This is a guest post by Rishi Lakhani who is an Executive Director at fastfwd, a dev and creative agency based in Birmingham. Rishi has been involved in online marketing for over 20 years and is well regarded in the community as a thought leader.
I have moved around a fair bit in the last 15 years, and as a result have many changing habits when it comes to moving houses. One very simple habit that has been a constant however, is my rule of insisting on a lock change, whether it’s a rental or a purchased home.
Why you ask?
Well to start with, how would you like to live in a house knowing that other people may have keys to your property other than your landlord?
The fact is people make copies of keys. These copies hang about for a while even after you leave a property. So why would I risk everything I own, ready for someone to simply walk in with a set of keys that they have and nick my possessions?
I am not sure what the insurance policy in such cases is, whatever it is, I don’t want to find out.
Call me paranoid.
So how does that relate to this post?
Too Much Access
I have been in SEO since 2002 – that’s a bloody long time when I think about it. In the fifteen years I have been in this industry, I have worked on hundreds of SEO campaigns and as many other digital marketing campaigns, as a freelancer, as in-house, as a consultant, and even as an agency insider. In all those years, as you can imagine, I have been given a lot of access to a lot of accounts.
What really shocks me even today is that most businesses don’t even periodically review who has access to their various accounts, from Google Search Console, to WordPress logins, to sometimes even domain registrars. In fact, just last week I realised that I have access to the primary domain name for a major London charity, a client I haven’t worked with for over 12 years!
If I wanted, I could bring their site offline. Nothing they could do about it as I am the official named registered owner as I originally registered the domain for them.
A few of years back I had to reach out to a director of a major high street brand, because it turned out that their site had a manual penalty, however their agency didn’t even realise it, 6 months on, as they never logged into GSC. What’s more worrying, I was the only person that was the registered admin.
These two examples are only a simple indication of the problem of not routinely checking and maintaining account access reviews.
89% of employees continue to have access to at least one application from their former employer now that they are working for someone else.
In 2012, a company called Osterman Research ran a survey in 2014 for Intermedia. They found 89% of employees that still had access to corporate data after they left the company.
Does this Really Happen?
I went through my various accounts – I had access to (for businesses that I no longer work with.)
- 50 sites GSC (mix of read only and admin access)
- 47 GA accounts (mix of read only and admin access)
- 4 email platforms admin access
- 2 basecamp logins (that still work)
- 15 social media accounts admin privileges
- 67 WordPress logins (that still work)
- 14 ex client domains in my Nominet account
- 7 domains registrars login details (that still work)
- 9 hosting account logins (that still work)
I kind of gave up going through other access points, and started removing myself from access where I could and emailed the businesses to remove my access from stuff I couldn’t myself.
Why is this a risk? Two reasons.
Let’s put it very simply, if you leave your access to your online properties, then chances are something may go wrong. There may be disgruntled employees, or a careless user that may leave their login records unprotected.
Some specific threat scenarios:
- If I have access to your webmaster tools, I can completely deindex your website.
- If I have access to your email platform, but no longer work for you, you are in breach of data protection, as I have access to personal information of your customers.
- If I have access to your email platform, what is stopping me from creating havoc by using it to spam?
- Similarly, if I have admin access to your social accounts, nothing is stopping me from deleting your content, or simply posting content that would cause you a PR nightmare?
- If I still have access to your domains, it’s a simple process to divert all your traffic wherever I want…
- If I have access to your hosting accounts, then I could use them to host spam, manipulate your site, inject adware etc onto your sites
- Same situation if I have your wordpress logins
Most consultants move from site to site, business to business. If I fact they don’t damage your site, there may be one other major risk: they may end up working for a competitor. If you leave your accounts access unprotected, that means you may be potentially leaving your competitive data open for them to read, and to in return better advise your competition.
I am not saying that this happens, however I would be surprised if it didn’t.
- Selling your data to your competitors (social, GA, GSC, Email etc)
- Using your data to form a competitive strategy for a competitor to win their business
Set Up A Process
If I have scared you enough (good!) then it’s time to take action. First things first:
- Review every single account that you have that allows access to third parties. Most these accounts will also have user management areas.
- Remove everyone that no longer works on the campaign, regardless of whether you know or trust them.
- Change passwords if they haven’t been in the last 3 months.
- Create a “User Access” spreadsheet that you and your team can keep modifying.
I suggest keeping that rolling user access sheet live, and checked at least every few months.
Here is an example sheet that you can use if you need some inspiration.
[Featured Image Credit: Marc Biarnès]