editione1.0.0
Updated October 9, 2023Aside from reducing user accounts for your services, you might also be downgrading or canceling services you don’t need to keep your business alive. It drives me mad, but some services only provide security features for users on paid or higher-level service tiers. Service providers might not handle service cancellations with grace, which means copies of your data might be lingering around, which also leaves the security risk lingering around too. These changes can limit the amount of security protection your accounts and data has, and there are a few things to check before you hit “cancel service.”
For services you are downgrading, check what security and data protection features are included in the lower-tier plans. You can often find this information on the service provider’s pricing page, or you can search through their knowledge base or support documentation. If you can’t find this out after a quick search, ask the service provider.
To help you draft that email, you will want to ask if the following features are still available at lower or free service tiers:
Are the following features still available at lower or free service tiers: 2FA and the ability to export account data?
What happens to any excess data if we switch to a service tier that has lower data storage limits than what we currently have?
If the answers you find are not ideal, don’t be afraid to negotiate a new service arrangement. The other side of that support email is a human, and sometimes humans have empathy and the ability to make exceptions. This could be in the form of discounts, temporary details, or modified service plans. It is always worth asking before making arrangements to remove your data or shift to an alternative service that gives you the security features and pricing you need.
For services you are canceling, check what happens to your data after you cancel. Often, services might leave this data in their databases until it gets archived years later. If this service has a data breach, your business could still feel the impact even if you aren’t an active paying customer. Thanks to new privacy legislation like GDPR, service providers have to have processes to delete personal data. This means it makes asking these requests a lot easier and more likely to be fulfilled.
In an ideal situation, you can export copies of your account data and then request all account data be deleted. Don’t assume that just because you canceled your services the service provider will delete your data. They might specifically wait for a request to delete it, or just leave it there to gather dust. In a less ideal situation, you might have to delete the account data yourself and then wait for a short period of time to pass (usually 30 to 90 days). This short period of time is often the amount of time your data will stick around in backups and might still be accessible. Regardless of which situation you have to go with, at the end of it, you can be confident that you have cleaned up any left behind data and can consider that service canceled.
The last area to address when scaling down is your people. This is going to be the hardest one to address because no business owner wants to be in this situation. Restructures and redundancy processes are difficult, and we might do anything to make this situation pass as quickly as possible. Try to avoid that impulse—you can carry out this step with empathy and kindness, while still making sure you take the time to protect what is left with your business.
First, you need to consider the devices and accounts your employees have access to. You will want to retrieve what you can, knowing that you might not be able to retrieve it all. Even if you lose copies of some documents or data, you can still keep control over accounts by resetting passwords or removing access just after they leave. If there are devices you can’t get back, for example, if they are lost, damaged, or it’s unsafe to claim them, you can monitor your accounts to block and unlink access from these devices. You can also remotely wipe these devices if you set that up when we covered it in Part II, but be sure to do it with kindness. We have all used our work devices for personal use at one point or another, and it would be a real kick in the ankles to lose your job and copies of some personal data you had stored on your work laptop. You can always give employees who have left a heads-up that you need to wipe the device, and give them a chance to back up or move any personal files they might have stored.
danger Watch out for systems or workflows that might depend on an individual employee’s account. Often, we might set up automated workflows or system service accounts that are tied to our own individual emails or accounts. If these accounts are disabled, this could result in a domino effect of failures that would be a challenge to clean up.