Digital Marketing Security – Steps You Should Take To Protect Your Digital Assets

Digital Marketing Security - Protecting Logins From Hacking

Has your team changed a lot recently, or your working practices have changed?  Are you worried some of that knowledge may walk out the door, including that vital login for the system you didn’t even realise you should have access to?

We often talk about digital assets in our talks and for many business owners they appear to be invisible, but they are just as important as those physical assets like buildings, cars and trucks, if not more so. 

For us, digital assets are all the digital elements that add value to your business. This starts with the more obvious elements such as your website, your social media profiles, but as importantly it’s the more ‘invisible’ parts (or ‘black magic’) such as email lists, Google Analytics data, remarketing audiences and more.

This article will talk you through what access you should have to ensure your digital assets are protected, and you have total ownership of your website, social media accounts, Google platforms and more.

It’s incredible how many clients we work with who are not aware of all their passwords, or their logins are all over the place and not saved in one central location, securely.

As we’ve seen recently, sometimes unexpected things happen quickly, and the last thing you probably have on your mind is who has access to what.

We’ve also provided a link at the end of this article to a document you can copy to kickstart your logins list.  Yup, it’s old school, but if you have a spreadsheet of your logins, it’s far better than not having one.  

Although this article is based on digital marketing assets, we’ll give you some prompts for other systems as well.

Digital Security and Transient Staff

In some industries or locations, such as tourist businesses or locations with transient staff, the problem of missing logins is typically worse due to higher staff turnover but this is applicable to all businesses.

It sounds great when young Jimmy joins your team, you think he knows about some online stuff and he sticks up his hand to create a few accounts (maybe incorrectly), and set up some social media stuff.

It’s not so great when Jimmy walks out the door with all your logins and any history of data and potentially campaign results.

As we mention quite a bit, the devil’s in the detail and this is one area where less haste, more speed if the best way forward.

So let’s get down to it… trust us, go through the basics below first, then get onto the real detailed spreadsheet. 

One Marketing Login

We often recommend to clients they have one marketing login that has access to most tools and services. You may want to be more secure than this and allocate it to individuals, but you don’t need to share all the passwords with everyone.  This is much better than individuals setting it up under their own work email, or worse… their own personal email, then leaving you in the lurch. Just because there’s one shared login, individuals can still have access, but it removes the single point of failure.

An example would be using as your login, or  This can also be used for your Google account.  If you didn’t know, your Google account is used for accessing Google tools but does not have to be created using a gmail email address, in fact it’s better if it’s not. You can use any email address, but if it’s one from the same domain as your website it’s even better. (Your Google Account isn’t an email address, it’s an account linked to an email address).

If you ever get into a tricky scenario with Google such as losing access to your analytics account, or business listing and have to go through support, it gives you much more credibility with them if your request comes from a Google account using an email address from your own domain.

We recommended setting up a specific marketing email address for a Google account for our client at the start of a big project and it wasn’t done.  At the end of the project, the email address was set up, and we had to go through all the digital assets for multiple websites, and all the related Google properties changing permissions.  This just costs twice as much time.

This comes down to minimising the total cost of ownership and doing things the right way – less haste, more speed.

Password Security – Avoid Being Hacked

Google123 just doesn’t cut it as a password any more!  Try and use unique passwords everywhere, or at least have a long one generated by a good password generator such as – even though it will be far less memorable.

As an agency we have two factor authentication (2FA) set up wherever we can, but if your password is weak, this is the weakest link.

Think you won’t be hacked?  It’s all fair and well thinking like that, but I can reel off a number of examples from local and international businesses that have had either their :

  • Facebook Ad Account hacked ($20,000 in redirected ad spend)
  • Google account hacked (all files encrypted and held to ransom)
  • Google Ads Account hacked ($250,000 in redirected ad spend)

The pain of dealing with secure passwords and 2FA  is far less than dealing with the potential aftermath.

Two Factor Authentication – WTF?

If you’re not familiar with it, two factor authentication (or 2FA) is a way to change your login process so you enter your normal login details, then you either have to : 

  • Enter a code from an authentication app on your device
  • Enter the code from a text message on your phone
  • Approve a popup from an app on your device

This might all sound too techy or in the too hard basket, but trust me, it’s not. It’s easy to follow and will protect you and your digital assets in the long run. 

Having attempts will increase in times like these.

When there is lots of confusion going on around the world, some nasty people will use it to their advantage, and look to send more phishing emails, or hack into accounts, and take advantage of vulnerabilities. Having 2FA set up can protect you against this a lot better. If someone gets your password, they’re unlikely to be able to get any further if they don’t have your authenticating device or software set up.

