HubSpot’s Three Principles of Security and Privacy
Engage your business in discussions about security.
Often in small to medium-sized businesses, there aren’t people dedicated to thinking about security, which means the responsibility falls to everyone for the business to be secure.
As a marketer, the best way to get conversations about security going is to simply ask. Ask questions of your team and the wider business such as:
what does this mean for the business’ security?
what is the risk?
at what point does the business need to ask for help?
To capture the answers to these questions and begin documenting your company’s security policies, think about creating a security playbook.
A playbook can become your company’s go-to source of security information, compiling all your policies and best practices and even filling in the gaps so everyone knows what to do and where to turn in the event of an emergency.
Another way to always keep your company’s security front of mind is to ask your colleagues: what would your customers say if they knew how well you were managing their data?
At a time when your customers’ trust means everything, taking this approach can really help to provide some valuable context for your security discussions.
Limiting access will always be a balancing act between enabling users to access the information they need and preventing them from accessing all your customer information.
When thinking about who has access to what, the rule of thumb is to only grant access to the information a user needs.
Remember, access can mean external access as well as internal access.
In terms of internal access risks and what to watch out for, many businesses will grant access to their users by making them Super Admins. That means they have the ability to make a meaningful change anywhere in your account, from changing billing details to adding new users and sending emails to all of your subscribers, for example.
Now, if one of those Super Admins gets compromised or even just makes a genuine mistake, your business is at risk.
You know how important your HubSpot account is — and so do HubSpot. To help you keep it safe, HubSpot has introduced granular control over almost every aspect of a platform. Use it to tailor who has access to what to reduce risk and lessen the severity of anything that could happen in your account
So what about external access?
When we’re talking about this in HubSpot, what we’re really discussing is integrations. The right integrations can make your working life so much easier, but they usually require access to your data to work properly.
Take an email integration. It’s going to want permission to read your emails in order to work effectively. How well do you trust that application or software? Does it need that access?
To keep external access clean, regularly review which integrations and tools have access to your HubSpot account.
If an integration has access to your data but it isn’t used anymore, remove it.
Consider regularly rotating your HubSpot API key to make sure its risk of compromise remains low.
Review API key, security activity and login history logs to ensure that you’re aware of who’s accessing your account and what they’re doing.
Multifactor authentification (MFA) is the single best way right now to secure your account. You’re likely familiar with it already, but are you using it for your HubSpot account?
In case you’re not familiar, MFA adds an extra layer of security to your accounts. All too many passwords are easy to guess, and once a password gets out into the world or an account is otherwise breached, MFA is the only thing standing between you and a threat.
MFA in HubSpot:
keeps data safe by requiring a phone or smart device to log in
means that knowing your password alone isn’t enough for a malicious person to access your account
can be easy to manage (and set up as a requirement for all your HubSpot account users) in your HubSpot User Preferences
Make it as difficult as possible for anyone trying to access your account to do so. MFA is the best way to do that.
You might also consider setting up Single Sign-On (SSO). Less well-known than MFA, SSO allows you to log into HubSpot using an identity provider to manage your accounts. It’s simple to set up, takes away all the pain of having multiple logins and passwords to remember, and you can still set important security policies and processes like MFA requirements or restricting log-ins from outside your corporate network using it.
Did you know… HubSpot supports SSO providers that use SAML 2.0, like Okta, Microsoft Azure, OneLogin, and more. SSO is available in CMS Hub, Marketing Hub, Sales Hub and Service Hub, each at the Enterprise level.
How to secure your HubSpot portal: next steps
Of course, we want you to keep your HubSpot account safe first and foremost. But your security is only as strong as your weakest link.
What’s so great about the Three Principles of Security and Privacy is that they can be applied to all your other accounts and applications, too, so wherever your customers’ data is, and whatever technology you’re using, you can stay safe.
To find out more about securing your HubSpot account, or to speak with one of our HubSpot experts, click the image below and get in touch.