Monday, August 2, 2010

Buying a business? Change all the keys, not just the physical ones.



I get calls from folks asking me about people getting into their networks when they have recently purchased a business from someone else, or when an employee has recently left, willingly or otherwise.

Larger businesses that have in-house IT support probably have the IT people take care of this.  But for smaller businesses that do not have internal IT support folks, here are some things to consider when changes in personnel happen:

  1. Get all the passwords.
    First of all, require that the leaving owner or party provide all passwords for everything they have access to and test them for accuracy.  Now it is not a huge deal if you run into something that is password protected, since nearly all passwords can be broken by a knowledgeable IT person, but it can be very inconvenient and sometimes expensive.  Encrypted hard drives could leave you hanging in a big way.
  2. Get the name of the IT support company.
    If you are purchasing a business that has computers and/or servers that you rely on to do your business, make sure you get information on who has been taking care of the computers at the business.  It may be a company or it might be the old owner’s family.  Either way, you need to know this.
  3. Check out the current IT support company or get a new one.
    Call the IT support company or person and find out if they know the current passwords.  Check them out just like you would if you were hiring them off the street.  Get references and check them.
  4. Sign agreements with your IT support company.
    Anytime you use an IT support company, you should have them sign a non-disclosure agreement.  Why? Because they have access to ALL your information.  This is especially true if you are a law firm, or are in the medical, counseling or financial professions, and handle confidential information.  This should also be true for any internal IT support people.
  5. Does anyone have remote access permission?
    Find out if anyone accesses the network or computers remotely as part of their work and who they are.  If it is the IT support company, again, make sure you know who you are dealing with and have proper safeguards in place for your and your clients’ confidential information.
  6. Account for all the data.
    Make sure you know where all the data is.  Are there off-site backups?  Portable drives? It’s okay to be thorough.  Think of data lying around on portable drives, USB thumb drives, backup tapes or in off-site backup centers as bags of money.  You would want to account for all the money, right?
  7. Are you buying a web site or other off site service as part of the deal?
    Where is it and who is the hosting company?  Who is the registered owner of the domain name if you are acquiring a web address or email address domain as part of the deal?  Can your website be taken down or modified by someone without your permission?  Virtual assets like web sites, email addresses, on-line stores, blogs and even Twitter accounts are becoming a common part of acquiring a business.  Make sure you account for all the assets, not just the physical ones.

That is a very short list, but it is the minimum you should do to protect yourself, your data and your reputation.  The cost of computer hardware is nothing compared to the cost of the data you need to run your business or the liability of a data leak to someone outside of your business.

If all of that seems to be out of your technical range, and it is for a lot of folks, hire a reputable IT company to come in and do a security check for you.  They can handle things like documenting all of the computer stuff, checking on who your domain is registered to, changing the passwords, and checking for any type of external access to your network via pcAnywhere, LogMeIn Free, VNC, Terminal Server, etc.  They can and should also check any router you have for open ports that may provide access to your business network.
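
As an added illustration (not part of the original post), here is one way the listening-port part of that check could look in Python: it reads Windows `netstat -ano` output and flags network-reachable listeners on the default ports of the tools named above. The sample output and the function name are constructed for this example, and the default ports are an assumption, since these services can be moved to other ports.

```python
import re

# Default TCP ports of the remote-access tools named in the post (assumed
# defaults; an installation can be reconfigured to use other ports).
REMOTE_ACCESS_PORTS = {
    3389: "Terminal Server / Remote Desktop (RDP)",
    5631: "pcAnywhere",
    5800: "VNC (browser viewer)",
}
REMOTE_ACCESS_PORTS.update({p: "VNC" for p in range(5900, 5907)})

LOOPBACK = ("127.", "[::1]")

# Constructed sample of Windows `netstat -ano` output (not from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2376
  TCP    127.0.0.1:5631         0.0.0.0:0              LISTENING       3012
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     4120
  TCP    [::]:3389              [::]:0                 LISTENING       1104
  UDP    0.0.0.0:5632           *:*                                    3012
"""

# Matches only TCP sockets in the LISTENING state: address, port, owning PID.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def find_remote_access_listeners(netstat_text):
    """Return (address, port, service, pid) for each listener on a known
    remote-access port that is reachable from the network."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port not in REMOTE_ACCESS_PORTS:
            continue
        if addr.startswith(LOOPBACK):
            continue  # bound to loopback: reachable only from the machine itself
        findings.append((addr, port, REMOTE_ACCESS_PORTS[port], pid))
    return findings

if __name__ == "__main__":
    for addr, port, service, pid in find_remote_access_listeners(SAMPLE_NETSTAT):
        print(f"{service}: listening on {addr}:{port} (PID {pid})")
```

Tools that connect outbound through a vendor's servers, as LogMeIn does, open no listening port and will not show up here; find those by reviewing the installed software and running services on each PC.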
