An employee or consultant quits (maybe fired) and takes critical information with them, such as sales reports, vendor lists, or instructions to keep the HVAC running at just the right temperature. It can be disruptive and take significant time and resources to retrieve said information. However, when someone has critical information regarding the IT infrastructure, it can be a nightmare that presents real risk to your business.
Let's examine some recent examples that Versa has encountered:
The Web Developer
You hire a web developer. At the beginning they are easy to work with and the individual seems trustworthy. They purchase the domain and hosting, which can be confusing for most. Then, before you know it, the new site is live and looks great! Now you've invested in SEO that is beginning to pay dividends in web traffic and sales. Next you go to make a few website updates, and suddenly your web developer is MIA and not returning emails or phone calls. Although it's a hassle, you need another web developer and proceed to hire a new vendor. The catch is that your new web developer cannot access your domain name, because you do not own it. It is most likely an oversight by the original web developer, but it could be a time-consuming and potentially costly one, since the legal owner of your domain name has complete control. That includes what website it points to, what domain name registrar maintains it, changing information about your domain name account, controlling who administers it, and being able to sell it.
Digital Marketing Agency
You spend thousands with an ad agency on digital marketing. It starts out well, with monthly reports that show promise; then updates on the campaign become less and less frequent and you notice web traffic is trending in the wrong direction. Maybe it's time to look for a firm to freshen up the campaign? The problem is you discover that you don't have access to any of the Google Analytics data or AdWords campaigns. As a result, the data set from the previous year is now lost and the entire marketing campaign has to begin again from scratch.
Fired the IT Administrator
One recent story from The Register is truly chilling. According to the report, shortly after the American College of Education (ACE) in Indiana fired an IT administrator, it found that it no longer had any employees with admin access to the Google email service used by the school. The school said it asked the former employee to return his work laptop, which was supposed to have the password saved, but the computer was returned wiped, with a new operating system, and damaged to the point it could no longer be used. ACE claimed that its students could not access their Google-hosted ACE email accounts or their online coursework. The school appealed to Google for help, but Google at the time refused because the ACE administrator account had been linked to William’s personal email address. The dispute went to court, became pretty contentious, and was settled, and Google finally turned over the account to ACE. The school claimed it suffered an estimated $500,000 in damages due to its inability to access its own Google account.
Tracking IT Assets
So if you do nothing else this year, commit to taking ownership of your IT assets. First and foremost, we advise customers to limit local administrator rights. IT best practices dictate that employees not be given local administrative rights. Auditors also frown upon the practice because of its inherent risk. At Versa, we install software updates and patches weekly to protect our customers from security threats; however, the system is only as strong as its weakest link. By allowing local administrative rights, companies expose themselves to malicious attacks and the risk of losing time, data, and money.
We also advise that you make sure you legally own the domain name for your business today. Don't put it off. You can find ownership and registrar information at http://www.whois.net/. Once you confirm you own it, keep the details about your domain name registration account. You should know who your domain is registered with and the username and password for your domain name registration account. Limit who has access to this information; there are now ways to give someone limited access to manage things in your account. If you have to give someone a username and password, change it once they're done. If you don't actually own the domain, contact the owner and ask that it be changed. You do have legal recourse if it was done maliciously.
And while you're at it, you should review all your other password-protected solutions. Keep track of which systems require passwords and who has access to them, whether it's an employee or a consultant. Review system security regularly – a minimum of once a year – and remove any unused accounts. Reset those passwords at least once a year, and more often if you have high employee or consultant turnover. By keeping an inventory of your tech solutions and reviewing it annually, while limiting access to password-protected systems, your organization will be more secure and you will be assured that you have control of your IT assets.
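The annual review described above can be run as a script over the inventory. The following is an added example, not Versa's own tooling: the CSV columns, the sample rows, the company.example domain and the 90-day "unused" threshold are all assumptions made for illustration. It also flags the two failure modes from the stories above: a privileged account tied to a non-company email address, and a system with no company-controlled administrator.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; columns and values are assumptions, not from the article.
INVENTORY_CSV = """system,account,holder_type,role,recovery_email,last_login,password_changed
domain-registrar,webdev,consultant,owner,dev@gmail.example,2023-01-10,2022-11-01
google-workspace,it.admin,employee,admin,it.admin@personal.example,2024-05-20,2024-02-01
google-analytics,agency,consultant,admin,ads@agency.example,2024-05-01,2024-03-15
google-analytics,owner,employee,admin,owner@company.example,2024-05-28,2024-04-01
"""

COMPANY_DOMAIN = "company.example"  # assumed company mail domain
MAX_PASSWORD_AGE_DAYS = 365         # article: reset at least once a year
UNUSED_AFTER_DAYS = 90              # assumed definition of an "unused" account


def is_company_address(email):
    return email.lower().endswith("@" + COMPANY_DOMAIN)


def audit(csv_text, today):
    """Return (subject, finding) tuples for every inventory problem found."""
    findings = []
    admins_by_system = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = f"{row['system']}/{row['account']}"
        if (today - date.fromisoformat(row["last_login"])).days > UNUSED_AFTER_DAYS:
            findings.append((who, "unused account"))
        if (today - date.fromisoformat(row["password_changed"])).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((who, "password older than one year"))
        if row["role"] in ("owner", "admin"):
            if not is_company_address(row["recovery_email"]):
                findings.append((who, "privileged account tied to non-company email"))
            admins_by_system.setdefault(row["system"], []).append(row)
    # A system is only under your control if at least one admin is an
    # employee whose recovery address is on the company domain.
    for system, holders in admins_by_system.items():
        if not any(h["holder_type"] == "employee" and is_company_address(h["recovery_email"])
                   for h in holders):
            findings.append((system, "no company-controlled admin"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY_CSV, date(2024, 6, 1)):
        print(f"{subject}: {finding}")
```
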