I read an article in the NH Business Review this week that made my blood boil. In the article, which is published with a ‘cybersecurity’ header, the author advises small businesses on how to obtain their passwords and usernames when they want to change web companies.
His advice includes:
- Ask the web company, but be subtle about it. Or, “have your accountant ask their accountant for them,” under the guise that the ERP system won’t allow payment of invoices without the username and password entered.
- “Have your CEO call the web company’s CEO and ask (in a very charming, but highly authoritative and benevolent way) if he can get the username and password for his geeked-out nephew. The conversation should start something like this: “My nephew Gerald is going to computer camp on Lake Como and he wants to show his campmates the backend of our site. My digital team says that the work you folks do in that area is absolutely first rate. Let’s meet for lunch at the 100 Club a month from now. In the meantime can you shoot that stuff to my secretary? She’ll set it up.”
- And the final gem: “Hire any 13-year-old to hack your site…Once they’re in, you’re in.”
This, dear friends and readers, is pretty much the worst advice I’ve ever heard. Worse, even, than the girlfriend my senior year in high school who convinced me to give myself bangs.
First, let’s address the (absurdly bad) advice.
- A subtle request doesn’t do you any good. And, accountants on either side of the relationship wouldn’t have any reason to have these login credentials. Further, not every company uses an ERP system. This line of reasoning is flawed across the board and wouldn’t result in you getting what you need.
- Any web company worth a damn does not want your geeked-out nephew or his camp friends on Lake Como mucking around in the back end of your website, no matter how charming, authoritative and benevolent you sound. And, if that web agency is worth their salt and is forced to give little Gerald access, they’re going to create a profile with such limited access that Gerald and his friends can’t screw anything up, which doesn’t actually solve your problem.
- Hire a 13-year-old to hack your site? Holy shit. I can’t even.
Accounts to be certain you have control of:
- Website Administration
- Domain Registrar
- Marketing Automation System
- Email Service Provider
- Social Media Accounts
- Google Analytics
- Google AdWords
- Google Search Console
- Facebook Ads
- Review Sites (Yelp, TripAdvisor)
- Third-Party Advertising or Listing Services
- Third-Party Extensions & Plug-ins
The Bottom Line
Bottom line, the author encourages you to lie and/or break the law. None of this nonsense is necessary. If you’re a company that needs your access information from a web – or any other – company, there’s a perfectly reasonable way to get it: ask for it.
Tell your contact at the web agency that you would like a full list of your access credentials for all systems they have access to. It’s truly that easy. If they ask why, you can tell them that you would like a full list for your records and, if they bristle, that it’s your right to have access to – and ownership of – all the platforms and accounts. If you don’t feel like telling them that, you can certainly tell them that you’re updating your security plan or your disaster-recovery plan.
The author suggests that the web company might “get suspicious” if you ask for these credentials. Do yourself a favor: Don’t wait until things get bad or a relationship deteriorates to make sure you have control of your business assets – and don’t be fooled, your website is absolutely a business asset. Ask for the credentials at the three-month mark after you’ve been working together, and maybe again annually.
Remember, though, getting login credentials to your website isn’t always the complete solution to the problem. You need to make sure that you have full administrative access to every platform and account. It’s called ownership, plain and simple.
We have seen many instances where an incumbent company gives the client access to their website, but that login has limited functionality so that they can’t make any significant, or account-level, changes. This is actually appropriate in some cases. For example: If you have numerous people logging into a website administrative area and making changes to the site (updating events, adding blog posts, fixing spelling mistakes, editing page copy, changing prices, adding pictures, etc.), you probably don’t want to give them access to theme files and things that could cause major problems if altered. However, it is appropriate that at least one person at the client company have full administrative access to administer the website and any other account(s) as necessary.
A bigger problem occurs when accounts and/or purchases are made in the vendor company’s name. We have seen instances where a company doesn’t even own their domain name, because their web company purchased it “for them” and now legally owns the domain.
Make sure that any purchases are made in your name, using your credit card – whether you give the company the number, or have them send you a link to what needs to be purchased. Ideally, all accounts should be set up in your name, with vendors of any type granted access to those accounts. That makes it easy to revoke their access if and when the time comes to make a change.
A note about hosting:
If your web company is also hosting your website, there is a chance that you won’t have access to an administration panel. Some smaller web design and web development companies purchase a hosting plan (using a third-party hosting provider like HostGator, Bluehost or GoDaddy) that allows them to manage more than one website within a single, shared hosting account or environment. Because the company is hosting all their clients’ websites in a single account with a single control panel, they can’t grant control panel access to any one client without allowing that company to have access to every client website. If your web company offers hosting (whether on their own servers or as a reseller for another hosting provider), make sure that you have access to your own control panel and not just access to your website CMS.
And, if all else fails, ask your incoming web company to bridge the gap with you. We have done that many times when a new client is ingrained with a company that controls their accounts. And, to avoid getting into the situation in the first place, here are five easy questions you can ask a web company before you sign on with them:
- Will you register our domain and set up our hosting under our company name or yours?
- Where will our website be hosted?
- Will we have access to the administrative area or control panel?
- Can we review a past contract or Statement of Work for a previous project that is similar to ours to see how it is structured?
- Can we talk to a current or previous client to hear about their experience of working with you?
Bad marketing advice is one of my biggest pet peeves and I’m on a one-woman crusade to prevent its spread. It affects all good marketing companies when clients get burned by bad advice or poor-quality work. Then they don’t trust anyone. And, it seems that the bad advice adversely affects small and medium-sized businesses disproportionately. Larger companies have more sophisticated marketing expertise in house and are able to avoid some of these mistakes. So, here’s my offer to you: If you’re in the process of making a decision to work with a web agency, and you’re not totally comfortable with their answers, or you don’t fully understand the implications, call me at (617) 899-2856 and I would be happy to answer any outstanding questions you have, or provide context or explanation around what you’re hearing.