Episode 110: Security Series #2 Protecting Your Business Manager

Key Highlights Who should you also allocate admin access to?

Jody Milward

Key Highlights

  • Who should you also allocate admin access to?

  • What to do with people who still have access to your Business manager and shouldn’t

  • What to do with Partners you’re no longer working with

  • Which ad accounts to keep and which ones to remove

  • How to minimize the chance of unauthorized spend on your ad account (and your clients!)

  • The Facebook page settings to also check



Is your business manager set up to avoid getting hacked as much as we can? Well, that’s what we’re talking about in this episode of Online Confidential, where I take you behind the scenes to talk about ‘Secret Ad Manager’ business.

In a previous episode of Online Confidential, we looked at our own personal security, helping to get all those systems in place to prevent our personal profiles getting hacked, because that’s what gets compromised, and it’s those personal profiles that come into our business manager and cause trouble.

If you haven’t seen that episode, head back, it’s the Security Series episode number one, Personal Profiles, and make sure that you and your team have those things set up. We want to make sure our business manager is as secure as possible. We know it’s not foolproof. We have Facebook’s two-factor authentication and then that’s all that we’ve got.

We make sure our personal profiles are secure, and now we work on our business manager to make sure that in case anyone gets in there, that they can cause as little damage as possible. So how do we do that?

How to make your Business Manager as secure as possible

First of all, make sure that two-factor authentication is turned on for your business manager.

Yes, team members and yourself have set that up, but you want to make sure that anyone that comes into your business manager has that set up.

So you’ll be going into your business settings and you’ll be able to go down to your business information. That’s where you will go down and check the little box there or toggle the little slider across to make sure that anyone who is admitted to your business manager has two-factor authentication, 2FA, is turned on.

Who access to your Business Manager?

Then you can go up to your whole business manager settings there and you are going to look at ‘People’ and that’s where you’re going to see the list of people who have access to your business manager. If they don’t have two-factor authentication turned on, it will tell you. There’ll be little red words there that they don’t have it turned on.

So you’ll need to follow up with them if that’s the case. While you’re there at the ‘People’, you will see a little icon of a shield most likely against your name if you are the admin, which I hope you are.

You do not want to be the only admin of your account. If your personal profile gets compromised you can be tossed out of that business manager and you do not have any more access to it.

So make sure you invite someone else as an admin to your business manager, someone you can trust, someone who you can get on a Zoom with, or sit down at the kitchen table and get into that business manager so that you can still see what’s going on, what damage may have been done, and how you can resolve that.

Do not be the only admin of your business manager. Invite someone else in, someone who you trust, and they also have admin access. This can be purely for that backup. They don’t have to be in there and doing anything, but they are there to help get you back in, in case you get locked out.

So while you are there, with the ‘People’ and you see who’s got admin access and you’ve got someone else as an admin, see who else has access to your business manager. Are there team members, contractors, other people who still have access to your business manager that shouldn’t have? Remove them, make that a regular process to be checking that and removing people who do not need to be accessed to your business manager. You do not want them in there. Remove any access that shouldn’t be there.

Remove old partners

Next, you also want to go down to ‘Partners’. What other business managers have you partnered with? Remove them from your business manager as well. We want to keep things as narrow as possible for anyone to try and slip through.

Also while you’re there, check the ‘Pages’. What pages do you have access to? Because if someone were to come in, we don’t want them to have access to all these assets they can then run rampant with and hack. So if there are pages that you’re no longer working with, remove those as well.

Now let’s look at our ad accounts.

Give your ad account a thorough tidy up

This is where a lot of damage is done and where hackers come in and they just throw up really random ads and rack up huge bills. Once upon a time, with a lot of ad managers and agencies, there was this fear that we couldn’t create ad accounts. So we went through and just created all these ad accounts.

What could be a problem here for you, aside from being hacked? And this is a bit of a side note. Is that if your ad accounts aren’t being used, then Facebook can just shut them down. And what would happen then if you had, if you had accounts all shut down at once, it could shut down your business manager.

So while you are here turn off, close, any ad accounts that you may have that are not being used, that have never been used, so that your business manager just doesn’t get shut down when Facebook does a sweep of ad accounts that aren’t being used.

That’s a side note to remove those ad accounts that aren’t being used.

Now with other ad accounts that are there that you may not be using, but they have billing information, remove the billing information if you’re not using them. Because that way the hackers can’t get in and there’s bang, an account with a credit card or PayPal details attached that they can just suddenly run ads from.

