Security for marketers: An essential guide

If you’re a marketer you’ll be familiar with analytics, creating content, scheduling social media posts, and working your way around a CMS.

But how much thought do you give to security?

A company’s website and social media channels are its face and voice – arguably things you wouldn’t want in the wrong hands.

Security is a huge and vital topic, but for the purposes of this post I’m going to talk about a few simple steps that marketers can take to protect their key channels of communication and keep their data safe.

A company’s reputation is important and, as a marketer, you are the first line of defense. Here are some things you can do to strengthen that defense.

Limit who has access

As a rule, I’d suggest that the fewer people who have admin privileges or access to social media accounts, the better.

Steps to take:

  • Have a clear idea of who is in charge of what within the marketing team. This will help determine access rights and privileges.
  • Designate a person to set up new users and remove admins/change passwords when staff leave. I would recommend this be the marketing manager.
  • Website backend: Access a list of all users. Delete anyone who is no longer with the company and keep admin to key people only – eg. marketing manager, web designer etc. People who post blogs or other content, but who won’t need to make major changes to the website can be set up as contributors.
  • Twitter: The company Twitter will have one password that is shared. This should be limited to those who will be directly responsible for running the account – eg. the social media exec and possibly the marketing manager. Accounts with shared passwords can cause issues, as it’s harder to track who is doing what. Limiting access to just the key players will help to mitigate that risk.
  • Instagram: Same as Twitter.
  • Facebook and LinkedIn: The marketing manager can set up new starters as admin/editor/author of the company’s business page. Again, I would suggest not everyone needs full admin privileges. Remember to remove people when they leave the company.
  • Passwords and user credentials that are shared between staff should be kept safe – use a reputable password manager for this.
  • Different companies will store their data in different ways – whether that’s a shared drive on the company server or entirely on Google Suite – but the key principle remains the same. Access should be limited to the people who need it!
  • Change shared passwords – eg. Twitter, Instagram – whenever a member of the team leaves. This should be done as a priority.  

Tip: When changing passwords, aim to change them to something completely different. For example, don’t change from marketing1 to marketing2 – this would be very easy for someone who had the old password to guess. This is just an example – for the love of all that is holy, please don’t use “marketing1” as your password!

I’ve seen it happen a surprising amount that the HR department has access to absolutely everything in terms of social media accounts and the website. This is never necessary. As a rule, if the person won’t be using a particular platform or tool as part of their day-to-day role, they don’t need access to it. It should also go without saying, but don’t share the login credentials to your PC with anyone else in the business – you should never be asked to do this, not even by IT or HR. 

Note: A lot of marketing teams will do work with external agencies, which could require people from outside of the company to have access to things like the website. Risk can be mitigated by only working with reputable third parties, tailoring the level of access in accordance with the job at hand, and removing access rights after the job is complete.  

Ensure staff don’t use their individual email accounts as login credentials

Rather than setting up a shared account (for example Hootsuite) using [STAFFNAME]@[COMPANY].COM as the user, try to use a generic, unchanging company email address. Remember to store these credentials in your password manager!

If possible, have a couple of generic marketing@/digitalteam@/webmaster@ email addresses that can be used when signing up to other platforms and services.

Note: Think carefully about who should be included in these generic email lists. For example, marketing@/webmaster@ etc. should only include the relevant players within marketing, and not everyone within the company will need access to the wider lists such as admin@/info@ etc.

Where mobile numbers are needed for things like 2FA or to verify accounts, try to use a company mobile where possible. In an ideal world, I think marketing managers should be issued with a company mobile phone; however, I appreciate that realistically personal numbers will need to be used sometimes. It’s worth keeping on top of whose numbers are being used and making sure a new number is used when that person leaves the company.

Nothing is more frustrating than joining a new team, trying to log in to important accounts and discovering that the email address or phone number is for a member of staff who left a year ago.

Try to keep a record of all accounts that are used on a regular basis

There are potentially lots of other platforms that may be used by a marketer – Canva, Adobe Creative Suite, Buffer/Hootsuite/Sprout, Trustpilot, Mailchimp, to name a few.

It’s worth keeping on top of what is being used on a regular basis and by whom, while keeping all the above safety tips in mind.

Someone should keep a spreadsheet of every platform that is used by anyone within the marketing team, with notes about what it’s used for*. As with everything else, designate one person to manage this and make sure passwords are changed when needed and kept secure (I like to call this role the “Keeper of the Keys”).

*Note: Usernames and email addresses for each of these platforms should be stored in the password manager.

Set up a crib sheet for new starters

I firmly believe it’s a great idea to have a cheat sheet for all new marketing starters. This would include the following information:

  • Key people within the company, with special focus on anyone that marketing will work closely with
  • Who is in charge of what within the marketing team
  • The above spreadsheet of key online accounts and what they’re used for
  • Key suppliers – printers (brochures, business cards etc), exhibition stand designers, merchandise suppliers (ideally with contact info for the account manager)

Don’t ignore warnings

Those warnings that sometimes pop up in your emails – “Recent login from [LOCATION (usually an odd or unexpected place)]”?

Don’t ignore them.

Quickly ask around (another great reason to have a list of who should have access to what within the company, especially if you have a particularly large team) to firstly make sure it wasn’t a legitimate login. Perhaps a member of the team is on holiday but thought they’d check the company Twitter (nerd alert!), or someone may even be legitimately accessing an account through a VPN that shows a strange location. But if you can’t quickly figure out who’s accessed the account, don’t take chances.

If in doubt, change the password and update your password manager. Drop a quick email to the relevant people to notify them of the change, so they don’t attempt to log in with the old credentials.


Things every marketing department should have:

  • Crib sheet that contains key information about the company, and who is responsible for what within the marketing team
  • A password manager to keep shared credentials safe and secure
  • Spreadsheet that details key platforms used by the marketing team (eg. Adobe Creative Suite, Canva, Hootsuite) – login credentials to be stored separately in the password manager
  • Spreadsheet that details key suppliers (eg. business card printers, exhibition stand designers, merchandise suppliers) – login credentials to be stored separately in the password manager
  • A designated “Keeper of the Keys” – this person (likely the marketing manager) will be in charge of updating these spreadsheets, managing users and assigning privileges, adding new starters and removing leavers from the CMS and social media accounts, and changing passwords when staff leave
  • The key platforms and supplier accounts mentioned above should be linked to those generic company email addresses, to reduce the risk of accounts being tied to specific members of staff who may later leave and have their email inbox closed
  • Train staff on the importance of being careful with credentials, set good practices in place – no sharing of personal credentials or giving access to people who shouldn’t have it etc.
  • Try not to tie personal mobile numbers up in company accounts. Ideally try to request a marketing team company mobile phone.
  • Don’t ignore security warnings – if it looks like someone is trying to gain access to your accounts and you are in any doubt about whether it’s legitimate, change your password!

DISCLAIMER: I am not a security expert. I have written this post to share examples of best practice and tips I’ve picked up during my time as a marketer. If you have any questions, or don’t know how/if you should implement any of these suggestions within your own company, please speak to your IT department.

Mental health and lifestyle blogger. Originally from Sussex, now living in sunny Bournemouth. Always up for a good chat.
