One of our board members has decided everyone on the board should have complete, unrestricted access to everything. From the combination to the lock on the little cabinet that houses the modem and gateway router and the passwords for those devices, to full-administrator privileges on all of our software “systems” (Google Workspace, Mailchimp, Square, Azure, etc.)
Another board member is now rallying with that board member so it is going to be an entire discussion point at our next board meeting.
Part of me wants to just go ahead and do it. Everyone can start sending newsletters through Mailchimp (we have just one person who coordinates them all now) and we won’t have any standards on formatting, frequency, etc. Everyone can set up new groups and users in Google Workspace and create shared drives like they are folders. Why not?
I want to explain that less access means less exposure to systems being compromised. It means not having the person who does a function different from yours digging into your projects randomly and deciding to “help.” It means you won’t end up locked out later because somebody else in a few years decides tightened security is needed and starts arbitrarily making decisions about that.
Are there any other good reasons I should give these particular board members why this is a bad idea? Or, is this just me being too overly protective of the work I’ve been doing for years?
Any feedback or questions are welcome.
I hear this frequently when someone needs X to be done, but so far have received no advice other than, "only person A" can do that. The response is often some version of, "why not?" followed with, "I don't know, only person A has access to it."
The initial request usually comes from higher in the food chain. Usually the requester is used to dispatching responsibilities to (organizationally) nearby people and having their requirements carried out.
This doesn't mean that such people actually want (in this case) to actually remove all access control. They want thing X and they want to move on with their bits of the process feeling like thing X is handled and will be delivered forthwith.
Rather than start with the Why This Is a Bad Idea list, meet with them towards figuring out what X actually is and what needs to be changed to support bringing it about. If they push back, mention how data security affects public perception of your kind of NP. I mean, no one wants to give their PPI to an outfit that is known for ignoring the safe-keeping of their clients' data.
I have found that going into such a meeting with technical guns blazing can overwhelm the bandwidth of (often management) those you need information from.
Make it about X and the people that need X. What do they need to accomplish? What are their timelines? What has broken down such that this issue has arisen? Is person A available to assist?
If you do it right, the requestor will see a scenario where the initial advice was merely incomplete and that you were the person to see about it the entire time.
You might need to make a short-term adjustment for an instance of X to happen (that's all very well and good, but this was supposed to go out yesterday!) but the org managers might start seeing you as someone to engage ahead of someone up-top making uninformed decisions that could have unfortunate long-term consequences.
I could have kept all my deposits as cash on the kitchen table for all the interest that they've been earning.
I spent over a decade as a governor of a local school and avoided ever having access to the WiFi, etc, etc.
In general it is safest and easiest to manage potentially troublesome rights if you keep those to a small known group.
And that's assuming that no one has a latent gambling addiction or whatever.