In this episode, we discuss owning your digital assets. So many people take the time to secure their homes, their offices, cars and their businesses but don’t secure their digital assets, which in today's online business environment can be even more important.
Darryl: Welcome to My Bloody Website. The show where we talk all things online, for small and medium business owners, or executives, who still refer to their bloody website. I'm your cohost, Darryl King.
Edmund: And I'm Edmund Pelgen.
Darryl: Okay. Welcome Ed. Episode Three. Here we go. Three times in, we're still coming back. That's pretty good. Now, let's hope we keep getting more people that are signing up. Thanks to the people who are subscribing, we really appreciate it. Episode Three: Owning Your Digital Assets.-
Darryl: -Well, I talked about this last week in the episode, and I'm probably going to end up on a little bit of a rant. This is a lecture for all you naughty business owners that don't respect your business enough to keep it secure. I used an analogy in the previous episode, I think it was last week, about if you had a physical office, or store, or warehouse, whatever it is your business is about. And if you work in a business, this still relates to you even if it's your home, if you work from home, as many people do. You don't go out ... Well, you don't in this day and age. You don't go out and leave the house wide open. You don't hand out keys, all the way around the street.
You go down to get milk and you go to the shop, "Oh, by the way here's a key. Drop some milk in. Just keep the key you know. That's fine." This digital assets are the things that ... And maybe we should define what that is.
Darryl: Is that the other things that a business owns and uses online. So you don't necessarily own Facebook, but you have an account that your credentials "own", in quotes, and that allow you to access it, and post, and do everything that's on there.
Another asset is your website. Another asset is your domain name or names. Then you rent other parts of the asset chain if you want to call it [inaudible 00:01:51]. I rent up from a hosting company and that's where my website and email lives. Right?
My email accounts are an asset and if they are associated to my business domain, I don't just hand them out. I don't just give them willy-nilly, everybody in the neighbourhood. "Oh yeah, yeah, yeah. You can just have you know Fred at my domain name..." because they could represent my corporate entity doing something I don't want, so we keep control of our assets.
I can't just get an at Google email address. You know, I can get a Gmail address, but I can not get a Google, so ... That's a loose description of the digital assets.
Edmund: Here is my question. Why do most people do such a poor job of controlling these digital assets?
Darryl: Because they don't call them digital assets.
Edmund: That's right. That's a pretty nerdy term.
Darryl: It's a thing. Everyone knows historically that people can burgle you and steal things physically, but because it is virtual we kind of, "Oh, it doesn't matter so much." I understand that.
Despite having been building stuff for twenty years, I get as much enjoyment sometimes about doing something with my hands, building a fence. Saying, "I built that." Because it is there every day when I walk out and see it, whereas we can forget about the stuff that is online if we don't visit it all the time and it is not in front of us.
Darryl: People, they just aren't thinking about it as an asset. They are just thinking about something we've got. Honestly, a lot of businesses spend more care and attention about their business card and their brochures than understanding that this asset, website, their social media accounts, they're something that they have to control and protect.
Edmund: I like the analogy that you've used in the past when we have chatted about this. You know, being if you ran a business you would lock the door every night. You would lock the safe. Right? You'd lock the registers. You'd pull the windows down. You'd make sure that it is secure, that no one can get access to it. All of those things.
We need to reset people's thinking that their online businesses, their website, and all those other digital things are like their real business. Because in this current world, that's how a lot of our businesses run. That is how we find our customers. That is how we interact with our customers. They are critical.
Darryl: Yeah, and like you are talking about that, you know you'd lock up. We have staff in your business. Businesses have to have staff that have access. They know the security code to open the shop in the morning. They have keys. That is a normal practice in a business, to have multi-levels of access to it. But by the same token the store manager that can open the door to the shop in this particular branch, they don't necessarily have keys to every store you've got.
Edmund: That's right.
Darryl: They probably don't have access to your bank account. So you have different levels of responsibility that you give to people. Based on the level of responsibility in your organization. Now step back, even sole entrepreneurs that have handed off the keys. You could have a conversation with a small business owner go, "Where is your hosting?" "I don't know."
Edmund: That's right.
Darryl: But, if they bang their car up they can probably tell you who their insurance agency is. There is just this understanding missing I think, or respect about, this is a valuable commodity that controls who I am. If you don't control it, you risk having it taken away from you. I think we talked off air. A lot of people won't necessarily know it, but there was a company called Marketo, which is known in the online marketing space. They have tools and stuff online.
