When you buy a house, you call a locksmith and change the locks, right? You do it to protect yourself and your belongings, and you don’t give it a second thought. Who thinks, “But what will the previous owner think? Will they think I don’t trust them? Or that I don’t like them?” No. It’s your house now, and controlling who has access to you and your stuff is just using common sense.
So, why is it that volunteer groups and small businesses don’t remove permission to access files, accounts, and systems when personnel change on projects, boards of directors, etc.?
Take, for example, contractors and freelancers who worked on a project with your in-house team, but their work on the project has finished. Or consider volunteers who worked diligently for your organization during their terms, but have finished their time as officers or board members and no longer fill roles requiring access to sensitive information.
Why can these people still edit documents in the Dropbox account? Why do they still have the credentials for your website and social media accounts? Why do they still have administrative access to your government registrations, like SAM (which holds a lot of your business’s sensitive financial information)?
People no longer affiliated with your organization, or those who no longer fill roles requiring that high level of access, should not continue to have it, no matter how trustworthy they are or how much they work for your business on an intermittent basis (e.g., consultants and freelancers).
Why? Because no matter how much you trust them, every entity with access to your IP, financial information, communication systems, etc. is a vulnerability in your system. Do you trust that every freelancer and consultant who works for you has impeccably secure devices? You shouldn’t. Small businesses, vendors, and sub-contractors can pose incredible risks to a business. Remember how hackers accessed Target’s financial system and stole consumers’ Target Red Card information a few years back? The hackers used credentials stolen from one of Target’s HVAC contractors to gain access to Target’s systems. As businesses become wiser about cybersecurity and harden their systems against direct attack, indirect attacks via smaller, more vulnerable affiliates have increased.
How to Change the Locks
Here’s what I do to secure the organizations I work with or manage:
- Grant people the minimum access they require to effectively do their job.
- Set a time limit on access for any systems that allow you to. For example, when you invite a user to Slack, you can set a date when their access will expire.
- Make terminating access part of a project closing protocol. For many systems, you may simply terminate a user’s credentials, but for shared credentials (e.g., the login information for a social media account), simply change the password.
- Add an annual or semi-annual audit of your accounts and systems to your business’s cybersecurity protocol to catch any loose ends that may have gone unnoticed.
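One way to run the audit from the last step, as an added example that is not from the original post: a small Python script over a constructed access register (the people, systems, and dates are made up) that lists whose access to revoke, which shared passwords to change because the login cannot be revoked per person, and which open-ended non-staff grants are missing an expiry date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Constructed access register (not from the original post): one row per person per system.
@dataclass(frozen=True)
class Grant:
    person: str
    system: str
    level: str                 # "admin", "edit" or "view"
    kind: str                  # "staff", "volunteer" or "contractor"
    role_ends: Optional[date]  # board term or project end date; None means open-ended
    shared_credential: bool    # access is via a shared login rather than a personal account


REGISTER = [
    Grant("Pat (outgoing treasurer)", "Dropbox", "edit", "volunteer", date(2023, 12, 31), False),
    Grant("Sam (freelance designer)", "website CMS", "admin", "contractor", date(2024, 3, 31), False),
    Grant("Sam (freelance designer)", "Instagram", "admin", "contractor", date(2024, 3, 31), True),
    Grant("Kim (consultant)", "SAM.gov", "admin", "contractor", None, False),
    Grant("Lee (staff)", "Slack", "edit", "staff", None, False),
    Grant("Jo (board chair)", "Dropbox", "edit", "volunteer", date(2025, 6, 30), False),
]

AUDIT_DATE = date(2024, 6, 1)  # the day the audit is run (constructed)


def audit(grants, today):
    """Return the actions the audit calls for, keyed by action type."""
    findings = {"revoke": [], "rotate_password": [], "set_expiry": []}
    for g in grants:
        ended = g.role_ends is not None and g.role_ends <= today
        if ended:
            # A personal account can be disabled; a shared login can only be cut off
            # by changing the password for everyone who still needs it.
            bucket = "rotate_password" if g.shared_credential else "revoke"
            findings[bucket].append((g.person, g.system))
        elif g.kind != "staff" and g.role_ends is None:
            # Non-staff access with no end date is the loose end a periodic audit should catch.
            findings["set_expiry"].append((g.person, g.system))
    return findings


if __name__ == "__main__":
    for action, items in audit(REGISTER, AUDIT_DATE).items():
        for person, system in items:
            print(f"{action:16} {person:28} {system}")
```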
Still worried about offending that board member whose term has ended, or think it’s a waste of time to terminate access of a consultant you hope will work with you on a project you have slated for the end of the year? Understandable. But consider your fiduciary duty to the organization and the potential liability you open yourself up to should there be a breach as a result of your indifference. As my teen daughter would say: Awkward.
Have any additional tips? Share them in the comments!