Let’s say you keep some important documents in a safe in your home. Would you give the combination to the company that installed the safe? Take it one step further — would you let them set the combination and not tell you what it is, so that you could not access the contents at all without bringing them in to open the safe?
Of course you wouldn’t – yet that is what lots of business people do with their web hosting service, email, routers, and network equipment. Unfortunately, there are lots of unscrupulous IT consultants out there who claim that the only way to make these things really secure is for them to hold the passwords and have complete control, leaving the customer at their mercy.
One extreme example: a marketing consultant I once interviewed – but had not yet hired – registered a domain name using the name of my product and set up a demo website to try to secure my business. The domain registration, which could have listed me as the administrator so that I would have control of it, instead listed the consultant as both the admin and the technical contact. When I pointed out that she had illegally taken my intellectual property to register this domain name and demanded it be released to me, the consultant then claimed that there was a 60-day freeze imposed by GoDaddy on all new domain registrations, preventing it from being transferred to a new owner. That was simply a lie, and only the threat of legal action resulted in the release of this domain name to me.
While your IT consultant is not, I hope, quite that dishonest, you may very well be among the large number of business owners who have control neither over their own intellectual property (the domain name) nor over their own networks (passwords to routers, wireless access points, and other equipment).
I’m assuming you have your own domain name. If you’re using email or a website for your business and you don’t have your own domain name, that’s the subject of a different blog – but in brief: you really should.
Here’s the scoop on domain names and access to the registration.
Every domain name (“redroad.com” is a domain name) is registered at a registrar, where Internet software can look up the necessary information to access the website, email, or other servers for that domain. The registration includes an administrative contact and a technical contact. Every domain has a couple of name servers that enable access to any publicly accessible servers such as email or websites.
If you change hosting providers, if you change Internet providers and have an in-house server, if you choose a new web developer, if you do anything that involves a change to your domain registration, then you need administrative access to either the registration or the hosting service or both. There is absolutely no justification for any outside consultant to have exclusive access to these. It’s fine if they have the ability to log in and make changes, as long as they’re working for you. But you must insist upon also having that same ability. Otherwise, you can’t get into your safe without the help of the company that installed it.
The very same logic applies to all your passwords for all your devices. Sure, if you have an IT consultant who maintains your network, they need access to your router and other equipment. But again, there is no justification for them to refuse to give you those passwords. You need to have them stored away, using a secure online service or an old-fashioned paper notebook stored in … a safe. Or at least a safe place.