One of the major ways websites get damaged is through staff, contractors and consultants who have too much access. When an email consultant asks for access to a domain name, businesses hand them the password. When someone is performing search engine optimisation, they are given administrator rights with enough permission to delete an entire website. Why would a copywriter ever need access to install and change core software? Every day, website owners gladly hand over access as if doing so somehow relinquishes their own responsibilities.
Websites, hosting servers, email accounts and domain names are all highly valuable business assets and demand respect, security and accountability. They directly protect private information and often the transactional data entrusted to you by your customers. Domain names protect your identity, secure your websites and secure your email. Direct access to website hosting servers exposes website code and transaction, payment and customer information. Websites may store customer information and are used to generate leads and income. Customers will hold you responsible for losses caused by colleagues and consultants to whom you willingly provided access.
Businesses need to ensure that only one supplier has full administrator access to each asset. Some businesses make this owner the same across all assets, but this is not essential. Every additional person with access to the same piece of infrastructure widens the set of people (and credentials) that can compromise it. Just because someone claims they need administrator access does not mean that they should be given the access they request: ask what task the access is for and grant the narrowest role that performs it.
We see no justifiable reason for marketing consultants to have full administrator access to your website, hosting, domains and server. As an example, a search engine consultant may work on your website by performing tasks like copywriting and page construction (including tags). These are editor tasks, not administrator tasks. While they may also ask for extra software (plugins) to be activated to increase speed, they have limited knowledge of how this will affect the construction and hosting of your website. Your maintenance (development) team should perform any installation in coordination with your hosting provider to ensure compatibility.
We have experienced search consultants pressuring clients to provide full administrator access. This behaviour threatens the security of the website and we consider it a very serious matter. Clients are falsely led to believe that withholding this access will prevent the consultants from performing their work. Sometimes this happens because the client has held the consultant to account for results outside the agreed scope. In most situations, these are irresponsible bully tactics used by consultants. If accompanied by an overall lack of results, lack of reporting and a refusal to account for work, we recommend the client immediately cancel the contract and seek new advisors. Have you ever experienced this?
One supplier for each asset:
Domain Names & Name-servers (DNS)
Domain names protect your identity, secure your websites and secure your email: whoever controls the name-servers can redirect both web traffic and email and can pass domain-validated certificate checks. Your IT maintenance* technicians or website maintenance* technicians are ideal to control this asset.
Email Server & Accounts
Email is used to communicate private information, passwords and sometimes transactional information, and the password resets for most of your other assets land in it. Your IT maintenance* technicians are ideal to control this asset.
Hosting Server (FTP)
Hosting provides direct, unrestricted access to edit, add and delete the website code. It also gives the user access to private and transactional information. We recommend that clients purchase hosting from either an IT maintenance* technician or a website maintenance* technician, and that the hosting includes management. When clients purchase hosting directly, they do not always realise they have accepted responsibility for managing access and permissions. Unless clients have qualified server administrators on staff, that lack of knowledge means security is likely to be compromised.
Websites
Websites protect customer information and are responsible for generating ongoing business. They often contain private client information and transactional information. Your website maintenance* technicians (developers) should control the asset and provide limited access to others involved. You are responsible for ensuring you understand and audit access.
CRM/Email Marketing/Marketing Platforms
These platforms contain private client information and sometimes transactional information. Your own internal marketing department or the business owners should control this asset and provide limited access to others involved. You are responsible for ensuring you understand and audit access.
AdWords/Facebook/Other
While these advertising platforms control your reputation and your spend, they contain little private customer information (billing details and any uploaded audience lists are the exception). Your own internal marketing department or the business owners should control this asset and provide limited access to others involved. You are responsible for ensuring you understand and audit access.
*Maintenance assumes an ongoing (contracted) agreement including minimum work each month.
We encourage clients to maintain their own register of users who have access and their permissions, starting with the super administrator. An enormous part of security compliance is tracking who has access to what asset. While technicians will control and administer access, they rarely maintain and audit a register. The register will also help you foresee gaps in your security, and it is the only reliable way to know what to revoke when a supplier or employee leaves.
While this may sound contradictory, we suggest that there be multiple super administrators: for example, the IT maintenance* technicians and the business owner. Super administrator is the term for the highest level of access available. Having multiple super administrators protects you if one person leaves the business or you fall out with your supplier. Do not use this to bypass security protocols; each super administrator should have their own login, never a shared one.
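The register and the super administrator rule above can be checked mechanically rather than by eye. The following is an added example, not tooling from the original article or from any supplier it mentions. It assumes the register is kept as a list of grants (asset, party, party type, login used, role) and encodes four of the article's rules: at most one supplier holds administrator access to an asset, every asset has at least two super administrators, marketing parties never administer the technical assets, and a single login is never administrator on more than one asset (the shared registrar-login problem). The party names and logins in the sample register are constructed for the example.

```python
"""Audit an access register against the one-supplier / two-super-admin rules.

Added example; the register format and the party names are assumptions
made for illustration, not data from a real client.
"""
from collections import defaultdict
from dataclasses import dataclass

ADMIN_ROLES = {"super_admin", "admin"}            # roles that can change or delete the asset
TECHNICAL_ASSETS = {"domain", "email", "hosting", "website"}
INTERNAL_PARTIES = {"owner", "marketing_department"}  # not suppliers
MARKETING_PARTIES = {"seo_consultant", "copywriter", "email_consultant"}


@dataclass(frozen=True)
class Grant:
    asset: str        # "domain", "email", "hosting", "website", "crm", "ads"
    party: str        # organisation or person holding the access
    party_type: str   # "owner", "it_maintenance", "website_maintenance", "seo_consultant", ...
    credential: str   # the login used, so a shared registrar login is visible
    role: str         # "super_admin", "admin", "editor", "viewer"


def audit(register):
    """Return a list of (rule, subject, message) findings; an empty list means the register is clean."""
    findings = []
    by_asset = defaultdict(list)
    for g in register:
        by_asset[g.asset].append(g)

    for asset, grants in sorted(by_asset.items()):
        admins = [g for g in grants if g.role in ADMIN_ROLES]

        # Rule 1: at most one supplier holds administrator access to an asset.
        suppliers = sorted({g.party for g in admins if g.party_type not in INTERNAL_PARTIES})
        if len(suppliers) > 1:
            findings.append(("one_supplier", asset,
                             f"{len(suppliers)} suppliers hold administrator access: {suppliers}"))

        # Rule 2: at least two super administrators (supplier plus business owner).
        supers = [g.party for g in grants if g.role == "super_admin"]
        if len(supers) < 2:
            findings.append(("two_super_admins", asset,
                             f"only {len(supers)} super administrator(s): {supers}"))

        # Rule 3: marketing parties never administer the technical assets.
        if asset in TECHNICAL_ASSETS:
            for g in admins:
                if g.party_type in MARKETING_PARTIES:
                    findings.append(("marketing_admin", asset,
                                     f"{g.party} ({g.party_type}) holds {g.role}; reduce to editor"))

    # Rule 4: one login must not be administrator on several assets.
    assets_by_credential = defaultdict(set)
    for g in register:
        if g.role in ADMIN_ROLES:
            assets_by_credential[g.credential].add(g.asset)
    for credential, assets in sorted(assets_by_credential.items()):
        if len(assets) > 1:
            findings.append(("shared_credential", credential,
                             f"administrator on {sorted(assets)}; use a separate login per asset"))
    return findings


# Constructed sample register: deliberately contains one violation of each rule.
SAMPLE_REGISTER = [
    Grant("domain", "Acme Pty Ltd", "owner", "acme-registrar-login", "super_admin"),
    Grant("domain", "ITCo", "it_maintenance", "itco-dns-admin", "super_admin"),
    Grant("hosting", "Acme Pty Ltd", "owner", "acme-registrar-login", "super_admin"),  # same login as domain
    Grant("hosting", "WebCo", "website_maintenance", "webco-cpanel", "super_admin"),
    Grant("website", "WebCo", "website_maintenance", "webco-wp-admin", "super_admin"),
    Grant("website", "Acme Pty Ltd", "owner", "acme-wp-owner", "super_admin"),
    Grant("website", "SEO Guy", "seo_consultant", "seoguy-wp", "admin"),            # marketing party as admin
    Grant("website", "Copy Ltd", "copywriter", "copyltd-wp", "editor"),
    Grant("email", "ITCo", "it_maintenance", "itco-mail-admin", "super_admin"),    # only one super admin
    Grant("crm", "Acme Marketing", "marketing_department", "acme-crm", "super_admin"),
    Grant("crm", "Acme Pty Ltd", "owner", "acme-crm-owner", "super_admin"),
    Grant("crm", "MailCo", "email_consultant", "mailco-crm", "editor"),
]

if __name__ == "__main__":
    for rule, subject, message in audit(SAMPLE_REGISTER):
        print(f"[{rule}] {subject}: {message}")
```

Running it against the sample register reports four findings: the website has two suppliers with administrator access and a marketing consultant among them, the email server has only one super administrator, and the registrar login is administrator on both the domain and the hosting. Fixing the register (SEO consultant reduced to editor, the owner added as a second email super administrator with their own login, and a separate login for the hosting owner account) brings the audit back to an empty list.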
Be aware that discount suppliers like Crazy Domains and Go Daddy encourage clients to manage their own hosting and domain name-servers. The businesses being targeted usually have no knowledge of these technical services. A business owner may then be tempted to give a consultant access to that one account, which amounts to super administrator access to multiple assets at once. This compromises their security. We recommend that clients use managed services rather than purchase and attempt to manage highly technical services themselves.
If you already manage technical services like email, hosting and domains and don’t know the state of your security, start improving it by changing the super administrator passwords on your assets and/or accounts and enabling two-factor authentication wherever the provider offers it. Use a password manager like Keeper Security to store all your passwords. Alternatively, get someone qualified involved to take over and begin by auditing the security.