So if it’s an older account and you still want to keep the data, but you’re not actually using it, go and remove the billing information. Now, when you do that, you will need to pay any outstanding balances. So you’ll just need to wear that, pay any outstanding balances you have and that will take away that credit card.

If it’s an account that you don’t need anymore and you aren’t actually using, again, so it doesn’t get shut down by Facebook and possibly get your business manager disabled, consider closing it. If you do not need the data. If you do not need access to it, just tap on the little three buttons there, close the account and in a couple of days time it will be closed.

That’s one less thing for you to worry about. So here, we’re closing down dormant ad accounts and removing billing information from any ad accounts that we’re not actively using.

Now while we’re talking about ad accounts, a lot of us have personal ad accounts that were used before the days of business manager so make sure you check your personal ad account as well.

Where to remove payment method information

Go in there, remove any billing information that you have in your personal ad account as well, because that could be one that’s just sitting over on the side because it’s not really incorporated with our business manager. It’s just sitting over there. Make sure you remove the billing information from there as well. Keep that one secure.

Now while we’re also talking about payment methods, when you set up a business manager, you may have been prompted to add in some billing information for your business manager. That’s not really necessary because your ad account is typically where you will set up your payment method for your ad account.

So if you’ve got three different ad accounts, it could have three different payment methods. So if you have set in a billing method for your business manager, and you’re not using it because you’re using it via the ad accounts, remove those payment details from the business manager as well.

So now that we’ve got our ad accounts tidied up, we’ve removed billing methods so that as less damage as possible could be made, if the unfortunate ever does happen. We want to go down and we want to turn on notifications.

We want to know if any activity is happening in our business manager, like new users have requested access to it, or any changes that have been made in the business manager, especially if we’re not making them. So make sure in your business manager, turn on as many notifications as you can.

Remove any Facebook Pages you don’t need access to

Another place to look when it comes to assets is on the page itself in the newsfeed. So this one is actually outside of business manager. While we can access pages in business manager and our clients may share their page over to our business manager, and that’s how we connect our ads to it and such.

We also need to remember that in the page, over on Facebook in the Settings is where there are page roles assigned. So again, this is another place to look to keep our page secure and see who has access to our page, not in the business manager, but on the page itself, in the page settings, and remove people who should not have access to the page.

Narrow it down, keeping it as narrow as possible so that we don’t have this big, wide potential breach area for people to hack and get into our assets.

Also, check what apps are connected to your page. Are there apps that you’re no longer using? Remove those from the page.

There’s some tips for you for your business manager to keep it secure. First of all, it all comes back to our personal profiles being secure as much as possible two-factor authentication and a strong password.

So head over and watch video number one about personal profiles in the Security Series for the tips to make sure your personal profile is secure. Then in business manager, we need to turn on two-factor authentication for anyone who has access to our business manager. We also want to turn on notifications so that we know of any changes to our business manager, anyone requesting access, anyone changing permissions, et cetera.

You also do not want to be the only admin of your business manager, so have someone who you trust as another admin for your business manager in case the worst happens to your profile and you cannot get in. Tidy up the people. Remove people who should not have access to your business manager. Get them out of there.

Remove access for any partners that you may have partnered with your business manager in the past. Get them out of there. Close down ad accounts that you are no longer using.

Remove payment methods from ad accounts that you are no longer using. So there’s no ad accounts with payment methods there that hackers could just get into and just start spending and cause a lot of damage for you. So removing payment methods there, and also remove the payment methods from business manager if you have set them up.

Don’t forget your personal ad account. Remove any billing information from your personal ad account as well.

And also make sure that if you are not using those billing methods in your business manager, then remove that as well. If you did set that up at some point.

Don’t forget to check your page over on Facebook or get your clients to check their page over on Facebook and see in the settings who has access to the pages there. Remove them from the page, people who should not have access. Get them out of there, and also check any apps that may have access to your page.

I hope you’ve found this useful. Go through, do a thorough check. Hopefully there won’t be too many nasty surprises for you going, oh my gosh, why didn’t I check that sooner? You’re checking it now and you’re getting things in order, and preventing, hopefully, any security breaches there. If you found this useful, we’d love to know.

Send it through to We’d love to hear from you.

Go through that checklist. Clean up your business manager. Get things in order, and also advise your clients to do these same things as well. Share this video with them so that they can get their assets as secure as possible as well.

That’s it for today. I look forward to seeing you next time. Bye for now.


I love to share practical information to help you improve your skills, learn something new or help you avoid the mistakes that many Ad Managers and I have made to help fast-track you on your journey as a well-paid and in-demand Ad Manager.