Edmund: Billion dollar company.
Darryl: Yeah. Forgot to renew their domain name and so it goes offline. Now, most people end up solving that, but how could you forget to do that? But if you have had that domain for 15 years and the email chain of who ... Oh, I got the IT guys to do it, and they were actually a third party company, and you don't deal with them anymore. Then they're out of business, or whatever it is, and then it came back and you had some internal marketing manager or tech manager, whatever it might be, and they are no longer with you. The domain renewal notification could be going to Billy Ray at my business dot com.
Edmund: That's right.
Darryl: And Billy Ray's not been there and we didn't get on so well at the end with Billy Ray, so when he went it's like, "Just get rid of his accounts, cut him off, I don't want anything to do with Billy Ray." So we deleted his email account because we're in a rage of passion, and no one redirected his email. So seven years later, we lose our domain, no one tells us. We don't know because we haven't checked our website. We'll get to that in another episode. We haven't checked our website for 30 days, it's falling out of the redemption period. It's now gone and you [inaudible 00:06:41] your domain name and it's pointing to this website. And you just wonder why the phones stopped ringing?
And that might sound dramatic. But those things happen.
Edmund: You know what I think would be really handy is, why don't we step through all the key digital assets. And you give us some insight into what they should be doing to protect them. And how they should be protect them? Yeah?
Darryl: Yeah, sure.
Edmund: So, what's the primary digital asset that you would think that they should start with?
Darryl: Well, I think your domain name. Domain names control everything. So domain name is like your street address. If you don't have control of that, everything else is irrelevant. There are arguments to, for, against, not having your domain with your hosting provider.
Here's a tip, I'm in the web development space, have been for a long time, been in the hosting space. Create some independence in who provides some of these services to you. Think about levels of separation. So, if a company goes bankrupt, and goes offline, then their receivers in that company will control what happens with all the things within that business.
So if the web development company that set you up in the beginning, bought your domain name, got your hosting, build your website, and then no longer around, and you can't ... their support contact, the email, is theirs and they don't exist, they went out of business. Then the ability for you to get access and manage this stuff is all [good 00:08:06]. But also, you change your website development provider. And the old people have control of the domain, they just turn it off.
So, there's all sorts of scenarios that people have come across. The way I look at it is, get your domain name with a leading domain registrar. Someone that's offering a good price, been around a long time, that you know they're there. And keep your domains there.
And then that may or may not be your hosting provider. A lot theory would say, no, separate them [inaudible 00:08:33], but for a small and medium business owner, right now, let's just separate a few things. Don't leave the keys in the hands of the people doing the creative work or [SER 00:08:41]. Those things [inaudible 00:08:42], they control everything. They are your bank accounts.
Edmund: That's right, because, [inaudible 00:08:47] some small backyard web designs guys will resell domains and resell hosting. So they will buy it for you, typically. So you may be one step removed from owning your own primary asset.
Darryl: That's right. Because they don't ... And let's make this clear, we're not saying, and I know you used the term backyard, but we're talking ... you know, freelancers and ... backyard, makes it sound bad. There's plenty of great people doing great work. But they buy it, it's convenient.
As a small business owner, well, the thing I hear is, "Oh, can you just do it for me? It's really easy." I get that. And I understand that it's just one more thing I don't want to take care of. So, it's smooth to, "Hey, this guys is just going to take care of everything." And that's okay.
But, at some point you need to make sure. Was the domain record set up correctly, with your name, your email address, your business details? Or was it actually set up with the providers? Now, up until recently, in Australia, you could not do stuff with [inaudible 00:09:38] and all the rest of it. Now you can kind of get around that a little bit.
International domains, you just buy them. There's no restrictions. Well, there aren't anymore. In the very early days, there used to be. So, it used to be harder to get a dot com au, but dot coms, these things you can get very easily. So they can just register under any name. So they've got a reseller account, it's got their reseller profile, they don't change it to you. Technically that domain, at the registrar level, is listed as just the guy that bought it.
Darryl: Not necessarily the business that paid that guy to buy it. And so, there's a little detail like that, but you should be aware of that.
Maybe it would be worthwhile for us putting a link to a, who is, tool? And we'll put that in the show notes. Type in your domain name and see the record, see what's listed. Now, it may be protected. So if it's a dot com, or dot net, you can protect them and hide who it is from. If you log into your registrar, you will be able to see the details.
