Working with marketing and creative agencies can help your business, association, or nonprofit in incredible ways, but it also often means sharing access to sensitive business accounts and data. Examples include email and website hosting accounts, domain name registrars, and CRM or project management software.
As a client, you might focus on the creative results while overlooking critical security considerations that could protect your company or organization from data breaches, account takeovers, or worse.
Unfortunately, most agencies have never even looked at basic privacy and security, and some agencies sell client data to advertising partners or data brokers. As the consumer, it's a good idea to be informed, and to inquire about how your agency protects your data. This article will give you an excellent starting point and references to learn from.
Never Share Passwords Via Email
Email is not secure, especially when you consider that you don't control what the recipient does with their email account. When you send login credentials through email, you're creating a permanent record that could be compromised if either your email account or your agency's gets hacked.
The problem compounds: if your email (or your agency's or designer's email) is breached months later, hackers gain access to every password you've ever shared via email, even for accounts you thought were secure.
If your agency shares email access among many team members or freelancers, all of those people will have access to the private login details for whatever accounts you've shared.
What you should do instead: Use platform-based access permissions whenever possible. Most modern business tools offer ways for you to grant limited access without sharing your master password. If you do need to share your account credentials, we explain how to do it securely later in the article.
Use Platform Access Permissions
Most business platforms now offer secure ways for you to grant access to agencies without compromising your account security:
Domain management: Registrars like Porkbun and GoDaddy allow you to grant specific DNS management permissions to agencies and collaborators. Your agency can then connect your website to your domain without needing your full account password and permissions.
Social media management: Platforms like Facebook, Instagram, and LinkedIn let you add team members or agencies with specific permission levels.
For Kuva Media clients receiving social media management services, we connect to your social media accounts through our social media management platform, which allows you to grant and revoke access to specific profiles at any time.
Advertising accounts: Google Ads and Meta Business Manager let you add agencies as managers while you maintain owner-level control. You can see exactly what they're doing and remove access instantly if needed.
Analytics and tracking: Google Analytics, Google Search Console, and other tracking tools offer user permission systems that let you give agencies access to data without compromising your main account.
When You Must Share Credentials
Sometimes you'll need to share login information for platforms that don't offer granular access controls. When this happens:
Use encrypted sharing tools: Never send passwords through regular email, Slack messages, or text. Use secure, encrypted password sharing tools that automatically expire links and don't store information permanently.
Share the minimum necessary: Only provide access to the specific accounts needed for the project, not your entire digital ecosystem.
Set up temporary access: Create temporary passwords or user accounts specifically for the agency that you can disable when the project ends.
At Kuva Media, we use encrypted sharing systems and follow the cybersecurity principle of least privilege—our team members only get access to what they specifically need for their role on your project.