How to bulletproof your web agency security policy

Published by Vic Drover

A building block of any web agency is the trust bestowed upon it by the client. A client trusts your agency to deliver secure websites and online services, but it goes far beyond that: most clients automatically assume that your web agency security is also top-notch.

After all, the client is trusting your agency with a number of sensitive credentials. Most importantly, this includes access to their server. It also includes a variety of service providers such as those for transactional email, SSL certificates, CRMs, domain registrars, etc.

Your clients are also trusting that you will give thoughtful, accurate advice, have good hiring practices, prepare for disasters, test emergency mitigation procedures for hacked sites, etc.

Unfortunately, these areas can be easy to overlook. This is especially true for new agency owners who are focused on the technology aspects of building and delivering websites.

So let’s look at some ways you can make web agency security part of your corporate culture so that you can retain and grow the trust you have earned with your clients.

Manage passwords securely

One of the most important features of web agency security is the ability to manage passwords and other credentials on behalf of your clients. Passwords need to be stored securely with excellent access controls and robust collaboration tools.

And if you have more than one client, organizing the passwords for each is essential. This makes it easy to find the credentials you need, but should also allow you to share groups of passwords as needed.

For example, you may have clients assigned to specific staff members. Being able to share a group of passwords to some staff and not others may be prudent.

There are numerous tools for password management available today. Team Password Manager and Passwork are excellent solutions for teams. But depending on your needs, consumer options such as LastPass or 1Password may also be suitable.

Passwork, a team-focused, self-hosted password manager.

We recommend exploring the costs and features of a number of password management tools and choosing the one that best suits your needs. This is a good time to decide if you plan to grow your agency and to pick a solution that will be suitable when you meet your goals.

And if you are storing passwords in a spreadsheet, you should replace this immediately and securely delete the spreadsheet. As you can see in the animation below, deleting the passwords alone may not be sufficient. In this example with Google Sheets, someone with access to your email could easily recover deleted passwords in the version history of the file.

Never store passwords in a spreadsheet or other insecure document.

Use strong password policies

In addition to password security, setting team-wide standards for password strength and change frequency is also very important.

For example, you might decide that all the passwords you use internally are 12 characters long with two numbers and two symbols. You might also decide to change these passwords annually.

Finally, when you part ways with a client, you should have a process to destroy all the credentials for that client.

Most dedicated password managers have secure methods to both generate and delete credentials. And choosing a set day each year to change all your passwords is a great idea. Many agencies do this on World Password Day, the first Thursday in May.
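The example policy above (at least 12 characters, two numbers and two symbols) can be checked and enforced in a few lines. This is an added example, not part of the original article; the function names, the symbol set and the sample vault entries are assumptions made for illustration.

```python
import secrets
import string

# Thresholds taken from the article's example policy; names are this example's own.
MIN_LENGTH = 12
MIN_DIGITS = 2
MIN_SYMBOLS = 2
# Assumed symbol set for generation; trim it to what your services accept.
GEN_SYMBOLS = "!@#$%^&*()-_=+[]{}"


def policy_violations(password):
    """Return the reasons a password fails the policy (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c in string.digits for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numbers")
    if sum(c in string.punctuation for c in password) < MIN_SYMBOLS:
        problems.append(f"fewer than {MIN_SYMBOLS} symbols")
    return problems


def generate_password(length=16):
    """Draw from the OS CSPRNG and retry until the policy is met.

    Rejection sampling keeps every compliant password equally likely,
    unlike forcing digits or symbols into fixed positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + GEN_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def audit(entries):
    """Map each non-compliant entry label to its list of violations."""
    report = {}
    for label, password in entries.items():
        problems = policy_violations(password)
        if problems:
            report[label] = problems
    return report


# Constructed sample data, standing in for an export reviewed on rotation day.
SAMPLE_ENTRIES = {
    "client-a hosting": "correct-horse-42-battery",
    "client-b dns": "Summer2019",
}
```

Running `audit(SAMPLE_ENTRIES)` flags only the second entry, which is too short and has no symbols.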

Use two-factor authentication

These days, 2-factor authentication is common and we recommend it to protect your most sensitive services. At a minimum, be sure to enable 2-factor authentication agency-wide for your email accounts as well as your password manager.

Choose staff and contractors wisely

Another important issue that impacts digital agency security is the members of your team. The trust given to you by your clients extends to your entire team, so you must choose your colleagues, partners and contractors with care.

Especially with the prevalence of overseas contracting firms, be sure to thoroughly vet everyone who has access to your agency data and client resources. And if you are outsourcing to a firm, enquire about their internal policies: be sure to find out how they are sharing your data and credentials internally.

Closely regulate access to resources

The other important team issue is ensuring that everyone has appropriate access to resources. You can achieve this easily using a corporate email system as shown below for Google Drive.

For example, make sure all your staff are using corporate email and not personal email accounts. Not only does this make for a more professional appearance when communicating with customers, it creates a secure and accessible place for any information sent by email.

And if you are using Google Drive (for example), this also lets you restrict access to files and data.

Be sure to use your file access permissions wisely.

And if a person leaves your team, you can transfer document ownership to other team members when accounts are closed.

Don’t share accounts

When accessing client sites and resources, it is tempting to use one account and share it within your agency. But wherever possible, we strongly recommend that you use individual user accounts for each staff person. This will let you track user activity when needed for accountability purposes.

It also allows you to adjust privileges on a per-person basis without affecting other people’s access.

Sharing accounts might be OK for iTunes or Netflix, but not when accessing your clients’ servers, websites and other resources.

Keep agency data private and secure

Keeping all your corporate data both safe and accessible is also an important consideration for web agency security. This includes client data/assets as described above, but also all of the internal documents, workflows, financial and legal information, and anything else your business relies on for its operations.

Today there are many ways to store data that have good control for both sharing and real-time collaboration. Google Suite and Microsoft 365 are popular examples but you must determine if they meet the security and privacy needs of your agency and your clients.

For example, data stored on Google Drive may not satisfy the strict requirements set by many clients in the healthcare industry. If you are serving this market or others with sensitive information, you may need a data storage solution certified for secure, private storage.

For agencies managing sensitive data or with strict data privacy requirements like GDPR, check out NextCloud, the self-hosted productivity suite built for privacy.

Keep redundant backups

Just like your website, all the data in your agency needs to be backed up. We recommend a series of redundant backups stored in both on-site and off-site locations.

RAID-based external hard drives are very affordable these days and make for an excellent local backup, especially when the backups are encrypted.

A number of offsite backup services are available as well. Backblaze is a popular and very affordable option. For an extra fee, they can even send your data to you on a physical drive. This service makes an excellent addition to any Disaster Response Plan (see below).

Secure remote data access

One of the benefits of working at a digital agency is the flexibility of your work location. In general, it is just as easy to perform digital work from your office, a coffee shop, or when working from home.

This may also mean connecting to your network using public WiFi. Depending on your clients’ needs and the sensitivity of the data you store, you may need to consider using VPNs to securely regulate access to your data when outside your local network.

If your agency requires secure, remote data access, consider using either a software VPN or portable hardware VPN.

There are many affordable software VPN solutions available such as NordVPN. Hardware VPNs have an added expense, but tend to provide maximum security and privacy. The InvizBox Go is a well-rated, ultra-portable option.

Make and test a disaster response plan

Another important consideration for your web agency security is your Disaster Response Plan. The best agencies are well-prepared for any number of emergencies such as:

  • A distributed denial of service attack
  • A data-center outage
  • A hacked site
  • A natural disaster
  • Death or serious illness of a team member

In these kinds of emergencies you need to know a lot of information very quickly:

  • Who will do what and when? This may be different depending on the type of disaster.
  • What is the emergency contact information for everyone on your team?
  • What is the contact information for clients? Can you easily email them all at once?
  • What are the login credentials and contact information for your critical service providers?
    • DNS
    • Hosting
    • Data Center
    • Redundant backup storage provider
  • Are 1-time, emergency-use passwords available to the entire team to bypass 2-factor authentication?

And executing an effective disaster response plan can mean the difference in days or weeks of downtime, and can literally save your business. Consider using a disaster preparedness cycle as shown below to make sure you’re ready for the unexpected.

Schedule regular security education and training

Ongoing education and awareness is also very important if you want to build a corporate culture around security. Be sure to regularly schedule:

  • Security-related talks and conferences.
  • Annual compliance reviews and policy refreshers.
  • Annual training refreshers.
  • Means testing to determine weaknesses.

One common example of an agency-related security threat is targeted attacks involving phishing. These attacks use email or text messages to trick you into revealing private information such as an email password.

To harden your agency against these attacks you can use a phishing simulation service like Phishing Box which sends mock phishing messages to your team and monitors if anyone discloses private information. The results of these simulations can then be used to raise security awareness with your staff either individually or as a group.

Tools like Phishing Box help you evaluate security awareness on your team.

Creating a web agency security policy

Web agency security will require thoughtful analysis and consideration of the following topics:

  • Password management
  • Password strength/duration
  • Two-factor authentication
  • Resource access
  • Account sharing
  • Team composition
  • Data security
  • Disaster planning
  • Continuing security education & awareness

Regularly creating and reviewing workflows and policies for each item is the backbone of your security policy.

This policy can even be formalized and used as a selling feature when bidding on new projects.

And with careful planning and implementation, your agency can become as secure as all those great websites you’re building.

Finally, be sure to review your policies regularly so they remain in compliance with the ever-changing laws such as the General Data Protection Regulation.

