Repeatedly, it is a situation that we see over and over. Monday morning hits and we get a frantic call from a manager or VP in one of our customer’s organization. They need access to their account, but the person who was set up as their account manager has left the company or been terminated. Oops.
At LuxSci, like many other conscientious places, we take very seriously the determination of “who is authorized to do what” in an account. If the account owner is gone and provisions are not made ahead of time for taking over his/her duties, it can be a time consuming and tedious process to validate and establish someone else in the organization as the rightful owner of the account (and not just someone trying to “trick the system” and get access to things that s/he should not have access to).
If you are planning on letting an employee go, you should make sure well ahead of time to check the following things:
- Domain names: Does this employee “own” your company’s domain names? Look in the online WHOIS database and see who is listed as the owner and technical contacts. If this person leaves and owns your domain name(s), it might come down to a lawsuit to get them back and you could lose service and access in the interim. Many times, when employees register new domain names for their companies, they put themselves down as the point of contact — which may also make them the “owner”.
- Even if the employee is not the owner of your domains, make sure that s/he is not the only one with the login access to the domain name registrar. If you need to change something later — you do not want to discover that you suddenly do not have any access.
- Email and Web Services: If the employee is the main administrator for your outsourced email and/or web hosting services, make sure that you know his/her login information before letting him/her go. Alternately, make sure that the account is set up so that there are alternate administrators that have full authority over the account. It may be difficult to access all administrative functions or get support for your account once the administrator is no longer at the company.
- Internal Systems: Take an inventory of all of your internal systems and see what the employee may have administrative access to. For example, servers, routers, WiFi, web sites, blogs, wikis, etc. Make sure that someone else also has full administrative access to these systems so that, when an employee leaves, you still have full access to everything and so that employee’s access can be removed promptly and without causing business disruption.
Recommendations
For each critical system or web site, you should make sure that:
- At least two authorized people have administrative access
- The access of these people is independent, if possible, so that removing or turning off the access of one person does not remove access for the other person.
Systems to review may include:
- Domain name registration, domain name ownership, access to registrar and DNS management portals
- Important Email accounts
- Spam and Virus Filtering management portals
- Email Archival management portals
- Web sites with administrative control panels
- Networking hardware such as routers, switches, firewalls, etc.
- Administration of custom web site applications: Wiki, Blog, Forum, Content Management, Web Hosting Control Panel
- Credit card payment gateways accounts
- Online bank account and credit card portals
You can protect access in many ways. The most common include:
- Create two separate administrative users with equal and complete access. This gives you accountability in terms of who is doing what and when. It also allows one user to disable the other user if needed, without the need to change passwords or lose access to his/her own settings and access.
- Use one shared administrative user and password. In this case, multiple people can login to the same account with the same username and password and perform administrative tasks. If needed, the password can also be changed to lock out someone.
- At LuxSci, you could contact Technical Support, and define a policy under which the administrator can be changed or who should always have full access, no matter what. You can also specify how you want the identity of people to be verified. In this way, no matter what an employee may do, you cannot be locked out of your account.
The means that you employ to secure access to important services will depend upon your level of paranoia and the capabilities of the systems and services involved.
All we can do is recommend that you plan ahead and make sure that, if it came down to suddenly having to let someone important go, that you would know exactly how to (a) remove their access to your critical systems quickly and (b) retain your own access to those systems. If you wait until after the fact and react instead of plan, as we have seen many companies do, you are sure to have problems … maybe minor, but maybe so serious that they threaten your business.