Darryl: But that's the primary one. Let's get your domain locked down. You need to know where is it at? How long am I renewing it for? Who has got control? And frankly, it has to be someone pretty senior in your business [crosstalk 00:10:46]-
Edmund: That's right.
Darryl: business. [crosstalk 00:10:47]-
Edmund: And make sure that the renewals-
Darryl: -I've got direct control. It's a direct report back to me. Whoever is renewing that, it's done at a generic company email address that won't go away when you leave.
And secondly, I'm across it, and I get notified every time it's renewed.
Edmund: Yeah. All right, that's the domain name. What's the next key one they should protect?
Darryl: Well, I think it probably spreads out from there a little bit, it's pretty flat. I mean, everything matters, but the next thing will be your hosting.
Your website can't exist without hosting. Your email won't work unless you have email hosted somewhere, being run. Whether it be on your local server, they not necessarily all in the same place, but the hosting, your mail, all of those things, they're probably the biggest things that you will day to day deal with. Don't give lots of people access to it. Don't just willy-nilly email details to your web development and everyone else, and then just leave them that way.
So good clients I work with, where we might have to get access to do stuff, they will have difficult generated passwords. They store them. After we finish the work, if its short-term work, they will reset them. Now, as far as a long standing relationship with a client goes, we might have high level access to stuff at the server level. That's quite feasible.
What's important though, is that, if you can, you put it in as a sub-account. So that we're logging in not using the main credentials. And we can't add users, so that we can access stuff, but we can't add users.
But if you have to give high level access, when that relationship terminates, and at the end, we're going to talk about auditing and checklists and things, how to do it. When you terminate a relationship with a provider, or a staff member or whatever it might be, business partner, whoever owns the asset, should be taking control of removing access to it. For lots of reasons. We'll talk about security and all that.
But, just simply from that level, if you have a book keeper and an accountant working in your business, they have access to your booking keeping software, and they may have access to the bank account, with a sub-profile to do payroll, things like this electronically online, would you leave them there when they're no longer working for you? Would you just leave unfettered access to your bank account? At whatever level it is, I don't care even if it's high restricted, why they technically have the ability to put in and change information? I don't think you would, would you?
Edmund: No, absolutely not.
Darryl: Yeah. So, it's the same thing. Treat it like money. Because this is the place where you come in, you do the work, your prospects come to your website. People email you, that's the way that they communicate with you. It's so valuable to your business that you must lock it down.
Edmund: Yeah. And I think it's really important to reiterate that it's easy to determine the value of these things. If you're running an e-commerce business and you make sales online, if your shop goes down, you will lose real money. Right?
Darryl: That's right.
Edmund: If you lose the domain name for your business and that's how people search and find you, you will lose business. It will cost you stupendous amounts of money.
Darryl: Okay. So, let's move on to the next thing. So then there's software. There will be a lot of software you use in your business, web-based software. Software as a service, as it's called. And that could be online meeting software, it could be some A-B testing software. It could be your accounting software. Whatever it is you're using, that software, that's one part of it. And I'm going to include social media as not software. I mean, technically they're web applications.
Darryl: All of these things that you use to run your business, all of these things that you use in your business, if you're paying, or even if they're free, and you use them for business benefit, if they have some influence, so if I'm using Buffer, which is a social media communication platform, the marketing manager sets it up. Because that's all well and good. The product [inaudible 00:14:41] the business, people just set it up. And then the marketing manager leaves and now we're not posting anymore. And you can't get access to it.
All of these, Google analytics, Google webmaster tools or search [console 00:14:51] as we now refer to it. These are interlinked with Google profiles and stuff, but quite often they're set up by that staff member. And maybe they didn't have that company connected Gmail account, so they logged in with personal Gmail, set it up, because everyone was desperate to do it. Or it's in an agency account.
I came across someone the other day, American provider, and their company policy was they don't give access to the analytics accounts, their agency sets up. Now it wasn't made available as knowledge to the client before they got their site developed and provided by them. So they've lost all the historical data. Gone.
Edmund: That's crazy.
Darryl: Eighteen months of data, gone. They don't have ... they will not get access [inaudible 00:15:29]. You could fight it and go on, you know what? The day when we got control we stuck a new account on there. They've got main access to it. We're an agency contact for it. And move on, so they can move forward. They didn't want to go through the legal fight, trying to force it and get access. Get it transferred, you know?
