Sign up to our newsletter
We’ve all heard the stories of ex-employees going rogue on social media accounts. Jared O’Mara, a UK member of parliament (MP), found out the risks to his cost when an employee dramatically resigned by tweet. The employee used the MP’s own Twitter account (which he had access to) to accuse him of having “a vile, inexcusable contempt for the people who voted you in.” Ouch.
For that reason, many companies have robust enterprise password management systems in place to remove social media access when employees leave. However, when a PR or marketing agency and client relationship comes to an end, you don’t see anywhere near the same level of due diligence. How do I know? Well, over the years, I’ve been left with access to lots of former clients’ social and other platforms that I definitely shouldn’t have. And what’s more, so have many of my colleagues.
What typically happens is the PR agency and client part ways and access doesn’t get switched off. ‘Surely it’s up to the agency to switch off access?’ I hear you cry. Well, yes, if the agency can control admin access, then they should switch it off as part of the handover process. It’s where the agency doesn’t have this level of control that it becomes more of a grey area.
Now, not all agencies are built equally and I’ll be the first to admit that mistakes happen agency side. But in my experience, many of the big issues happen on the client side, where they control admin access. What typically happens is admin access or password management is controlled some someone junior in the in-house marketing or PR team. For whatever reason – other priorities or people leaving etc. – it falls through the cracks. While a departing PR / marketing agency should remind the client that they still have passwords or login access, the truth is they aren’t going to bust a gut to keep reminding them. If the agency doesn’t have the authority, the responsibility sits squarely with the client.
You might argue, ‘what’s the big deal anyway?’ Agencies and their employees aren’t likely to trash former clients or go rogue on client platforms, even if the relationship ends badly. For one, it’s not exactly the best advertisement for an agency if you are willing to go ape sh%t over a former client’s LinkedIn feed. While that’s undoubtedly true, lax password management does pose other issues. Many agencies go onto work with competing brands and it’s not beyond the realms of possibility that a PR agency could stumble over a notification or engagement that gives insight into content strategy.
It’s not just enterprise password management around social media platforms that’s the problem either. A quick straw poll of friends and (ex)colleagues for this blog, revealed that most had had access to platforms – like Google Analytics, pay per click, marketing automation, CMS software or wiki pages – long after the relationship finished. One ex-colleague told me they still had access to the compliance system of ex-client even though they now worked for a direct competitor. If they want to (they don’t), they could check every piece of content and the competitor’s edits for the last few years.
Surely that’s market intelligence that needs to be kept safe? I can’t think of many cases where an organisation would be happy to leave open details like spend, content plans and marketing strategy open for all to see. What’s more, it leaves organisations open to security hacks. If the data of the third-party agency is hacked and passwords are comprised, it makes it much harder for IT teams to stem the source of the data. It’s the type of thing that I think trade bodies like the Chartered Institute of Marketing (CIM), Chartered Institute of Public Relations (CIPR) or Public Relations Consultancy Association (PRCA) should be talking up to build awareness and action. Except very little is ever done. It’s like a dirty little secret that the industry knows about, but is happy to let continue – until of course, it all goes wrong.
So what’s the answer? Well, it isn’t to switch off access to agencies or third-parties entirely. Having access to the likes of Google Analytics and marketing automation platforms is vital for both agencies and the client to understand metrics like the performance of content or the best channels to place content. It just requires more care on both sides to manage this access.
Here are a few tips for client-side teams when it comes to enterprise password management:
- Carry out a review – do a review of all your logins that agencies could have had access to. Start with a list of all the tools/ systems you currently use. These often include social media platforms, webhosting/ WordPress, marketing automation, domain name registration sites, online FTP sites, compliance sites and wire distribution services. Then go in manually to check who has admin access.
- Treat your ex-agency staff like a ex-employee – keep a record of who within your agency has access to what tools. Activate the same procedures you would do when an employee leaves. A good idea is to create a checklist for third-party suppliers.
- Use a password management tool – tools like LastPass and Dashlane will help you to set and share passwords efficiently. Crucially, they let you manage password access centrally. This will give you more oversight of who has what and will make the whole process a lot simpler and more transparent in the future.
- Regularly update your passwords – make sure your password goes beyond ‘password123’ and keep changing them every 3-6 months. Password management tools can often help create randomized passwords and will update them for you automatically.
- Assign password oversight beyond the PR/ marketing team – this could be your IT team or office manager who has direct responsibility for adding and removing access. Avoid leaving that responsibility solely within the marketing and PR teams.
So avoid nasty surprises and become password happy. Yes, enterprise password management isn’t exciting but it could save you a lot of hassle in the long-run.
To find out more about our PR and marketing services, drop us a line at email@example.com or visit our Contact Us page.Sign up to our newsletter