If you’re like us, you give permission to outsiders to access your data.
That’s what Target did. Its giant data breach was the result of lax security on the part of one of its outsiders. The vendor had a login to the Target system, and it didn’t protect those credentials sufficiently. It left the door wide open.
In our little firm, we’ve got a dozen outside contractors accessing our data.
Which people do we let in?
- Our outside bookkeeper,
- Our accounting firm (with two or three employees logging in),
- Our Salesforce developer,
- Our NetDocuments developer,
- Three web developers,
- A developer helping with integration of our do-it-yourself site,
- Two people from our outside help-desk team,
- A developer who helps with Google Apps integration,
- Two virtual assistants who manage marketing reports,
- A virtual assistant who handles client surveys,
- A few web developers,
- A law student working on writing projects,
- Plus several others.
Some of these folks have been helping us over the long term. Some of them are with us for short-term projects. They all have access to a great deal of data.
Are these vendors concerned with our security? I hope so.
Are You Doing Enough to Protect Your Data?
We do the usual things to guarantee confidentiality. We have them sign agreements, promise to take precautions, and assume liability. But are they being careful?
If you’re giving your passwords to your service providers, you need to know:
- Who can log in?
- Do they really need to log in? When was the last time they accessed the system? Are they finished?
- Do their credentials expire automatically at some point?
- What’s the policy/plan for cutting them off?
- Would it make more sense to give them a new password each time they need to log in instead of issuing a permanent credential?
It’s your data. It’s your job to engage with the administration of the data. Security is too important to set it and forget it. You’ve got to know the answers. You’ve got to know whether your data is protected.