And that means that's just not being done right. But then think about Facebook, think about Twitter. Don't give access. There's no reason to give access to your Facebook page, to an individual, as in your account details.-
Darryl: -You can ... You've got a Facebook page, you can add a staff member, if they're going to manage, or an agency, as a contributor or a [crosstalk 00:16:05]-
Edmund: [inaudible 00:16:06]
Darryl: -and they get access, they can write post, but they can't add and remove users. Or, to be even more removed and use a piece of software, like Buffer or Hootsuite or whatever, where you create all the integrations. You activate them all, so they all talk. And then you allow them access to posts and to reply to people.
I can't imagine that the major multi-nationals, and maybe I'm wrong, News Corp. or Wells Fargo, CNN, they just give the top level access to all the stuff. Of course they don't. They're using tools to do it.-
Edmund: That's right.
Darryl: -[crosstalk 00:16:40] and they [inaudible 00:16:41] and remove it.
Edmund: And I think it's important to point out that a lot of these platforms, they understand the practical issues of granting access and security. So, they've configured their systems in a way that allows you, for example, Google analytics, to share access to analytics and restricted access, and search console as well.
But the key thing is being aware that A, these tools have the ability to do that, and then setting them up correctly in the first place. I know one issue we have is, clients who may have had their Google analytics account set up, for example, as a little profile on a web agency's analytics account, which then makes it difficult to separate the two. And as we always say is, if you're going to set up analytics and search console, you have your own Google account, to which you attach your services, and then you control access to the parties.
Because, I mean, I don't think people realize that giving someone access to search console, allows that person to basically de-index your website and remove you from the web. Which is a pretty bad thing to happen, right?
Darryl: Yeah. So how many, just as a question then, as a guess, how many accounts-
Darryl: -do you no loner manage, how many accounts-
Darryl: -you no longer manage, [crosstalk 00:17:51] access to-
Edmund: I've prepped this. There's close to 60, 67 accounts that I can log into my analytics and I still see that I have access to, from the last four years. People who have granted me access to see their analytics that are in their Google search console stuff. And I can go and browse all the historical data, and you know, we've moved on and we're no longer doing any work, but I can still troll through all of their data. Could you imagine leaving access to your zero, your accounting of financial data-
Darryl: Of course not.
Edmund: But I still have access to it.
Darryl: Yeah. You could say that there's a different degree of information there, but in this day and age, that data is competitive intelligence.
Edmund: It is.
Darryl: And that leads on, right? So, I mean, basically if you have access to tools and software, you should be protecting it. You should know what you have access to. And look, you know, we'll talk about where you can start, you can ask accounting. Ask your finance department, "Hey, give me all the subscriptions we've made on the company credit card, so I can actually find out where the hell the software is."
But before we get there, it's a security thing. And I've used that analogy of a shop, and I was getting keys and access and punch cards and whatever. And it's the same. So if you have the key cards or whatever, you have a whole ... Asset register? Who has got them? And then when they become a staff member, they get them. And they have to hand them back in when you want to access, you can control it. It's the same methodology mindset that you'd do there.
But it leads to the next thing. Do you have a password protocol? Do you have a security protocol? What's your thinking? So if you just let this stuff out there, the next thing is, through no ill intent of the person that's accessing your profile ... So think about it, social media, Oh, my Facebook page. I'm a major supermarket chain. And Mary, or Bob, because we're not, you know whoever, has access to post. And they're just really crap about their password security level. So they get hacked, and someone hacks their Facebook account. And suddenly, someone's in there and I start posting foul stuff on this major supermarket chain's Facebook page, "And this crisis going on."
The harm is done, right? So, you come back a layer. It's not even just about knowing, it's about what are the things that can separate it? So, I've got a note here, come on everyone. It's 2017. Stop using your business name 17. Or your child's name and their birth year. Because guess what? We talk about algorithms on search engines and things like Alexa, that know what food I want to eat and recommend all this stuff. Do you not think that hackers have little bots that can run through your social profile and try out every combination of you, your wife, your husband, your children, their birth years, their birth dates-
Darryl: -We're talking minutes. And they run all the combinations to get it. Start using secure passwords. The longer is better. Write a whole phrase. Make it 350 letters long, if you need to. I know most sites won't let you do it. But, longer is better. Make them tricky. And make them hard.
