Secure Your Firm’s Infrastructure/Applications

Technology Service Provider (TSP)

In a large enterprise there are TSP's who support applications, infrastructure and other parts of the business. These contractors are onboarded into the enterprise's HR system and act on behalf of the enterprise. They provide mission critical support.

In smaller firms, these contractors are hired and perform the same type of activities. It could be argued that these folks are more critical to keeping a small business up and running.

I recently replaced one of these folks at a small 10 person accounting firm. Going through the systems and unraveling the applications, registration, licensing, there were several with the identity of the contractor's business. It's crucial to understand how they are signing up for applications that your company utilizes. Many firms fail to recognize the implications when a contractor registers their accounts under their own name rather than the company's name they are doing work on behalf.

This issue can become particularly problematic when the contractor leaves, as was the case with this local CPA firm. Their IT person retired, and his accounts, which were crucial for operating various applications, were left inaccessible. Support could not help as there is mult-factor authentication tied to unique emails.

What can you do to prevent this from happening at your firm?

Create a Centralized IT Role

The answer is very simple: Create an IT role/email identity. The contractor will exclusively utilize this when registering for applications and products. You store the password securely. The firm owns the Identity.

The heart of the matter lies in establishing a centralized IT role within your domain that is explicitly responsible for managing these applications. By creating an IT identity that is directly tied to your firm’s identity, you enhance your security.

This role should manage all application sign-ups and possess the password for each application, thus ensuring continuity and control. When contractors are brought on board, their access can be limited to the specific resources they need without compromising your company’s overall security.

Managing Access and Password Security

Properly managing access to applications is about more than just having an IT role; it's also about password security. Multi-Factor Authentication (MFA) can add an additional layer of security but can also complicate matters if not managed correctly. For instance, if the retiring contractor had MFA enabled and did not transfer access before leaving, it becomes impossible for the firm to reset passwords or regain access to vital accounts.

To safeguard your firm against such scenarios, consider implementing a comprehensive password management strategy. This includes maintaining a secure, shared password storage solution where credentials for various applications are archived and managed. Logs are maintained ensuring access transparency. Ensure that your IT role has regular access to this information, allowing for seamless transitions when personnel changes occur.

Conclusion

This small change in your procedures when brining in an IT person will save you a lot of headache's in the long run. Give them an ID and email from your identity management system. It is that simple. It is essential to focus on building a robust framework for managing application access, licensing, registration and security. Transferring access protocols as contractors leave, you can protect your firm from unnecessary disruptions. Remember, proactive measures today can save you significant trouble tomorrow.