This article is taken from
Our Community Matters.
Get the latest edition here.
Lock it up but keep the key: how to manage passwords in your organisation
By Alex McMillan, social media manager, Our Community
Much like the teenage nightmare where you find you've turned up at school naked, the modern not-for-profit manager's nightmare is turning up at work to find they've lost control of their social media account to a rogue employee who is posting about their displeasure to an audience of thousands.
Doesn't sound familiar? That means either you've got your passwords down pat (in which case you can move on to the next article), or you're blissfully ignorant of the potential headache that awaits you.
It's nice to be able to trust your employees, and placing restrictions here, there and everywhere isn't particularly friendly, but the risks to which you expose your organisation by playing fast and loose with password protection increase with every year we march deeper into the 21st century.
The risks associated with lax password control aren't limited to social media accounts, although the thought of blow-back from a rogue tweet should be enough to make you sweat. Getting locked out of any spreadsheet or database can be an absolute nightmare, so ensure your password practices are implemented across all your whole organisation.
What to do: prevention
If you've gone through the problem of stolen passwords once, it's likely you've already set up some safeguards. The best action is prevention, so make sure you:
Develop good password practice. Ensure that when new employees come on board, they sign an agreement regarding their use of password-protected apps or documents. When they leave, remove their access to the relevant accounts, or change the passwords. Build into this process a regular audit whereby you take a look at everyone who has access to an account or password and ensure this information is kept up to date and safe.
Ensure there are multiple ways to access an account. One account holder means one password, which greatly increases your risk of losing access.
The author: Alex McMillan
Utilise access levels for all account holders. Most platforms and tools allow you to assign roles to team members that will limit their ability to change account details such as passwords or billing information. It's very rare that an employee will need full access to an account, so ensure that only the people who really need it have it. In the case of social media, tools such as Hootsuite and Buffer make this process easy.
Ensure the linked email address is safe. An easy way to ensure your account details cannot readily be changed is to connect the account to an email address that only a manager can access.
What to do: reaction
If for some reason you haven't heeded the advice laid out above, then you may find the following useful when it's time to hit the panic button.
Recover quickly. If you find yourself locked out of an account you once held, you should be able get assistance from Facebook, Google etc to regain control over the account. If the only email address you've ever linked to the account belongs to your rogue employee, however, you might have some trouble because of privacy provisions.
Respond quickly. If your only way forward is for the rogue employee to hand over the key, the sooner you get in contact with them, the better. In most cases, letting them know the seriousness of the situation will scare them into action.
Get a lawyer on board. Your communications will pack a little more punch if you have someone who can communicate the full extent of the ramifications unless they hand back the keys.
500 passwords not to use
Are you a fan of bond007, trustno1 or abc123? You're one of many, which makes you vulnerable online. Check out this data visualisation showing the top 500 passwords: https://informationisbeautiful.net/visualizations/top-500-passwords-visualized/
To create a strong password, Google advises you should use a combination of letters, numbers and symbols; avoid personal information and common words; and avoid reusing passwords.