IF I were to ask a business owner about the state of the company’s inventory I would get a pretty accurate accounting of how much stock was on the shelves, how much was on the way in and how much could be turned around if the supply chain took a hit.
IF I were to ask a business owner about how closely the financial statement for last year would compare to the projections for this year, I would get a pretty grounded assessment of what sales were looking like, how they compared to the proforma and whether there were potential things on the near horizon that would impact those projections up or down.
IF I were to ask a business owner about the fleet of their vehicles, I would get a pretty clear run down of the cars and trucks, their age, how often they are in for repair and when the company planned a replacement.
IF I were to ask a business owner about expansion plans for new hires, offices or just about anything, I would receive a very specific explanation of every potential new hire and why they were needed, a statement about any physical moves or expansions and exactly where and when they might take place.
What we know that you don’t know…
But from our experience I know something that this business owner does not. I know that the company’s keys are in the hands of someone he/she cannot name and that the login and passwords are completely unknown to the business owner. And I know that it will be likely that the possession of these user names and passwords are in the possession of someone who may be disinclined to provide them or the subsequent access codes that will be received when the business attempts to login for the first time as it attempts to regain control.
In fact, it is likely that the person possessing the login and password information will ignore any attempts to regain ownership of these accounts and that IF they are recoverable, it will be a long time before they belong once again to the company.
What accounts are of interest? Well, for starters, Facebook, Instagram, Twitter, Pinterest, Google Location listings (GMB)… But then there is your website hosting, your themes and the online NAME OF YOUR BUSINESS (your URL), your event planning software for things like ticket sales, your newsletter/eblast account with the database of all of your customers, potential leads and past patrons, your public-facing calendars….
Now, the people who set these accounts up were operating with the business’s best interest in mind. That is not the question, but at set up, most of these online listings require that they associate the account with personal Facebook accounts, linked to personal Instagram accounts and using personal cellphone numbers and email addresses to the accounts.
These are the accounts that are also now the recovery defaults for attempting to access these accounts should the need arise for someone other than the person who established them ever need access. It will be those personal emails, cellphones, messenger accounts and SMS accounts that get the texts or calls about someone trying to recover or access the account. Over time, these originating cell phone numbers and email addresses change. People who set these accounts up leave employment.
By the time business owners are talking with me about a new website or questions about why social media is not working, the login and passwords and, in the case of the website, the platforms where they are housed, are long forgotten and/or are owned by people who no longer work for you. Or worse, they are owned by people who never worked for you.
In a very literal sense, you gave them the keys to your business and they left. This isn’t to say that they would deliberately do you harm. But they could. This isn’t to say that they would be unwilling to turn these orphaned accounts back to you. But why should they bother? They don’t work for you.
What to do about this…
So, in the spirit of best practices, here are some pleas for protecting the doors to your business in the same way you have security on the front and rear doors of your building:
- There should be a share drive location where ALL login and password and pins are stored. This share drive should have granular permissions so that those who need access have it and there is senior management oversite of these files in more than one department. Perhaps marketing and legal? Perhaps marketing and the COO? Perhaps marketing and the CEO?
- Once an account is established there should be a designated cell number and email address set up in the account as the recovery default. The login and access to this cell number and email address should be part of the share drive record. This cellphone number and email address should simply belong to the company, kept in working order and monitored for messages every week.
- There should be at least 3 admins on every account. These admins should be in different departments with access to those who operate the accounts being backed up by senior administrators in at least two other departments. These account administrators should be reviewed and updated every single time someone resigns, retires or is fired.
- The website may have several listings. There may be a place that the name is stored, that the website is hosted and that houses things like analytics. The login/passwords and pins should all be stored to a share drive along with all of the recovery email and cellphone listings. And it should be clarified WHO OWNS the domain name. Frequently, web designers purchase things like the domain name FOR a business making that web designer the actual OWNER of the name of your business. Worse, there are companies that sell you the right to use the domain name, but not the actual name, leaving you in a hostage situation in which you will have to buy your own name back from these companies.
- The expiration dates for all purchased online products and the renewal dates should be carefully recorded along with the credit card expiration date that is on file for the renewals. Frequently, credit cards expire before your online renewals are due. Your website can simply disappear for failure to have a current card associated with your account and when nobody is monitoring the recovery email accounts or cellphone numbers.
A new team coming in to build a new website, update an old one or to integrate your social and online presence will need login, password and administrative level access to everything. Having these files available takes literally weeks off the development time for building your new site(s).
And, if I had a quarter – just a quarter – for every business owner who had absolutely no idea who might know what the accounts are, what the user names and passwords are, I could have retired a long time ago.