Any quick review of a business IT site will yield a wealth of information about the steps in-house IT teams should take to lock down access to key resources when an employee leaves the company. But at SMB and SOHO operations, there may not be an in-house IT team to enact such steps. In fact, as consultant, you may be the closest thing to an IT department such a business has had for the last several months. As you close out your engagement, who will ensure that your access to sensitive resources, systems, and data is suspended? For consultants working with SMBs, it's often best if you take the reins.
When I close out a contract, I send the COO/business manager of the SMB client (usually, the person who signs the checks) a friendly reminder of the data I have collected over the term of the engagement; a list of the systems I still have access to; and suggestions as to how to "turn me off." Obviously, you don't want to appear standoffish in this communication, so include language like "standard operating procedure" and "housekeeping" to make it clear that you are looking out for the client's best interest.
This may seem like overkill, but I have been amazed at how wide-open some small businesses leave themselves. A recent client had parted ways on bad terms with their contract site developer, and yet this person's Admin account was still active after more than a year. Fortunately (and this will usually be the case), no one acted unprofessionally in this instance, but you never know. And while this scenario may seem nuts to an IT professional, locking down asset access -- particularly if you are parting ways on good terms -- is among the last thing on an SMB manager's mind.
As you communicate your close-out suggestions to a client, remember that the shortcuts many SMBs and SOHO shops take on the front end of their IT setup can make turning off a user something of a hassle. Without role- or user-based access, blocking you from the network can mean changing an AP password and disseminating that information to 10 or 20 users. They may just not do it.
So, what do you get out of this little exercise? Again, "housekeeping." There's a virtue in doing things correctly, and full disclosure like this builds credibility for your brand. And in many cases it can spare you an occasional frantic mail from a former client trying to figure out what happened to their MailChimp campaign you used to manage.
Here's a quick overview of items I include in my systems close-out email:
- Any potential valuable data of which I have local copies. This can range from exports of email mailing lists to internal business process schematics. Even if you have not signed a nondisclosure agreement (Chip Camden offers great advice about NDAs), I think it's best to remind the client of any data of which you have made copies, along with assurances that you have disposed of those copies. I usually send along copies of said data back to the client (they usually underlie some clumsy analysis, anyway) to be on the safe side.
- Any network access/passwords you hold. Again, experience tells me that this may well not get resolved (I have access to about 30 or so "private" SOHO networks around town), but still do make a note of it to your client, particularly if they have a simple file server or other shared resource.
- Cloud services. Most cloud services (including those offered by Google) have simple-enough account management, and your client should be able to drop you from an internal email or file-sharing account easily enough. Others have inexplicably drug their feet on this essential feature (MailChimp added multi-user permission levels this year). If you have been using an email provided by the client, give it three weeks or so to ensure that no important messages trickle in before turning off the account.
- Admin access. I can't stress this enough. Depending on the client and the nature of the gig, you may find yourself logging in with admin access on a lot of key systems, cloud-based or otherwise. At all costs, make sure that either your personal access level is changed (if not entirely eliminated) or that the credential on the Admin account is changed as soon as your engagement ends. You don't want the headaches of possible misunderstandings or weird questions that are likely to come if you continue to have admin access.
Ken Hardin is a freelance writer and business analyst with more than two decades in technology media and product development. Before founding his own consultancy, Clarity Answers LLC, Ken was a member of the start-up team and an executive with TechRepublic.com and ITBusinessEdge.com.