An employee or consultant leaves (often dismissed) and takes critical information with them, such as sales reports, prospect and vendor lists, or the instructions for keeping the HVAC running at just the right temperature. It's disruptive and can take significant time and resources to retrieve. But when that person holds critical information or access to your IT, it can be a nightmare and create real risk for your business.
A few examples come to mind.
You hire a web developer. They are easy to work with, they purchase the domain and hosting, and the new website goes up smoothly and looks great! You've invested in SEO, web traffic and sales are building, and then you go to make a few updates and find they have moved to another country. Okay, you need another web developer, no problem. Until you find out that you and your new web developer cannot access your domain name because you do not own it. It is most likely an oversight by the web developer, but it could be a time-consuming and potentially costly one, since the legal owner of your domain name has total control. That includes what website it points to, which domain name registrar maintains it, changing the information on your domain name account, controlling who administers it, and being able to sell it.
You spend thousands with an ad agency on digital marketing. It started out well, with weekly reports that showed promise; then updates on the campaign become less and less frequent and you notice web inquiries keep dropping. Maybe it's time to look for a firm to freshen up the campaign? The problem is that you discover you don't have access to any of the analytics or campaigns: they were never set up in your company's Google AdWords account. You have lost a year of data and cannot see which campaigns were actually performing, so you need to start from scratch.
One recent story from The Register is truly chilling. According to the report, shortly after the American College of Education (ACE) in Indiana fired an IT administrator, it found that it no longer had any employees with admin access to the Google email service used by the school. The school said it asked the former employee to return his work laptop, which was supposed to have the password saved, but the computer was returned wiped, with a new operating system, and damaged to the point that it could no longer be used. ACE claimed that its students could not access their Google-hosted ACE email accounts or their online coursework. The school appealed to Google for help, but Google at the time refused, because the ACE administrator account had been linked to William's personal email address. It went to court, became pretty contentious, was settled, and Google finally turned the account over to ACE. The school claimed it suffered an estimated $500,000 in damages due to its inability to access its Google account.
So if you do nothing else this year, commit to taking ownership of your IT assets. First and foremost, we advise customers to limit local administrator rights. According to John Christie, Sinu co-founder and COO, "IT best practices dictate that employees not be given local administrative rights. Auditors also frown upon the practice because of its inherent risk. At Sinu, we install software updates and patches weekly to protect our customers; however, the system is only as strong as its weakest link. By allowing local administrative rights, companies expose themselves to malicious attacks and the risk of losing time, data, and money."
We also advise that you make sure you legally own the domain name for your business today. Don't put it off. You can find ownership and registrar information at http://www.whois.net/. Once you confirm you own it, keep the details of your domain name registration account. You should know which registrar your domain is registered with and the username and password for your domain name registration account. Limit who has access to this information; there are now ways to give someone limited access to manage things in your account without handing over the owner credentials. If you do have to give someone a username and password, change it once they're done. If you don't actually own the domain, contact the owner and ask that it be transferred to you. You do have legal recourse if it was done maliciously.
And while you're at it, you should review all your other password-protected solutions. Keep track of which systems require passwords and who has access to them, whether it's an employee or a consultant. Review system security regularly – a minimum of once a year – and remove any unused accounts. Reset those passwords at least once a year, and more often if you have high employee or consultant turnover. By keeping an inventory of your tech solutions and reviewing it annually, while limiting access to password-protected systems, your organization will be more secure and you will be assured that you have control of your IT assets.
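The annual review described above can be scripted against an inventory of systems and account holders. The following is an added example, not code from Sinu or from the original post; the systems, users and dates are constructed and hypothetical. It flags the three situations the post describes: a system where no current employee holds admin access (the ACE scenario and the contractor-owned domain), accounts belonging to people who have left or that have gone unused for a year, and passwords that have not been reset in a year.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    user: str
    holder: str           # "employee" or "consultant"
    is_admin: bool
    still_engaged: bool   # person still works for or with the company
    last_used: date
    password_reset: date

@dataclass
class System:
    name: str
    accounts: list

def audit(systems, today, max_idle_days=365, max_password_age_days=365):
    """Return (system, user, issue) tuples for anything needing action."""
    findings = []
    for s in systems:
        # The ACE failure mode: nobody still on staff can administer the system.
        if not any(a.is_admin and a.still_engaged and a.holder == "employee"
                   for a in s.accounts):
            findings.append((s.name, "-", "no current employee holds admin access"))
        for a in s.accounts:
            idle = (today - a.last_used).days
            if not a.still_engaged:
                findings.append((s.name, a.user, "holder has left; remove account"))
            elif idle > max_idle_days:
                findings.append((s.name, a.user, f"unused for {idle} days; remove or justify"))
            if (today - a.password_reset).days > max_password_age_days:
                findings.append((s.name, a.user, "password older than a year; reset it"))
    return findings

# Constructed sample inventory; all names and dates are hypothetical.
TODAY = date(2024, 6, 1)
INVENTORY = [
    System("Google Workspace admin console", [
        Account("itadmin@example.com", "employee", True, False, date(2024, 1, 15), date(2023, 1, 10))]),
    System("Domain registrar account", [
        Account("webdev-contractor", "consultant", True, True, date(2024, 5, 20), date(2022, 3, 1)),
        Account("ceo@example.com", "employee", False, True, date(2024, 5, 28), date(2024, 5, 28))]),
    System("Google Ads", [
        Account("marketing@example.com", "employee", True, True, date(2022, 4, 1), date(2024, 2, 1))]),
]
if __name__ == "__main__":
    for system, user, issue in audit(INVENTORY, TODAY):
        print(f"{system}: {user}: {issue}")
```

Run it against your own exported inventory once a year, and treat every "no current employee holds admin access" line as the first thing to fix.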