Manage your account security using HubSpot security health

Use HubSpot's security health to review a list of security measures to understand how well-protected your HubSpot account is from security incidents. If a security measure needs improvement, you can click links to resolve any security risks. The score can then be reassessed to reflect the improvements in your account’s security.

Before you get started

• To access security health and manage security settings, you must be a super admin or have Security Center access permissions.
• Super admins will receive quarterly notifications if there are scoring measures that say Needs review. The notification explains the importance of the security measures and directs you to Security Health to action recommendations. Learn how to opt-out of notifications.

Access security health

• In your HubSpot account, click the settings settings icon in the top navigation bar.
• In the left sidebar, in the Account Management section, click Security. The security health page will display a rating of Good or Needs review for each of the security measures.
• In the left sidebar menu, click the High risk, Medium risk, or Low risk tab to review the different security measures.
• To resolve the security measures, click Manage next to the security measure that needs review. Follow the prompts to resolve the security action.
   

Security measures assessed

When reviewing your account's security health, the following security measures will be assessed: 

Please note: making partner users super admins allows them to view and manage billing, add and delete users, and perform tasks that could add risk to your account. A lower number of super admins reduces security risks. Learn how to manage partner user permissions and determine if any can be removed as super admin.

• Super admins: a lower number of super admins ensures that the risk of users taking risky actions is reduced. Learn how to manage your super admin permissions and determine if any can be removed.
• Risky permissions: knowing which users have risky permissions can help admins assess risk and get rid of risky access for users based on HubSpot's recommendations.
• Two-factor authentication: two-factor authentication (2FA) is the best way to protect your HubSpot account from unauthorized access. This is required for all Starter, Professional, and Enterprise accounts. If you are on a free account, learn how to require 2FA in your HubSpot account. The more users who use 2FA, the more your account is protected from unauthorized access.

• Inactive users: only users who need access to your HubSpot account should be able to access it. HubSpot considers users inactive if they have not logged on in the past 90 days. Learn how to remove or deactivate users.
• Inactive private apps: having less than one private app inactive will help ensure your account only has apps that are being used correctly. Learn how to uninstall apps.
• Content approvals enabled: having content approvals enabled requires users to receive approval before content is published.
• Pending content approvals: review a list of content awaiting approval, including content type, title, requestor, and request date. This ensures that no risky content can be published without review.