Here’s link to an article about setting up two factor authentication for your Google account :

This is a link to the Google Authenticator ( application I use for security codes.

This article will show you how to set up two factor authentication for Facebook (

Many other systems you use will have this too such as Xero accounting, Lastpass password software, and you can also set it up for your website login on WordPress.

Security Of Internet WiFi Connection

If you’re working from home, this is less likely to be a concern, but when you are working remotely and logging in over a free Wifi connection, ideally you should be using a VPN, or Virtual Private Network.

This is a bit of software that sits between you and your internet connection and allows better end to end encryption You can easily, and relatively cheaply, set up tools such as NordVPN, and they often have very steep discounted sales.  When you log in you pick the country you want to appear as being connected from, which can just be your home country.  You may get the odd security alert from systems saying you have logged on from a different location but that’s a good thing.

This may seem like overkill, but I always remember going on a Google Sales course years ago, and a very large agency talked about their Ads Account for a large household name client getting hacked in free airport Wifi.  The end result? About $250,000 in redirected ad spend. !

Digital Platform Logins – Google Account and More

Do you know :

  • a full list of online accounts you have within your business
  • who has access, AND what level of access they have
  • All the logins to your website, analytics, ad account, domain name provider
  • …Google account, and more?

When we start working with clients we are very commonly told something like : 

“Oooh, I’ll have to look around my emails to see if I have a login for that.”

This usually means it will take us ages to get access for what should be a simple task.

As old school and insecure as it is, it makes our lives so much easier (and cheaper for the client) when a client pulls out a spreadsheet of logins.  If you do use a spreadsheet, we recommend password protecting your spreadsheet, and if the password is ever shared, don’t put it in the same email as the spreadsheet link!  Better solutions to this are using password tools such as Lastpass, or even better and more secure, but far less user friendly, an offline equivalent.

We have provided a link to a great spreadsheet as a starting point for you at the end of this article.

It’s not uncommon for us to have a far better handle on the online setups of clients than their internal marketing team either due to a lack of knowledge, or due to us outlasting multiple marketing managers.  This is not a healthy position to be in for a business.

Some agencies still follow the pretty poor practice of not letting you have access to ad accounts, or they’ve set up Google Analytics under their agency account (there’s a way around that now).  If this is the case, you’re being held hostage as they may walk away and you’ll have no data or account history left.

This week I even heard of a business who had paid tens of thousands for a website, were going through phase 2, but the client had had their admin access removed until the project was complete. Unless the client did something crazy and broke the website in the past (it happens), then this is like your accountant having the only log in to your bank account.

Whilst this article was written on the back of the current pandemic in 2020, the same scenario happens if your creative or digital agency goes into liquidation, or shuts its doors.  If you don’t have access to your accounts, it may be impossible to get access to them, especially if you pay them for ad spend as well.

Do you have your Facebook ad accounts set up correctly?  Often even this is sitting in one ad account owned by an individual, who happened to set it up one day when they had some time. Even worse, there are multiple ad accounts for different individuals.

One important element that is very often overlooked is how different accounts are linked together.  We’ve seen a scenario before where a Google GSuite account was deleted, without realising it had full ownership of a YouTube Channel for a well known brand.  Luckily I had the sheer luck to have my Google support call answered by an amazingly helpful American Google employee who went way beyond the norm to get it resolved.  Even in this scenario, the only way we managed to get it resolved was knowing some specifics about the channel from some screenshots I had taken doing some work a few years ago – the client didn’t have these details.

Whilst a spreadsheet is better than nothing, ideally you would use a more secure tool such as LastPass, or other online or offline password management tool.

Use this time to get your foundations and logins all sorted and secure. It will be something which you will be very happy you did, the day someone tried to hack you or the day an employee left. Don’t waste time, act now. 

Digital Logins Spreadsheet – Our Gift To You

So you’ve read all of this, or skipped to the bottom to get the goodies!  

After bringing you up to speed on protecting your digital asset and logins, we’ve supplied a great starting spreadsheet below to get you started on tracking your logins below.

Let us know what you think, and leave any questions in the comments.

Here’s our Digital Marketing Security & Logins spreadsheet.  This is in Google Sheets so please make a copy of it for yourself. Do not request access to it as you can copy it from there.

Now’s the time to start developing those good digital habits. As well as the above, ensure you also have processes in place to store shared assets such as creatives and design files on a shared drive, and not all stashed away in private folders!

Happy organising! 

Darren Craig

Click Here to Leave a Comment Below

Leave a Comment: