Protecting your online assets – what to do when someone leaves your business. 

by | Jun 22, 2023

These days businesses have a lot of online accounts to keep track of – social media, website, web hosting and domain, EDM platforms, Google accounts, M365 accounts, and more. When someone leaves your business that manages these accounts, or has access to them, it is really important that every account is checked and updated as necessary, in case the account relies on that person’s email or phone number for logging in or for two-factor verification. Not doing so can mean getting shut out of important accounts, not having access to your data, or worst-case scenario having the account shut down or cancelled.

The following is a list of some of the key accounts that need to be checked BEFORE your employee leaves, followed by our best practice tips for protecting yourself. This is not an exhaustive list, but some of the most common accounts that will need to be checked.

Social Media

  • Instagram accounts will often be set up with someone’s phone number attached to it. So make sure you check and change this if necessary. Verification messages may also get sent to this number. Also check the email address on the account. 
  • Check any other accounts you have, such as Pinterest. 
  • Make sure you have the up to date login details for any accounts that have separate login details. 

Facebook

Facebook warrants its own section, as this is the most likely one to cause problems! Most Facebook pages are “owned” by a Meta Business Account, so it is really important that you know which individuals have access to this account, particularly any admins. It can cause massive headaches if you lose access to the Meta Business Account, and will mean there are certain actions you will not be able to perform on Facebook and Instagram. Furthermore, trying to prove you own a Facebook page or Meta Account can be extremely time consuming and often nearly impossible to rectify. So, make sure you check the following: 

  • Who has page-level and task-level access to your Facebook page(s) 
  • Who has been added as a user to your Meta Business Manager account, and what assets each user has been given access to 
  • Check your Ad Accounts, payment methods, commerce accounts and pixels and who has access to these. 

When someone leaves, make sure you remove them from all the above, and ensure that you still have two or more other people who have access to everything, including at least one admin. 

MailChimp or Other EDM Platform

Make sure you check your MailChimp account (or other EDM platform), and see whos’ email address has been used on the account – also check individual lists and their contacts, as these are often set individually. Also check the “from” email address used for lists/campaigns.

Check and change the identity verification method and/or two-factor authentication settings if needed – these will often be linked to the person who is using the account the most, so if this person leaves you will not be able to verify your identity when you try and login.

Google

Some businesses have multiple Google accounts, and these days it’s basically impossible to log in to any Google account without two-factor authentication or identity verification. So, if someone else has their own mobile number or email address connected to either of these, its near on impossible to gain access without jumping through a lot of hoops. Your Google account is how you access the following Google products, so you do not want to lose access! 

  • Google Analytics 
  • Google Ads 
  • Google My Business / Google maps listing 
  • Gmail 
  • YouTube 
  • Google Workspace 
  • Google Drive 

So go into your overall Google account (https://myaccount.google.com/), and check your personal information settings and Security settings (make sure you also check each login method plus the recovery emails and phone numbers). 

Hosting and Domain Names

Make sure the email and phone number on your domain name account and hosting accounts are current, active and accessible – otherwise you might miss an important renewal email and have your website turned off.  

Website 

Check which users have login rights to your website. If the person leaving uses a generic login (such as “admin”) that other people also use, it could be a good idea to change the password. If they have their own personal login, you can just delete / deactivate their login. 

Payment Accounts 

For example, Stripe, eWay or PayPal. If the person leaving set these up or controls the accounts, the account could be linked to their own email or phone, along with the verification methods. So check and change as necessary. Also be aware that changing account details such as the email and password may reset any API connections, so make sure you check this afterwards.

Other Tools

Some other good ones to check if you use them are Canva and social media management tools.


Our best practices for future proofing 

  • Try and use a generic email address on all your accounts that more than one person has access to, or that will not change when someone leaves, such as admin@, info@, marketing@.  
  • Where possible, always have more than one person on Social accounts. NEVER have just one person added as an admin to a Facebook account. The reason for this is two-fold – 1. If someone’s personal Facebook account gets hacked or compromised, you have a back-up person who can access the account, and 2. If someone leaves, you have a backup person who can access the account. Having a neutral 3rd party added to your Facebook page or Meta Business Account, such as an agency, is also a good protection option. 
  • If you must set up two-factor authentication or an additional verification/contact method, where possible/practical try and have this set to a generic email, or to a phone number that is less likely to change, i.e. the owner or someone else high up in the organisation. 
  • Keep an updated, live record of all your accounts, passwords, what email is attached to them, and who the two-factor authentication will go to. This way if someone needs to access an account, they can easily find the login details and/or who the verification request will get sent to. 

0 Comments