Have you spent any time to think about what your agency is doing with your intellectual property? Who, exactly, has access to your ads account, website, and customer data? And, what does your agency do to ensure your data is actually being protected from hacking?

And, what happens if your agency does something really stupid with your campaign like spend 100x as much as your agreed budget?

There are several elements to ensuring you and your invaluable data is protected. The article will go into depth about ad agencies and security matters.

ad agencies and security

Security Policy

Your company should have a security policy and your agency should have one too. The policy should provide rules and procedures for user logins, data storage, firewall, backup systems, and so on. These are must-have basics that will ensure your valuable data doesn’t go missing or get hacked.

Agencies should only allow authorized employees to view your company data. For instance, the bookkeeping department doesn’t need access to your marketing strategy, but probably need access to your ad spend.


Your agency may have the best intentions and nearly bullet-proof security measures, but nothing is fool-proof. Protecting your company legally provides a recourse when all else fails. Ensure you have the following legal pieces in place to protect your intellectual property (IP).

IP agreement

Your agency should address IP in their terms & conditions agreement or contract. If not, you should have them execute a separate IP or NDA (non-disclosure agreement). This will give you legal options should the agency disclose information you don’t want to be in the public domain. This could be as simple as dropping your clients’ names to a competitor or publishing your campaign details in a case study without your approval. Additionally, it will protect against the agency claiming ownership of IP, such as creative designs, that should belong to you.

Professional liability insurance

Your ad agency should carry a professional liability policy, also known as errors & omissions insurance. This policy protects the agency from mistakes that impact your business as their client.

The most common example is running creatives that negatively impact your company’s image. In addition, it’s pretty easy to make an error when setting budgets and have huge overruns in ad spend. Being backed by an insurance policy provides an “out” for both the agency and you in case something goes terribly wrong with your campaigns.

Cyber insurance

Cyber insurance protects your agency from various forms of hacks to systems they rely on for operations along with proprietary data stores. The insurance money can assist an agency to get back up and running quickly after such an attack, meaning less downtime for your campaigns.

Account Access

Your agency requires access to many important company assets such as your ad accounts, website, social media profiles, and more. Here are some tips for ensuring exposure is minimized.

Ad Accounts Access

Having your ads account hacked will lead to multiple disasters. First, the hacker is going to spend your money. Getting reimbursed by the ad platform probably won’t happen. You might get reimbursed by your credit card company if you’re lucky. The hacker may also decide to delete your campaigns to “clean” up your account before doing their bad deeds.

Worst of all, if the hacker runs unscrupulous ads your account may be suspended. Getting an ads account unsuspended can take weeks or months, and in some cases, you will be permanently banned. Unfair, yes, but it happens all too often.

Most ad platforms offer a way for agencies to connect to your accounts other than adding them as a new user. Importantly, all your ad platform and tools accounts should belong to you. If you choose to stop working with your current agency, you can easily disconnect them and start working with somebody else quickly and easily.

In the case of Google Ads and MS Ads, agencies can gain access using their Manager account. In the case of FB Ads, you can add your agency as a partner, and then give them access to the appropriate ad account, page, and pixel assets.

All major ad platforms support two-step authentication. If you haven’t turned this on, do so right now. Two-step authentication adds another layer of security beyond passwords. In addition to entering a valid user ID and password combination, the login device must be authorized. Authorization can be done in different ways, but most often by initiating a call or text with a PIN code.

Access to your website

Most content management systems like WordPress allow you to set up as many users as you wish and to give different access rights as are needed for their role.

Do not share user accounts with your agency or other people. Always create a dedicated account for each user that requires access. Review your user list on a regular basis and remove or at least demote access rights for users that probably won’t need access for the foreseeable future.

If you work with Shopify, your agency can now connect through their Shopify Partner account. This is a safer way for them to connect and doesn’t take up a user slot in your account.

You should take other precautions to protect your website too. Consider using a different login URL than what’s provided as standard. Set up a CDN (content delivery network) such as Cloudflare and use security software to protect yourself from hackers.

Access to other assets

You most likely use Google My Business, Google Analytics, Google Tag Manager, and/or a bunch of other tools to help manage your website and online profile. Follow the same rules as above for providing access to these tools.

If your agency is going to set up citation links for you such as Google My Business, Yelp, Bing Places, Yellow Pages, etc., ensure they provide you with the login details.

Quality Control

We’ve seen major brands run nonsensical or even embarrassing ads due to creative mishaps. Nobody’s perfect, but having a consistent ad creation process can dramatically reduce the incidence of errors. Furthermore, regular campaign monitoring can help avoid budget overruns, downtime, and other issues.

Creative quality control

Your agency should have a process in place to ensure the quality of creatives. A simple step all agencies/freelancers can take is to use a spellcheck/grammar solution such as Grammarly, to ensure ad copy is error-free. Even so, Grammarly doesn’t catch everything. If ad copy is super important to you, your agency should offer you a way to review and approve new creatives before activation.

Campaign quality control

Good agencies perform internal peer reviews, which is essentially a periodic audit of your account. The audit may identify issues that may be missed by your account manager as well as opportunities and ideas for improving performance.

Campaign performance monitoring

At a minimum, your account manager should be checking top-level KPIs several times a week. And, always the day after making any budgetary or major bid changes. At Ten Thousand Foot View, we’ve built a custom dashboard and check every account first thing each morning.


Working with an agency that doesn’t take security seriously won’t be a problem until it’s suddenly a big problem. It can be enticing to work with somebody that offers you the best price, but those agencies often do so because they fly by the seat of their pants.

Always consider security and reliability when choosing your agency. And, if you’re already working with somebody now may be a good time to see how they are handling your IP.