11/30/2016
Unethical practices and what you should know to protect yourself from shady operators
When I am engaged in a client project, one of the first things I must do is obtain access to a variety of devices and services. For example, if supporting a workstation remotely, I need to be able to log in. To update content on a website, I must log in to the web hosting provider. To configure network devices like routers and switches, again, I must have access to the configuration interface, which typically requires a password. Passwords are an imperfect solution to the problem of authentication, but in decades of advances in computing technology, we've still not managed to supplant a better solution. Poor password management can, literally, cost you your business. Taking great care in managing access to your computing resources should be a top priority. Following are some things you must consider when granting access to third parties.
Consider the ethics and diligence of individuals controlling access to your data. If you are even slightly concerned about the possibility of unacceptable use, or lack of respect for best practices, then you should reconsider whether that person should be handed the "keys to the kingdom". Your network belongs to you, and is fundamental to your business. Guests should only be allowed by your permission, when, where, and how YOU specify.
You absolutely must maintain a list of your login credentials in a secure location, accessible only by those whom you have entrusted to manage them. This is critical. You will need to share the appropriate credentials with service providers, in order for them to do the work that you require. Not doing so could increase the time and complexity of an engagement considerably - possibly even to the extent that necessary capabilities are lost and could take days, or even weeks to restore. As an example, If you can't remember your router password, and are forced to reset the router back to factory settings to get back in, you will likely lose all of the settings that you configured which are particular to your environment, unless you had the foresight to export and backup configuration data as part of a recovery plan.
When you grant access your to resources, or a service provider's resources, or any piece of hardware of software which requires authentication; whether it be to a consultant, a guest, a technician, or even one of your employee's kids who is "great with computers and can probably help you", whenever possible you should utilize a temporary, or 'guest' account which can be disabled or removed after the engagement. This is a best practice. Not doing so is worse than giving someone a key to your business, because your physical security system can't detect, nor capture video of a remote, "virtual" intruder. Regarding wi-fi access for customers, a wireless network for guest devices that is separated from your business network with its own SSID and password is an absolute requirement. The importance of this cannot possibly be overstated.
When contracting with someone to do work for you, like build a website, or install and configure a new application, the service provider should ALWAYS provide you with a list of account credentials which were obtained or created by them in the performance of your task. Failure or unwillingness to do so is a HUGE red flag. Do you know of any friends who are small business owners whose websites were "held hostage" leaving them completely at the mercy of the site creator? Unfortunately for them, I do. That this happens at all is completely appalling to me. Even once is unacceptable. The reality is that I have heard this story far too often.
These are but a few examples of things that can go horribly wrong with bad password management. Securing your information and computing resources doesn't necessarily have to be difficult or expensive. More importantly, keeping your network secure requires planning, accountability, and invariable consistency.
