PPC advertisers use a lot of data but big data comes with bigger security risks. It’s never been more important to keep your accounts secure and protect yourself from any security breaches.
The risks are increasing all the time, too, as hackers use increasingly advanced techniques, and trends like working from home open new threats. Luckily, PPC platforms like Google Ads have their own security features and guidelines you can follow to keep accounts safe and this article explains what else you can do to protect yourself.
The first step to protecting your PPC accounts is to check the security features and recommendations of each platform. Google has a variety of security features built into its various products (including Google Ads) and it also recommends additional steps you can take to protect your account.
Facebook, LinkedIn and other networks all come with their own features and recommendations so familiarise yourself with each platform.
Here are some of the key steps Google recommends for protecting your Google Ads account:
Account administrators can require all users of their Google Ads accounts to enable 2-Step Verification. When you set up 2-Step Verification, you’ll sign into your account using a password and a second verification step. The second verification step can involve a phone call, the Google Authenticator App, a security key or a text message (SMS).
To help protect your account, you may need to prove it’s you when you try to complete sensitive actions like the following:
When attempting these actions, you may be asked to confirm it’s really you by completing a security challenge such as receiving a security code on your phone.
By adding allowed email domains in your security settings, you can ensure that users from outside your organisation don’t get invited to access your Google Ads account. For instance, if you set “example.com” as the allowed email domain for your account, you’ll only be able to invite [email protected] to the account, but not [email protected].
If many people need to use your Google Ads Account, don’t have them share the same username and password. Instead, grant each person access to the Google Ads account, using their individual Google Account.
Each Google Account can have direct access to up to 20 Google Ads Accounts. Also, keep in mind that if you’re managing multiple Google Ads accounts, a manager account might be a better option for you. You can then give different users access to the manager account, and allow them to access multiple accounts from that single manager account.
Manager account security mandates are minimum security settings enforced on all current and future sub-accounts that a manager account has administrative ownership over. These security settings are available to admin users of manager accounts and can be applied to all current and future sub-accounts owned by the manager.
Obviously, these steps apply to Google Ads specifically but most advertising platforms implement similar features and security advice. Google is pushing security harder than most advertisers, though, so you may find other networks still have some catching up to do.
Here are some useful links to security information for the other major advertising platforms:
Two-step verification (2SV) is becoming the default standard for account protection in Google products. Since 2018, the company has expanded 2SV across its range of products and this now includes Google Ads and Google Analytics.
“When you use Google Ads, you’re trusting us with sensitive information—which is why it’s important to keep it private and safe. Today, we’re making updates to put you in control of your security and ensure you stay protected.” – New security protections for your Google Ads account, Google Ads Help
Increasingly, this is the default setting in Google Ads although this doesn’t apply to all accounts yet. If it isn’t, you can enable 2-step verification by following the steps on this page. You can also opt out of 2-step verification by following the steps at the bottom of the same page but Google strongly recommends using this security setting, especially for Google Ads.
Google is now rolling out the same system to personal accounts and it has seen a 50% drop in hacked accounts since expanding.
Two-step verification (2SV) is a security method that adds a second layer to the log-in process. Once you’ve typed in your details (normally your email/username and password), you’ll be asked to follow an additional step, such as type in a verification code sent to the email address you typed in.
You’ve also likely heard of two-factor authentication (2FA) and it’s already common to use the names 2SV and 2FA interchangeably, but they’re actually two different methods.
Technically, two-factor authentication is a more secure alternative to 2SV because it adds a second step of authentication that requires you to use an entirely different method of authentication – for example, sending a code to another device (SMS message) or scanning a fingerprint.
In the case of Google, its “two-step verification system” is a mix of 2SV and 2FA methods.
Over the months and years, many different people can legitimately gain access to your PPC account. New team members join, old ones leave and others get promoted into and out of roles. You want to make sure that access is always restricted to the people who really need it and the only way to avoid mistakes is to regularly review who has access to any given account.
Doing this regularly will make sure people don’t retain access for any longer than necessary but – more importantly – it will help you identify any access that was never intentionally given in the first place.
In Google Ads, you can easily review and remove access by clicking on the tool icon labelled TOOLS AND SETTINGS in the top navigation menu and selecting Access and security under the Setup section.
Here, you can review everyone who has access to the account and you can remove access by clicking on Remove access under the Actions column.
You’ll find more information on this Google Ads Help page.
Make sure you regularly review user access (ideally, every quarter or more, depending on how many users you have) and do this across all of your advertising networks.
Likewise, you should regularly scan all machines for malware and keep antivirus software up-to-date at all times. This should be standard procedure for all on-site machines used to access your PPC accounts but don’t forget about any devices used outside of the office – an increasing threat as more people work from home or remotely.
We’ll discuss this last point in more detail later.
If your website is compromised, you could find platforms like Google Ads disapprove your ads due to malicious links. Hackers are constantly refining their techniques and working their way around the latest security innovations so it’s important to take this seriously.
Google cares a lot about security, too, and it doesn’t want to send users to infected websites. Not only will the search giant disapprove ads linking to affected sites, it will also remove sites from its organic search rankings to protect users.
As standard, you should take the following steps to protect your website:
Any content management system (CMS) comes with vulnerabilities. As the world’s most popular CMS, WordPress is targeted by hackers more than any other platform of its kind and the open-source nature of its ecosystem comes with additional risks.
Aside from the standard steps listed above, you should also implement the following procedures to protect any WordPress website.
Make sure you work with an experienced WordPress developer when implementing any security changes as mistakes can bring your whole site down.
We’ve touched on remote working and working from home a little in this article but more companies are moving to flexible working patterns so this point is becoming increasingly important.
Remote working and working from home can be just as safe as time spent in the office, as long as you and your team understand the potential risks:
All of the risks listed above – and any other potential security issues associated with working outside of the office – are relatively easy to mitigate. First, you need to make sure your team members understand the potential risks and provide training on how to avoid security breaches.
Public WiFi is the obvious example of an unsecured network but private networks are easily compromised, too. So your priority should start with ensuring your staff’s home networks and any devices they’ll use on them are as secure as possible. From there, you can develop guidelines to protect your PPC accounts and any other sensitive information.
For example, you might warn team members against working in cafes and other public settings if they’re going to use any sensitive information, such as logging into or using Google Ads. You might even want to provide your staff with devices specifically for work purposes – machines that you can customise and protect on your own terms.
If you have any concerns about the safety of your PPC accounts, call us on 023 9283 0281 or fill out the contact form and we’ll be in touch.
Chantelle is a PPC Specialist at Vertical Leap.
Looking for evidence-led search marketing expertise?
Categories: Content Marketing, PPC, SEO, Social Media
Categories: Office Life
Categories: Machine Learning, Martech
Categories: Content Marketing, SEO
Categories: Data & Analytics, Data Science