This article is about dealing with ex-employees where websites and related data are concerned.
Often website owners will hire others to work on their websites, either as one-off assignments or on an ongoing basis. This can help move the website project forward and add new features that perhaps the website owner wasn’t capable of producing themselves, but unfortunately it also means you have to be careful about access and security.
Ex-employees often do not have their website access revoked.
For example, people will often leave a project without their access rights being revoked. This leaves both the website owner and the employee in an awkward position. It is best for all concerned that people are granted only the minimum access possible when working on a project, and that when they leave, their access is revoked ASAP.
It isn’t unusual, for example, for people to be granted administration access to a website when they do not require that level of access, and then, once they leave the project, for that access not to be disabled. It surely would have been better if the person had their own unique account, one that wasn’t high-level and could easily be disabled, leaving the possibility of it being re-enabled if the writer rejoins the project later. This gives a more robust, sensible and secure level of access for all concerned.
Sensitive data is often available, months, even years after a person left.
Another example is when people are granted access to website statistics to help them improve the quality of the work they produce, but when they leave, the access is still enabled. For people moving on, especially if they go to work for a competitor, it is important that the access is removed. It isn’t just website administration and statistics that are often not secure, but also details such as FTP, database access and other important and sensitive data.
An access policy and procedure needs to be created to restrict and manage access.
Many website owners, through failing to either restrict or remove access, are reliant on both current and ex-employees to act with good conscience, and not use this oversight and poor judgement to their own advantage.
It is best for all concerned that a policy and procedure is put in place from the very beginning, even at the suggestion of the employee, to make sure all concerned stay protected.
About the author: David enjoys writing about website security, and other website topics, when not eating too many biscuits.