Going through security settings and user access may not be the most exciting task, but I can assure you that you do not want to spend the time and effort recovering a hijacked account that’s suddenly spending your budget on irrelevant ads.
As more and more can be managed directly from your phone, users tend to open more and more accounts – which often results in reusing passwords. Quite surprisingly (and embarrassingly), here are some of the most common passwords:
123456789, qwerty, password, abc123
A password manager, such as 1Password, LastPass or Dashlane, can help you generate all of your passwords and store them safely encrypted. A strong password is a good start, but unfortunately not enough these days, as users tend to reuse passwords or choose simple ones. Luckily, there are some easy ways to add an extra layer of protection, including:
Two Factor Authentication
Two Factor Authentication (2FA), also known as two-step verification, is an extra layer of security mainly used to protect your accounts from remote attackers. Without 2FA you would be able to gain access to your account by simply entering your username and password. With 2FA enabled, you are prompted to provide a second piece of information, which is usually a temporary six-digit number sent to your phone via SMS or generated by an app such as Google Authenticator or Authy. The app option is safer as your phone is likely to be protected with a screen lock such as fingerprint or advanced face recognition. If a hacker were to come across your username and password, these alone would still not be enough to access your account thanks to 2FA.
Securing your advertising accounts for the most commonly-used platforms
Google offers the possibility to require 2FA to be enabled in order to access your Google Ads account. This can easily be done by heading over to Settings in your Google Ads account, followed by “Account access and security”. Click on the Security tab > Authentication method and then “enable 2FA”. Preferably set a start date to give your colleagues some time to set it up on their own login accounts. Here you will find instructions on how to turn on 2FA on your Google account. Have a look – it’s an easy way to add an extra layer to your Google Drive including Google Sheets, Slides and other applications under G Suite.
Apart from enabling 2FA, we highly recommend you also set the allowed domains to your own and your partners’ domains only. This will limit your account even further and make sure that email addresses outside of your business can’t be added to your account. As an admin you can always change this in the future if you want to grant access to someone with a different domain.
If you move over to the “Users” tab, you can see a list of users with access to your account. Many account owners forget to review user access. We recommend you set up a reminder for every quarter to review this and make sure no unauthorized user has access to your account. The more users you have, the more potential targets a hacker has.
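The quarterly review described above can be partly scripted. The following is an added example, not part of the original article or of any platform's own tooling; it assumes the user list has been exported as CSV with hypothetical columns `email`, `access_level` and `two_factor`, and it uses placeholder domains.

```python
import csv
import io

# Assumption: your own and your partners' domains (placeholders).
ALLOWED_DOMAINS = {"agency.example", "partner.example"}

# Constructed sample export; a real user list will have different columns.
SAMPLE_EXPORT = """email,access_level,two_factor
anna@agency.example,admin,yes
Bob@Partner.Example,standard,yes
carl@agency.example,standard,no
dana@mail.test,read_only,yes
eve@agency.example.login.test,admin,yes
frank@notagency.example,standard,no
broken-address,standard,yes
"""


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def review_users(export_text, allowed_domains):
    """Return (email, findings) for every user that needs attention."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip()
        findings = []
        domain = email_domain(email)
        if domain is None:
            findings.append("malformed address")
        # Exact match only: a suffix or substring test would accept
        # notagency.example and agency.example.login.test as "allowed".
        elif domain not in allowed_domains:
            findings.append("domain not allowed: " + domain)
        if row["two_factor"].strip().lower() != "yes":
            findings.append("2FA not enabled")
        if findings:
            flagged.append((email, findings))
    return flagged


if __name__ == "__main__":
    for email, findings in review_users(SAMPLE_EXPORT, ALLOWED_DOMAINS):
        print(email + ": " + "; ".join(findings))
```

Every flagged entry is a prompt for a manual decision in the “Users” tab: remove the user, correct the address, or have the user enable 2FA.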
As with Google, Facebook also offers the possibility to require 2FA for all of your users to access the Business Manager account. Head over to your Business Manager, click on the hamburger menu followed by Business Settings – or simply use this shortcut.
Next, go to the Security center, and under “two factor authentication”, we recommend that you require 2FA for everyone in order to access the Business Manager account. Here you will find instructions on how to enable 2FA for your own personal Facebook login account.
By analysing database dumps on the Darknet among other sources, “Have I Been Pwned” (HIBP) allows you to check whether your account has been compromised in any data breach. Even if no one has yet tried to log in to your account, your password still might be somewhere out there, and you’re at an even bigger risk if you’ve reused that password across other accounts. Why not do a quick search of your email addresses and see if any of your accounts have been compromised? I also recommend setting up a notification so you receive an email if any of your accounts were to be included in a leaked database dump in the future.