How to Protect Your Company From the Password Risks of Techy Turnover
This is advice I usually give to managed service providers (MSPs), but really it applies to any company with sensitive data and systems protected behind passwords: When your employees leave (and, inevitably, some will) they take their knowledge of your passwords with them. I’m not just talking about their personal login to your network and email system; presumably those accounts are deactivated as soon as someone leaves your company’s employ. Passwords protect a host of business systems. You can probably rattle off several yourself just by scanning the equipment in your office and the applications on your computer. Here are just a few:
- Network devices like routers and switches
- Wireless access points
- Printers, scanners, and copiers
- Website and blog administrative passwords (WordPress, Bluehost, MailChimp, etc.)
- Administrative credentials in Windows
- Shared company social media accounts (Twitter, Facebook, LinkedIn)
Were any of those on your list? Every time an employee leaves your company, he takes with him the capability of exposing your secrets to your competitors, embarrassing you on social media sites, disrupting your business by removing important files and documents, and clogging up your network for his own uses. If your company manages IT services for other companies, multiply that risk by however many clients the employee has worked with. Are you beginning to see my point? Your company’s passwords—and your clients’ passwords, if your company is an MSP—are too valuable to trust with people who are no longer employed by your company.
So how can I protect my company’s passwords?
Whenever an employee leaves your company, it’s extremely important to ascertain:
- What password-protected systems he or she had access to.
- Whether or not those credentials were revoked.
- Whether he or she had knowledge of shared passwords (passwords used by multiple people for a certain system or application).
You also need a way to monitor your systems so you know if an employee is trying to gain access after he or she has left.
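The three offboarding questions and the monitoring step above can be checked against a credential inventory and login records. The following is an added example, not part of the original article; the inventory fields, user names, systems and timestamps are constructed assumptions.

```python
from datetime import datetime as dt

LEFT_AT = dt(2024, 6, 1, 17, 0)  # constructed: the moment "bob" leaves
# Constructed inventory. "changed" = last rotation (shared) or disable time (personal).
INVENTORY = [
    {"system": "core-router", "shared": True, "known_by": {"alice", "bob"}, "changed": dt(2024, 1, 10)},
    {"system": "wordpress-admin", "shared": True, "known_by": {"bob", "carol"}, "changed": dt(2024, 6, 3, 9)},
    {"system": "bob-windows", "shared": False, "known_by": {"bob"}, "changed": dt(2024, 6, 1, 17, 30)},
    {"system": "office-wifi", "shared": True, "known_by": {"alice", "carol"}, "changed": None},
]
# Constructed login events (successful or failed) gathered from system logs.
EVENTS = [
    {"system": "core-router", "time": dt(2024, 5, 30, 9, 0)},
    {"system": "core-router", "time": dt(2024, 6, 2, 2, 14)},
    {"system": "wordpress-admin", "time": dt(2024, 6, 2, 10, 0)},
    {"system": "wordpress-admin", "time": dt(2024, 6, 4, 10, 0)},
    {"system": "bob-windows", "time": dt(2024, 6, 5, 23, 0)},
]

def offboarding_report(user, left_at, inventory):
    """List every credential the leaver knew and whether it was changed since."""
    report = []
    for cred in inventory:
        if user in cred["known_by"]:
            done = cred["changed"] is not None and cred["changed"] >= left_at
            kind = "shared" if cred["shared"] else "personal"
            report.append((cred["system"], kind, "ok" if done else "ACTION NEEDED"))
    return report

def events_to_review(user, left_at, inventory, events):
    """Post-departure logins on credentials the leaver owned or could still use."""
    known = {c["system"]: c for c in inventory if user in c["known_by"]}
    hits = []
    for ev in events:
        cred = known.get(ev["system"])
        if cred is None or ev["time"] <= left_at:
            continue
        changed = cred["changed"]
        rotated = changed is not None and left_at <= changed <= ev["time"]
        # Personal account: any attempt after departure needs review.
        # Shared account: review only while the old password was still valid.
        if not cred["shared"] or not rotated:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    print(offboarding_report("bob", LEFT_AT, INVENTORY))
    print([e["system"] for e in events_to_review("bob", LEFT_AT, INVENTORY, EVENTS)])
```

Logins on an unrotated shared credential cannot be attributed to one person, so those hits are a review queue rather than proof of misuse.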
Secure password management practices involve a lot of steps, and if your password management system is essentially a spreadsheet or a list in a Word document, or a smartphone app meant for a single user, or worse, nothing at all, it’s virtually impossible to collect and take action on all the information you need when an employee leaves your company. There are, however, enterprise-level password solutions designed for multiple users with differing roles and levels of access. These solutions are built to enable password management as a process, rather than a product, with functionality for automated password reset when an employee leaves, centralized storage of all a company’s passwords, and access control based on users’ needs and levels of authority.