Working with an agency involves trust. You trust the expertise of your agency partner to help you execute on your business goals. You trust your agency to work efficiently on your projects. You trust them to advocate on your behalf. And just as crucially – but often overlooked – you trust your agency to protect access to the variety of critical IT systems you grant them access to. Yet many agencies don't fully appreciate how important their own information security policy is to protecting their clients.
Here are the five warning signs that your agency partner doesn't take the safety of your IT systems seriously. If you notice even one of these with your agency partner, you should consider a security review to improve the situation.
Warning sign #1: Agency employees don't use secure password managers
We all have too many passwords to possibly remember, and no one is expected to remember them all. It's important to require that your agency use a secure method to store passwords and sensitive information. The critical point is that some system[1] is in place, or gets implemented, that requires its employees to store passwords and sensitive information in encrypted form.
Warning sign #2: Computer hard drives aren't encrypted
Without physical security there is no network security. Laptops will get stolen or left behind in public places. If your agency isn't fully encrypting the hard drive of every machine in its network, then every time a laptop is lost or stolen, all the information stored on that laptop (source code, cache files, client documents, etc.) is potentially exposed.
Warning sign #3: Employees don't get security training during orientation
Keeping networks secure is an ongoing process composed of policies, engineering discipline, culture, and assessing risk. If your agency doesn't train its new employees to think about security daily and understand the risks, then they aren't creating a culture of security that will continuously work to safeguard their data – and yours.
Warning sign #4: Computers don't require a password to stop the screensaver
Every work laptop should require a password to leave screensaver mode. Computers get left unattended, and powered on, all the time.[2] It only takes a few moments to install malware that can undermine pretty much all of your efforts to secure a machine.
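Warning signs #1, #2 and #4 are all things a client can verify from a device inventory rather than take on trust. The following is an added example (not code from the original article or from TAG) of a small audit that reads an inventory export and flags every machine that lacks full-disk encryption, a password-protected screen lock, or an approved password manager. The record layout, field names, app list and the five-minute lock threshold are assumptions chosen for the example; the inventory itself is a constructed sample.

```python
"""Audit a workstation inventory against the laptop policy described above.

Added example, not from the original article. The record layout in
SAMPLE_INVENTORY is an assumption (roughly what an MDM export might contain);
the data is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Policy thresholds (constructed values for the example).
MAX_LOCK_DELAY_SECONDS = 300  # screen must lock within 5 minutes of idle
APPROVED_PASSWORD_MANAGERS = {"dashlane", "1password", "bitwarden", "keepassxc"}

# Constructed sample inventory: four laptops with different settings.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"host": "laptop-01", "disk_encrypted": True, "screen_lock_requires_password": True,
     "screen_lock_delay_seconds": 120, "installed_apps": ["Dashlane", "Slack"]},
    {"host": "laptop-02", "disk_encrypted": False, "screen_lock_requires_password": True,
     "screen_lock_delay_seconds": 120, "installed_apps": ["1Password"]},
    {"host": "laptop-03", "disk_encrypted": True, "screen_lock_requires_password": False,
     "screen_lock_delay_seconds": 0, "installed_apps": ["Slack"]},
    {"host": "laptop-04", "disk_encrypted": True, "screen_lock_requires_password": True,
     "screen_lock_delay_seconds": 1800, "installed_apps": ["Bitwarden"]},
]


@dataclass
class Finding:
    host: str
    failures: List[str] = field(default_factory=list)


def check_device(device: Dict[str, Any]) -> Finding:
    """Apply each policy rule to one inventory record and collect failures."""
    finding = Finding(host=device.get("host", "<unknown>"))

    # Warning sign #2: every drive must be fully encrypted.
    if not device.get("disk_encrypted"):
        finding.failures.append("full-disk encryption is off (warning sign #2)")

    # Warning sign #4: screen lock must require a password and engage quickly.
    # A missing delay value is treated as non-compliant rather than ignored.
    if not device.get("screen_lock_requires_password"):
        finding.failures.append("screen lock does not require a password (warning sign #4)")
    elif device.get("screen_lock_delay_seconds", 10**9) > MAX_LOCK_DELAY_SECONDS:
        finding.failures.append(
            f"screen lock delay exceeds {MAX_LOCK_DELAY_SECONDS}s (warning sign #4)")

    # Warning sign #1: an approved password manager must be installed.
    apps = {name.lower() for name in device.get("installed_apps", [])}
    if not apps & APPROVED_PASSWORD_MANAGERS:
        finding.failures.append("no approved password manager installed (warning sign #1)")

    return finding


def audit(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Return only the devices that failed at least one rule."""
    return [f for f in map(check_device, inventory) if f.failures]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding.host)
        for reason in finding.failures:
            print("  -", reason)
```

Run against the sample, laptop-01 passes, laptop-02 is flagged for encryption, laptop-03 for both the unprotected screen lock and the missing password manager, and laptop-04 for a lock delay of thirty minutes. The same rules can be pointed at a real export as long as the field names are mapped to whatever the inventory tool actually emits.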
Warning sign #5: Checklists aren't used to launch web sites
The power of checklists to dramatically reduce errors is well known and documented. Checklists provide tremendous value when you have to perform similar tasks repeatedly that can't, for whatever reason, be automated away. Launching a new website is a complex task frequently composed of fifty or more steps that can't be automated. Mistakes in a launch will cause security issues if important security steps are missed.
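Even when most of a launch checklist has to be done by hand, the security steps that can be verified from the site's own responses are worth encoding so they cannot be skipped. The following is an added example (not code from the original article or from TAG) of a launch checklist whose security items are executable checks: the HTTP to HTTPS redirect, an HSTS header with a long enough max-age, Secure and HttpOnly flags on the session cookie, no debug output on error pages, and no software version in the Server banner. The `Response` class, the checklist names and the minimum HSTS age are assumptions, and the `STAGING` responses are a constructed fixture standing in for what a real client would fetch from the staging host.

```python
"""Executable security steps of a website launch checklist.

Added example, not from the original article. The Response class is a minimal
stand-in for an HTTP client response; the STAGING fixture is constructed and
deliberately fails three of the five checks so the report shows both outcomes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MIN_HSTS_MAX_AGE = 15552000  # 180 days, an assumed policy minimum for the example


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for an HTTP response (not a real client)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Each checklist step returns (passed, detail) so the report can explain a failure.
def http_redirects_to_https(resp: Response) -> Tuple[bool, str]:
    location = resp.header("Location") or ""
    ok = resp.status in (301, 308) and location.startswith("https://")
    return ok, f"status={resp.status} location={location!r}"


def hsts_present(resp: Response) -> Tuple[bool, str]:
    hsts = resp.header("Strict-Transport-Security") or ""
    max_age = 0
    for directive in hsts.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                max_age = 0
    return max_age >= MIN_HSTS_MAX_AGE, f"max-age={max_age}"


def session_cookie_flags(resp: Response) -> Tuple[bool, str]:
    cookie = resp.header("Set-Cookie") or ""
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}  # skip name=value
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return not missing, f"missing={missing}"


def debug_mode_off(resp: Response) -> Tuple[bool, str]:
    markers = ("traceback", "stack trace", "debug = true")
    found = [m for m in markers if m in resp.body.lower()]
    return not found, f"found={found}"


def no_server_version_banner(resp: Response) -> Tuple[bool, str]:
    server = resp.header("Server") or ""
    return not any(ch.isdigit() for ch in server), f"server={server!r}"


# (checklist item, which fixture response it inspects, check function)
CHECKLIST: List[Tuple[str, str, Callable[[Response], Tuple[bool, str]]]] = [
    ("HTTP to HTTPS redirect", "http_root", http_redirects_to_https),
    ("HSTS header", "https_root", hsts_present),
    ("session cookie Secure+HttpOnly", "login", session_cookie_flags),
    ("debug mode disabled", "error_page", debug_mode_off),
    ("server version hidden", "https_root", no_server_version_banner),
]


def run_checklist(responses: Dict[str, Response]) -> Dict[str, Tuple[bool, str]]:
    return {name: check(responses[key]) for name, key, check in CHECKLIST}


def ready_to_launch(results: Dict[str, Tuple[bool, str]]) -> bool:
    """Launch is blocked unless every security step passed."""
    return all(ok for ok, _ in results.values())


# Constructed fixture: a staging site that is NOT ready to launch.
STAGING: Dict[str, Response] = {
    "http_root": Response("http://example.test/", 301, {"Location": "https://example.test/"}),
    "https_root": Response("https://example.test/", 200,
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                            "Server": "nginx/1.18.0"}),
    "login": Response("https://example.test/login", 200,
                      {"Set-Cookie": "session=abc123; Path=/; Secure"}),
    "error_page": Response("https://example.test/missing", 500,
                           body="<h1>Traceback (most recent call last)</h1>"),
}

if __name__ == "__main__":
    results = run_checklist(STAGING)
    for name, (ok, detail) in results.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
    print("ready to launch:", ready_to_launch(results))
```

On the fixture the redirect and HSTS items pass while the cookie (no HttpOnly), the error page (a traceback in the body) and the Server banner (a version string) fail, so `ready_to_launch` returns False. The manual steps of the launch stay on the written checklist; the point of the script is that the security items which can be tested never depend on someone remembering to test them.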
[1] We love Dashlane at TAG, but there are many good solutions.
[2] One of TAG's cardinal rules is: if you can't see your computer, it should be locked.