Any quick review of a business IT site
will yield a wealth of information about the steps in-house IT teams should take to lock down access to key resources when an employee leaves the company. But at SMB and SOHO operations, there may not
be an in-house IT team to enact such steps. In fact, as consultant, you may be
the closest thing to an IT department such a business has had for the last
several months. As you close out your engagement, who will ensure that your
access to sensitive resources, systems, and data is suspended? For consultants
working with SMBs, it’s often best if you take the reins.

When I close out a contract, I send the COO/business manager
of the SMB client (usually, the person who signs the checks) a friendly
reminder of the data I have collected over the term of the engagement; a list
of the systems I still have access to; and suggestions as to how to “turn
me off.” Obviously, you don’t want to appear standoffish in this
communication, so include language like “standard operating procedure”
and “housekeeping” to make it clear that you are looking out for the client’s
best interest.

This may seem like overkill, but I have been amazed at how
wide-open some small businesses leave themselves. A recent client had parted
ways on bad terms with their contract site developer, and yet this person’s
Admin account was still active after more than a year. Fortunately (and this
will usually be the case), no one acted unprofessionally in this instance, but
you never know. And while this scenario may seem nuts to an IT professional,
locking down asset access — particularly if you are parting ways on good terms
— is among the last thing on an SMB manager’s mind.

As you communicate your close-out suggestions to a client, remember
that the shortcuts many SMBs and SOHO shops take on the front end of their IT
setup can make turning off a user something of a hassle. Without role- or user-based
access, blocking you from the network can mean changing an AP password and
disseminating that information to 10 or 20 users. They may just not do it.

So, what do you get out of this little exercise? Again,
“housekeeping.” There’s a virtue in doing things correctly, and full
disclosure like this builds credibility for your brand. And in many cases it
can spare you an occasional frantic mail from a former client trying to figure
out what happened to their MailChimp
campaign you used to manage.

Here’s a quick overview of items I include in my systems
close-out email:

  • Any potential
    valuable data of which I have local copies.
    This can range from exports of
    email mailing lists to internal business process schematics. Even if you have
    not signed a nondisclosure agreement (Chip Camden offers great advice about NDAs), I think it’s best to remind the
    client of any data of which you have made copies, along with assurances that
    you have disposed of those copies. I usually send along copies of said data
    back to the client (they usually underlie some clumsy analysis, anyway) to be
    on the safe side.
  • Any
    network access/passwords you hold.
    Again, experience tells me that this may
    well not get resolved (I have access to about 30 or so “private” SOHO
    networks around town), but still do make a note of it to your client,
    particularly if they have a simple file server or other shared resource.
  • Cloud
    Most cloud services (including those offered by Google) have
    simple-enough account management, and your client should be able to drop you
    from an internal email or file-sharing account easily enough. Others have
    inexplicably drug their feet on this essential feature (MailChimp added multi-user permission levels this year). If you have been using an email provided by the client,
    give it three weeks or so to ensure that no important messages trickle in
    before turning off the account.
  • Admin
    I can’t stress this enough. Depending on the client and the nature
    of the gig, you may find yourself logging in with admin access on a lot of key
    systems, cloud-based or otherwise. At all costs, make sure that either your
    personal access level is changed (if not entirely eliminated) or that the
    credential on the Admin account is changed as soon as your engagement ends. You
    don’t want the headaches of possible misunderstandings or weird questions that
    are likely to come if you continue to have admin access.