You know that keeping your personal passwords secure for websites and apps is essential. This is not another alert about all the ways you can completely mess up your life by letting your private passwords fall into the wrong hands.
Instead, this post is all about securing the passwords you use for your business, and how to safely share those passwords with staff, vendors, and others who need access from time to time. Whether caused by an innocent screwup by a current vendor or a vindictive mission by a fired staff member, compromised passwords can seriously damage your online marketing efforts.
Passwords for Your Website
There are several key passwords you need to keep safe for website access.
- Domain registrar: This is the company you bought your site domain from. You’ll have an account with them where you can access a list of all domains you have registered, manage them, and renew them.
- Host: Your site may be hosted by the same company that registered your domain name, but not necessarily. The site host is exactly what it sounds like – the company that is keeping your site information on its servers. With full access to your host, an individual can edit, add or delete essential files.
- Website login: Our clients’ sites are built in WordPress, but regardless of how your site was built, as long as it runs on some type of content management system, there will be a way to log into it and make changes.
It should go without saying that in the wrong hands, passwords for these resources could cause serious damage and possibly even cause your website to be disabled or deleted.
Passwords for Social Media
Social media is all about sharing, and we find that for most plastic surgery practices, that means sharing login info with several staff members so that posting and responding to comments can be as easy as possible. It can create a bottleneck if only one person in your office manages all your social accounts. But having many users with access can also create difficulties.
What to Watch For
- Password security features on most social media platforms. They can throw a red flag if, for instance, a staff member is out of town and tries to log into your account. We’ve seen accounts get temporarily suspended due to allegedly “suspicious” logins. One way to avoid this is to make sure staff with social media access log in only where they usually do and on the device they usually use.
- Communicating password updates. Some social media sites require password updates regularly for security purposes. That may leave your practice manager or front office staff asking, “What’s the new password?” with distressing regularity. This leads to inefficiency and can delay important posts or responses.
- The doomsday scenario: a disgruntled staff member. When a staff member leaves and still has access to your social media channels, there’s some serious risk involved. And it might not be as simple as updating your passwords. If you haven’t been keeping up with passwords, you may have also lost track of who has what types of permissions in your social media accounts. It could very easily be the case that the main login for your Instagram or Facebook got changed to something you no longer control, but your terminated staff member does.
Instagram, Facebook, and most other social channels offer the ability to disable an account (if you’re just planning to take a break for a while) or fully delete an account (if you never plan to use it again). Accounts that have been disabled can be restored, but if your account gets deleted, your profile, photos, videos, comments, likes and followers will be permanently removed. According to Instagram: “If your account was deleted by you or someone with your password, there’s no way to restore it. You can create a new account with the same email address you used before, but you may not be able to get the same username.”
How to Keep Passwords Safe
Hopefully by now, we’ve made some of the risks clear. Thankfully, there’s a pretty simple solution. We strongly recommend that clients choose a password manager such as LastPass, Keeper or Dashlane both for password security and to make it easier to keep track of the wide range of passwords you need online. We can’t tell you how many times we’ve been unable to help with an important update because the client has no idea what their password is and can’t recover it.
But purchasing a password manager and loading all your passwords into it is only step one. Going forward, you need to be diligent about updating passwords in the manager as they change and adding new login info whenever you or your staff create it. No more jotting a password or username down on a sticky note. You and your staff need to follow a process.
It might be obvious, but be very careful with how you grant permissions within the password manager you choose. In a plastic surgery practice, it may be only the doctor him/herself and maybe a senior practice manager who have full access to manage users and update passwords. From there, you can designate and assign access to staff and vendors only on an as-needed basis. For instance, your aesthetician who also helps out with Facebook and Instagram would only get login info for those sites, while your front office receptionist who also uploads before-and-after photos to the website would only have your WordPress login information.
As you can see, if roles change or when staff members leave, you can simply remove access in your password manager, rather than scrambling to reset several passwords and worrying about whether you really covered all your bases. For just a few dollars a month, and by sticking to some good internal security processes, you can put your mind toward more important things for your practice.