Even in non-pandemic times, scheduling regular admin user audits is a good idea. What we’re talking about is going through all the online platforms your organization maintains and making sure the existing admin user accounts are for active employees. Any others should be removed.
When we talk about online platforms, these include, but are not limited to:
- CRM/ticketing platform
- Email marketing platform
- Social media accounts
- Transactional email providers
- Institutional email accounts (G Suites, MS Exchange, etc.)
- Software as a Service (SaaS) accounts (Zapier, Zoom, Slack, etc.)
In a nutshell, there’s a lot to keep track of.
The why is probably self-evident: leaving former employees with access to institutional data creates serious risk.
- To help make sure you catch every platform, check any password manager services. You’re not really looking for the password so much as the list of sites where passwords exist.
- Checking browser password records is a similarly effective trick.
- Make sure you don’t delete any employee email addresses until after you’ve modified ownership at online platforms. Doing so could inadvertently lock you out of an account and permanently lose access to data. Not good.
- When removing users, make sure you don’t inadvertently delete all content associated with their account. For example, in WordPress, you’ll want to reassign all content for an admin user being removed to an existing user.
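The audit itself can be partly automated. The following is an added example, not code from the original post: it takes constructed admin-user exports from a few platforms (assumed here to be plain lists of email addresses) and the active-employee roster, lists the admin accounts that belong to no active employee, and flags any platform where removing them would leave no active admin, since that is exactly where ownership must be reassigned before anything is deleted.

```python
from collections import defaultdict

# Constructed sample data: admin-user exports from several platforms
# (one row per admin account) and the HR roster of active employees.
ADMIN_EXPORTS = {
    "crm": ["Alice@Example.org", "bob@example.org"],
    "email_marketing": ["carol@example.org"],
    "wordpress": ["bob@example.org", "dave@example.org"],
    "slack": ["alice@example.org", "erin@example.org"],
}
ACTIVE_EMPLOYEES = ["alice@example.org", "bob@example.org", "dave@example.org"]


def normalize(email):
    """Lower-case and strip so 'Alice@Example.org ' matches the roster entry."""
    return email.strip().lower()


def audit_admins(admin_exports, active_employees):
    """Return {platform: {"remove": [...], "lockout_risk": bool}}.

    An admin account not on the active roster is flagged for removal.
    If removing it would leave a platform with zero active admins,
    lockout_risk is set so ownership is reassigned *before* deletion.
    """
    active = {normalize(e) for e in active_employees}
    report = {}
    for platform, admins in admin_exports.items():
        current = {normalize(a) for a in admins}
        stale = sorted(current - active)
        remaining = current - set(stale)
        report[platform] = {
            "remove": stale,
            "lockout_risk": bool(stale) and not remaining,
        }
    return report


def stale_accounts(report):
    """Invert the report: which platforms each stale account still holds."""
    by_account = defaultdict(list)
    for platform, entry in report.items():
        for email in entry["remove"]:
            by_account[email].append(platform)
    return dict(by_account)


if __name__ == "__main__":
    rep = audit_admins(ADMIN_EXPORTS, ACTIVE_EMPLOYEES)
    for platform, entry in rep.items():
        flag = "  <-- reassign ownership first" if entry["lockout_risk"] else ""
        print(f"{platform}: remove {entry['remove']}{flag}")
```

The per-account view from `stale_accounts` is the checklist to work through before the matching institutional email address is deleted.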