that stuff. But how often, if you have freelancers or consultants or agencies, how often do you change your passwords?
Matt Siltala: [00:09:53] I look at it like, you know, doing those audits like you do every once in a while on your, all [00:10:00] your, Your Hulu, Netflix, Amazon, or whatever. How many devices are logged in? Well, I’m going to de authorize all these and cause I don’t recognize that one anymore. I don’t recognize that. But in the morning, it just kind of, you know, you do that kind of stuff with your personal stuff.
I don’t know why you wouldn’t take some of these
Dave Rohrer: [00:10:14] sometimes.
Matt Siltala: [00:10:15] Well, you should, but I don’t know why you don’t take these steps. you know, especially with your
Dave Rohrer: [00:10:20] company. I think everyone’s just busy and you don’t think about it. But I think onboarding process. Keeping track of who’s given access to what, and doing audits of what tools you’re using, which tools you’ve had access to.
everyone works a little bit differently. I worked with an agency in the last two years where they would add me to something and then text me the password. Hm. They never put passwords. In an email or there was a shared document that I was granted access to that had logins and such like that, [00:11:00] that, you know, through the internal systems, then I could add grant, get access to, and then use that to get access to other things.
But at any time they could kick me out because I had my own login and my own email address and everything else like that. And I’ve, you know, but I’ve also had people. You know, just grant me like God, access to their analytics and stuff as soon as we’re on a phone call. Yeah. And then I look in there and the number of people, Nick, one of the first things I ever always do is go, how many other people have access to at this level?
And it’s scary.
Matt Siltala: [00:11:39] It, it, it is. And it makes me laugh. It makes me think back to 20 years ago. And, and hopefully we’ve come a little bit since, in, in company security since these days. But. You know, back when I used to work at a school district, and it was funny, very easy to figure out the teachers a password for their computer when you need a log in to fix something, because most of the time they had it on a [00:12:00] post it note right on their computer
Dave Rohrer: [00:12:02] screen.
Matt Siltala: [00:12:05] Anyway, so I don’t know why I just thought of that kind of funny, but so besides this a list and that we’re going to give you a link to just this a D boarding list that Dennis, she has put out there so. graciously. What other, what other, you know, options or what other ways do you think people should, should go about this, process?
Dave Rohrer: [00:12:27] I think keep a list of contractors, agencies, freelancers, employees, whether you’re in house or you know, anything and who has access to what, you know, every tool, give it its own little column. And keep track of who has access and who needs access and what level. And the other thing I would suggest is for a lot of things, use not a specific email address for a person, but create like a [00:13:00] marketing or sales at domain, right.
Or an additional, third party kind of like, you know. Internal company, blah, blah, blah, blah, blah. At gmail.com that only super senior people have access to, and that is the only one that has the highest level access. Everyone else is assigned. So if you’re, you know, director of digital leaves. Someone above them or the team would have access or very specific people would have access to that one.
But then again, you also have to keep track of who has access to that one, and you can’t allow your team to go, well, I know you always need this report every month and you don’t have the level of access. So here’s, here’s the admin access and that’s what happens. And then suddenly everyone has that
Matt Siltala: [00:13:49] password
Dave Rohrer: [00:13:51] or that credit card oof.
Yeah. Well, yeah, that’s the other thing. It’s like, who charged this on this one? I don’t know.
Matt Siltala: [00:13:58] Yeah. It seems like [00:14:00] every year we’re, we’re doing some sort of an audit like that as well, where. You know where all these charges and, and what are these four or do we still use it?
Dave Rohrer: [00:14:09] I had to fill out all sorts of paperwork.
The last inhouse place I worked, if I needed the, the credit card, I had to submit and document what it was going to be for and have approval. Like I would have to fill it out. Like if it was, even if it was just for, you know, a software thing and it was like a one time, $49 or $27 charge, I would have to know that it was going to cost that, write it down, who it was for.
The date, go and get it signed, and then I could go and get the credit card from someone.
Matt Siltala: [00:14:38] Well, yeah,
Dave Rohrer: [00:14:39] and that was a 200 to 300 person company, and there was 10 or so of us on the marketing team. Hmm. Well, and to use a credit card like that, I would have to go and get approval. Well, yeah. Which makes it a pain, but it also controls who had access to the card [00:15:00] and they knew every charge they could.
Then. Go back to it and say, okay, we gave the card to so-and-so, what did this, where did this one come from? Right. And then you’re talking legal problems cause you’re basically stealing.
Matt Siltala: [00:15:13] Yeah. Well that’s interesting. So, any final thoughts I guess, for, in, regarding to, you know, back to just what, you know, what we’ve talked about with security in general or the social channels or just your financial channels or whatever.
Any, any final thoughts on this date?
Dave Rohrer: [00:15:31] I think have an onboarding process for each team. Even if you’re a small company, just say, okay, you know, we have access to these four tools. This is the master account, you know, and then delegate, you know, whether it’s your WordPress or Squarespace or Shopify or whatever your CMS is, delegate.
And then know who who has access and keep track. Like, you know, if you work with a freelancer, what are they given access to? How long [00:16:00] do they need it for? Do they need forever? You know, is it a tool that’s always connected? a lot of times I also log into Google search console and I’ll see people that have access are granted access to tools.
Like you can look at that in your Google account or take a look at your Twitter or Facebook where you can grant apps access that I do do from time to time because. For the business of digital or, you know, my own personal one. I’m always trying different tools and some of them are like, Oh, we need access to your Google search console, or we need access to your Twitter account so that we can, you know, compare you to five other people.
Okay. And then, you know, you do it once and then you’d never go back. And then three months later. I mean, I somehow end up on that thing and I’m like, what the blank are all these things? And I’m like, Oh yeah, I tried this once, like, you know, six months ago, and I should probably install that. Yeah. So yeah, just do a quarterly [00:17:00] audit of stuff like that.
But I think having an onboarding and deboarding process and checklist will help alleviate a lot of possible problems. Very good, but you have to do it. Yeah,
Matt Siltala: [00:17:14] it is. And it’s one of those things where all of us in this industry, we’re busy all the time and you’re like, do I really need to spend time on that?
We’ll think about how much time you’re going to spend putting out that fire. Heaven forbid if it happens, someone goes out there and does something stupid post something that you don’t want, whatever. that’s going to take you a lot more time than the little bit of time or inconvenience it’s going to take once a quarter.
To go and do these kinds of little audits and just take care of yourself that way. So those are my final thoughts. Dave shared his, and so, for Dave with Northside metrics, I met Sylvia live with avalanche media and we thank you guys for joining us on another one of these, business of digital podcasts.
Thank you guys.
Dave Rohrer: [00:17:52] Thanks.