Risk management: who controls your organization’s online accounts?
Several of the (non-library-related) organizations whose websites I manage have chosen to give me administrative access to their online accounts such as Facebook, YouTube, or PayPal. Sometimes I need that level of access in order to create widgets for the website, but more often they just consider it good practice to have a trusted person as a back-up in case the main administrator is unavailable.
This has been helpful a couple of times. On one occasion, an organization wanted to add another person as a Facebook page administrator and couldn’t figure out how to do it, so they had me help out. Another time the organization’s regular Facebook page administrator had accidentally removed his own access, and I was able to restore his administrative privileges.
Once I had not been given administrative access and, in retrospect, maybe I should have been. An organization terminated an employee. Before the rest of the Board of Directors even knew the termination interview had taken place, the organization’s Facebook page and YouTube account had been altered. The cover photos and profile photos for both pages had been deleted; photos, videos and past status updates had vanished; and new announcements had been posted promoting a competing organization. No one had thought about the fact that the employee who was terminated was an administrator of the Facebook page and the only administrator of the YouTube account.
In another case, an organization asked me to create a new website to replace their old website, which had gone dormant. The old website had been connected with both a CafePress store and a PayPal account. One of the accounts had been set up under the individual ownership of the previous website administrator, and there was no way to transfer control of the account to the organization. The other account was inaccessible because nobody remembered the login credentials, and they no longer had access to the email address that would have been used for a password reset. The organization ended up having to abandon the old accounts and create a new CafePress store and PayPal account from scratch. (Fortunately, there were no funds in the PayPal account, so there was no financial loss.)
To keep your organization’s online accounts secure, follow these suggestions and consider writing them into your policies:
- Make sure everyone has a clear understanding of whether the accounts are owned by an individual or by the organization.
- For accounts that must be tied to a single email address, use an organizational address, not the personal email address of any individual.
- Make sure that more than one person has administrative access or login information to the accounts, and access to the organizational email address.
- Keep a record of the login information in a safe place, so it won’t get forgotten or lost. Make sure someone keeps track of the information when there are staffing changes.
- Before you abandon an email address, update all the online accounts that use that address, so that you won’t lose access to those accounts.
- When an employee is going to leave the organization, just as you would take back their keys to the office, you should also disable their administrative access and change the password on organizational accounts. Do this as soon as possible after the person’s employment ends, to prevent unauthorized activity on the accounts.
Your organization’s online accounts and their contents are valuable assets. Protect them accordingly.