Edition e1.0.0
Updated October 9, 2023
By going through the exercise above, you will find yourself with a handy to-do list of things that need securing (if they aren’t already). We have already helped you identify the accounts that likely carry a higher risk because of the type of data they tend to hold. You have already spent the brain power coming up with this list of tools, so capture it somewhere so you don’t have to repeat this exercise again later.
There is no right or wrong way to record this list of tools. It could be a page you ripped out of a notebook and posted on your office corkboard, or it could be listed on a digital notepad text file. It could even be a list of accounts you have in your password manager if you didn’t want to make duplicate lists, as you are likely to have access to all the tools your business uses. Use something that works for you. For us, we have an Asana board (a task-tracking SaaS tool) where we list all of our tools and the information we need to track. This has the extra benefit of helping us with onboarding and offboarding people too.
In addition to keeping a list of the tools, there is other information that is helpful to inventory for each account:
How you log in. Nowadays, when you sign up for an account, you often have the option to log in via another account (like Google or Microsoft), or create a new username and password. Make a record of how you expect you and your employees to log in so your team can be consistent.
Alternatively, make note if this account is a single shared account. We will get into how to set those up safely later in this chapter.
How data is stored. This is going to be the biggest driver behind how you secure that account. We made a fair assumption earlier about the level of risk these accounts carry, but you know better than we do the actual information you keep in those accounts. For example, if you have a Dropbox account that you only use for sharing branding, logos, and other promotional material, it is less important for you to prioritize securing that account now. Compare this to a Dropbox account that is a smorgasbord of customer, internal, and other sensitive data—you’ll want to make sure this one is secured as best as it can be.
This is also a great chance to do some digital spring cleaning. You might notice you pay monthly for a Microsoft 365 account, but can’t really recall what data is stored in it. Now is the best time to log in, take a look, and either record the data you find, or take time to purge the data and shut down the account.
The same goes for any accounts you were reminded of while reading through the list of accounts earlier. If you don’t use an account anymore and really don’t want to take care of it, log in now and remove any data or files that you might have left behind. I can speak from experience here—there is a terrible “hole in your gut” feeling that happens when you see a password breach for a service you used to use and you can’t quite remember what password you used.
Subscription or license costs. This has a business impact rather than a security impact. Later on we will talk about sharing accounts for the sake of saving money on licenses and subscriptions while still keeping those accounts safe. Keeping track of the subscription and license costs per user per month will help you make a rational decision about when you might need to share accounts versus having a unique one for each user.
In addition to having this full list of your accounts, you’ll want to pay close attention to your devices.
In Part I, we recommended you toggle updates to happen automatically for your mobile devices, laptops, and other devices. This will still be the case for the devices you use now as a small business, except with the added complexity that you are not the only one using or controlling those devices. If staff are using personal devices, there is even more complexity, as you might not be able to legally tell them what to do with that device even if they are using it for work.
Think of it this way: the more copies of business data we have, the more security risk we introduce. That makes sense, because each copy increases the chances of the data getting lost or stolen. Every copy of data therefore needs to be protected with the same level of security to prevent this from happening. When you are a small business, the resources needed to scale that security can be a challenge. Access to data is the same as duplicate copies of data—the more ways you can access the data, the more security risk you have.
If your staff log into work accounts from their personal devices, ensure that there is a way to protect the work data that device has access to—in the same way you would protect the data on a work device with anti-malware software or an up-to-date operating system.