Why Tracking Access Matters
Think of the logins to your website and business-critical accounts like the keys to your shop. You need to know who has them and make sure they’re in safe hands.
Even with a small team, clear rules about who can see what information or make certain updates will prevent mistakes and misunderstandings, and keep vital business information secure from outside threats.
What Could Go Wrong?
Losing Control Over Accounts
Getting locked out of your Google Business Profile or other online accounts can cost you in business reputation, money and tons of time spent recovering access.
This typically occurs when a team member leaves the organization and takes with them one or more important logins. Coordinating with the former team member is almost always difficult and often impossible. The result is spending an outsized amount of time jumping through hoops to recover access when you could be working on your business.
Paying for Inactive Accounts
Some platforms, such as CRMs, may charge you per user account on their site. If you don’t have a process for managing access when team members leave, you can end up paying for accounts no one is using.
Hacked Accounts
If an abandoned user profile is hacked, an intruder can log into financial accounts, your website, etc.
Sabotage
While this outcome is less likely, it’s not unheard of for a disgruntled former team member to perform acts of sabotage against their former employer if they feel they’ve been treated unfairly.
How to Keep Track of Who Has Access
Create A Standard Operating Procedure (SOP)
With so many platforms to keep track of and team members coming and going, it can be all too easy to lose track of who has access to what. The solution is to create a system, or standard operating procedure, for how you manage changes to access and stick to that system.
Write your SOP in a document that’s stored in a secure location that can be accessed by any team member.
Your SOP can include any information you feel is relevant to managing who has access to what accounts. However, we recommend keeping it simple enough to follow.
Processes Covered in the SOP
- Who’s in charge of managing access?
- What’s the process for granting access?
- What’s the process for revoking access?
- Where are passwords stored?
- Access Audits: How often, who does them and what are the steps involved?
Access Log to Track Access
An access log is a simple and effective way to keep track of who has access to your website and accounts. A log can be a database or simply a secure spreadsheet. The trick to making it work is to consistently utilize it every time access is granted, revoked or updated for anyone accessing your website/accounts.
Feel free to download our Access Log Spreadsheet Template or read on to learn how to build your own.
An Access Log Should Include:
- The name of the individual granted access.
- The specific platforms or websites they have access to.
- The level of access granted.
- The date access was granted.
- The name of the approver.
- Any relevant notes or reasons for access.
- The date access was revoked (if applicable).
In addition to maintaining an access log, it’s helpful to use a WordPress plugin such as Simple History, which keeps a record of which team member has made what changes. However, this plugin won’t collect all of the other information needed for your access log. So, it’s still important to keep your access log up to date.
Periodic Access Audits for Security
In addition to keeping an access log, it’s important to periodically review who has access to what and whether or not that level of access still makes sense for each individual.
- Designate a specific team member to review each team member’s level of access as indicated in the access log.
- Determine how frequently you’d like this audit to be conducted and set a recurring task for the designated member. We recommend conducting your audit quarterly.
- The audit should include each of the following steps:
  - The designated team member will verify that the current access levels are still appropriate based on individuals’ roles and responsibilities. Look for the following:
    - Temporary access granted that should now be revoked.
    - Team members who are no longer working at the company.
    - A team member who hasn’t logged into an account in the past year probably doesn’t still need access.
  - Department Heads/Team Leaders may be asked to provide input on the necessity of continued access for their team members.
  - Any access that is no longer required will be promptly revoked.
  - The access log will be updated to reflect any changes.
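The audit checks above can be run against an exported access log. The script below is an added example, not part of the original guide: it assumes the log is saved as CSV with the fields listed earlier plus two assumed columns, `expires` (end date for temporary access) and `last_login`, and it uses a constructed sample log and team roster.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample log. Columns follow the access log fields listed above;
# "expires" and "last_login" are assumed extra columns, not part of that list.
SAMPLE_LOG = """name,platform,level,granted,approver,notes,revoked,expires,last_login
Ana,WordPress,admin,2023-01-10,Sam,site owner,,,2025-05-20
Ben,CRM,editor,2022-03-01,Sam,sales,,,2023-11-02
Cleo,WordPress,editor,2025-02-01,Sam,temporary contractor,,2025-03-01,2025-02-20
Dev,Google Business Profile,manager,2021-06-15,Sam,marketing,,,2025-04-01
Eli,CRM,editor,2022-03-01,Sam,sales,2024-01-05,,2023-12-30
"""

CURRENT_TEAM = {"Ana", "Ben", "Cleo"}  # constructed roster; Dev has left


def parse_day(text):
    """Return a date for an ISO yyyy-mm-dd string, or None for a blank cell."""
    return date.fromisoformat(text) if text.strip() else None


def audit(log_text, current_team, today, stale_after=timedelta(days=365)):
    """Return (name, platform, reason) for each active entry needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if parse_day(row["revoked"]):
            continue  # already revoked, nothing to review
        who, where = row["name"], row["platform"]
        expires = parse_day(row["expires"])
        last_login = parse_day(row["last_login"])
        if who not in current_team:
            findings.append((who, where, "no longer on the team"))
        if expires and expires < today:
            findings.append((who, where, "temporary access past its end date"))
        if last_login is None or today - last_login > stale_after:
            findings.append((who, where, "no login in the past year"))
    return findings


if __name__ == "__main__":
    for name, platform, reason in audit(SAMPLE_LOG, CURRENT_TEAM, date(2025, 6, 1)):
        print(f"{name:5} {platform:24} {reason}")
```

Each finding is a prompt for the designated team member to confirm with the relevant team leader, revoke the access if it is no longer needed, and record the revocation date in the log.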
Create Secure Passwords
Not all passwords are created equal and, unfortunately, the passwords that are easiest to remember also tend to be the easiest for malicious actors to hack.
Here are some tips for creating strong and unique passwords:
Do Use:
- Long Passwords: The longer the password, the harder it is for a cybercriminal to guess or crack with a brute-force attack. In fact, the length of your password is actually more important than the use of special characters such as numbers and symbols.
- Passphrases: One way to create longer passwords that are still relatively easy to remember is to use a passphrase. A passphrase is a string of unrelated words, often connected by dashes. Eg: helicopter-apple-nap-queen. As long as the words are random, the passphrase will be difficult for hackers to crack.
Don’t Use:
- Common Passwords: Don’t use commonly used passwords such as “123456”, “qwerty”, and “password”.
- Common Password Modifiers: Don’t rely on common modifiers, such as adding your birth date to the end of a password.
- Minor Password Updates: When updating a password, don’t simply change out a few characters to maintain the original word. E.g., replacing the “o”s with “0”s, “i”s with “1”s or “!”s, etc. These types of changes are easy for hackers to guess. If your passwords have been compromised, they’ll need to be changed completely.
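The three “Don’t Use” rules can be checked automatically when someone sets a new password. The function below is an added example, not part of the original guide: the three-entry common-password list is a constructed sample (a real check would load a much larger list), and the extra look-alike swaps beyond “0” and “1”/“!” are assumptions.

```python
import re
from datetime import date

# Constructed sample; a real check would load a large list of known-bad passwords.
COMMON = {"123456", "qwerty", "password"}
# Look-alike swaps mapped back to the letter they replace. "0", "1" and "!"
# come from the tips above; "3", "@" and "$" are assumed additions.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "@": "a", "$": "s"})
# Common ways a birth date gets typed at the end of a password.
DATE_FORMATS = ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")


def normalise(pw):
    """Lower-case, drop trailing digits/symbols, then undo look-alike swaps."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def review(new, old=None, birth=None):
    """Return the reasons `new` breaks the rules above (empty list if none)."""
    problems = []
    base = normalise(new)
    if new.lower() in COMMON or base in COMMON:
        problems.append("common password")
    if birth and any(new.endswith(birth.strftime(f)) for f in DATE_FORMATS):
        problems.append("ends with birth date")
    if old and base and base == normalise(old):
        problems.append("minor update of old password")
    return problems


if __name__ == "__main__":
    born = date(1988, 7, 14)  # constructed sample birth date
    for candidate in ("P@ssw0rd!", "tulip-market-14071988",
                      "B00ksh0p2024!", "helicopter-apple-nap-queen"):
        print(candidate, review(candidate, old="Bookshop2023", birth=born))
```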
Follow Password Best Practices
- Free Online Password Generator: 1Password offers a free online password generator to take the guesswork out of creating a solid password. Their tool allows you to specify the degree of password complexity and even gives you the option to create unique usernames for an added level of security.
- A Password Manager: We can’t recommend this enough. There’s a common saying in security that “The opposite of security is convenience”. However, password managers seem to be the one realm in which this truism does not apply!
  In addition to offering a secure location for all of your logins, here are some examples of how password managers make your life easier:
  - No Memorization: No need to memorize complicated passwords.
  - Automated Login: Many password managers can automatically fill in your usernames and passwords on websites and apps, making logins faster and more convenient.
  - Password Sharing: Some password managers allow you to securely share passwords with others, making it easier to manage shared accounts or access.
  - Temporary Logins: Some password managers allow you to create temporary logins that automatically expire after a certain period. This is ideal for situations in which you need to coordinate with someone outside your organization.
  - Cross-Device Synchronization: Your passwords can be accessed across all your devices, ensuring you always have access to your login credentials, no matter where you are.
- Multi-factor authentication (MFA): MFA should be enabled whenever possible for website logins and access to sensitive information.
- Security Training for Team Members: Regular security awareness training should be provided to all employees regarding password security, phishing attempts, and other security best practices.
- Limit Access: Access to business-critical information should be restricted based on the “need-to-know” principle.
- Avoid Password Sharing: Individual user accounts should be created whenever possible; sharing of login credentials should be avoided unless absolutely necessary and documented in the access log with clear justification.
Keep Control of Your Accounts
Keeping track of the login access for every platform you use can feel daunting if you don’t have a solid plan. Following this guide will deliver a simple process to keep track of every login and maintain control of all your accounts.