Edmund: I might point out a free tool. If you Google, strong password generator. There's a free online tool that you click and it creates a series of random, obscure numbers and digits and characters. And there it is. You've got an extremely difficult password to hack and crack. So that's at least [crosstalk 00:21:12]-
Darryl: We're not going to talk about how to store that stuff, but we're just saying, this is your business. Make sure that the access to your primary stuff is done with some sort of rigor. And some security in mind.
Edmund: Yeah. I feel like pointing out that what happened in the last week, a classic example is, an ex-employee of Twitter, this isn't just little businesses, an ex-employee of Twitter who was sacked, as their parting gift, went and deleted Donald Trump's Twitter account. I mean, seriously, you would have thought that they would have had-
Darryl: [crosstalk 00:21:41] was a good or a bad thing. But yeah, it was like, they were able to do it. Now, it's a slightly different scenario, because they're actually working for them, they didn't log in afterwards, but it was their parting gift when they were leaving the company. But that's the level of access people have to impact [inaudible 00:21:57] your business.
And you just need to be across that. You need to understand that you've opened up ... as a business owner, or as a senior executive in a business, granting access to someone in your team to do these things, you just have to remember that they're broadcasting to the world, that the message [inaudible 00:22:15]. So if they get disgruntled, or if they make an error, that's what they're doing. You just have to recognize it, that's what we work with every day and we accept those risks. But come back a step and say, "In accepting the risks that I do in that point, I have to accept the risk that we might ... they might leave or things might change. And how do we control that?"
So that's it. I mean, we've gone on a lot about it, and maybe to wrap it up, we start talking about, "What should I do? How should I handle this? How do I keep my business safe and secure, that my digital assets are looked after, that I can put that one to bed?" And we can move on. Because I think with these episodes, we want to just have some bits of foundation, get some basics. We want to get into some more interesting things. Some of the marketing stuff, design, development, things as well. But this is really important [crosstalk 00:22:57].
Edmund: Yeah. So, I think a great idea might be we put ... we've got a spreadsheet. We'll put it into show notes there, which has a list of all the digital assets you want to look at and go through, to give you some guidance to make sure you haven't missed them.
Darryl: I have some examples, but it's actually a document that is a template to say, list them all out. I don't know what you've got in your business, but it's really just to say, here it is. This is the name of it. This is a URL where I might go to ... this is when we set it up. This is the password, potentially. Or not the password, but who has got access to the password. But what you really want to do, and basically you probably don't want to store the password in a spreadsheet, but you need to go ... who has got access to it.
But what you should first go through is, you go Facebook page. Then you might look down and go, "There's seven people that have got access." Now you might want all seven people to have access. That's fine. But in this document, it tells you who has got it. So when you say, "I'm going to do an audit.", you look there. And I would say that every six months do an audit.
Sit down, and look at that document, and go, "Right. I want to update the document and make sure it's still accurate", as in the new software, things should get added. Every time there's a new tool we use, add it there, who has got access, what do we use it for.
And then check it. And then, "You know what? We're not working with that agency anymore. And they've got five things." Get someone internally to go and remove them from the profile.-
Darryl: -[crosstalk 00:24:18] is, physically log in and check. Who has got access? Check it out.
In this episode we discuss owning your digital assets. So many people take the time to secure their homes, their offices, cars and their businesses but don’t secure their digital assets, which in todays online business environment can be even more important. And that's it. Even if you're looking at it every couple of months, even every six months, you're looking at it. And you'll pick up those missing issues and errors.
Darryl: Yeah, it's not a daily, weekly or monthly thing. I mean, I've [inaudible 00:24:34] said check every six months, once a year. The thing is, build a sheet or build a document that says, this is everything we use. And if it's nothing else other than that, you don't list everyone next to it. But you log in religiously, every six months and check. "Oh, hang on. Ed Pelgen is still in there. We're not working with him anymore. I'm going to remove his access to analytics. Sorry, Ed. Goodbye." Then you're in control of the tools that help you run your business [online 00:24:59].
Edmund: Yeah. [inaudible 00:25:00] I think that was pretty comprehensive. Do you think we covered everything?
Darryl: I reckon we have.
Edmund: Excellent. I reckon that's it for today. Fellow friends, if you want to be notified when the next episode goes live, please sign up to notifications at mybloodywebsitepodcast.com or as always, subscribe at iTunes. Once again, if you liked it, if you enjoy the content, if you found it helpful, we'd love a review. We hope to see you next week, when we will continue talking about My Bloody Website.
It's goodbye from me.
Darryl: And it's goodnight from him.