Last year, my buddy Kai had An OpSec Event. His business depends on two dozen hosted services (a common situation today), and in the management of all that he’d forgotten to remove access for a former user. They deleted a bunch of stuff and he had to recover from backups. To prevent that from happening again, I shared a monthly checklist to run through for each service:
- Can I cancel this service?
- Should I delete users?
- Should I change shared passwords?
- Should I un-share anything?
- Should I force-disconnect any devices?
- Is the domain name about to expire?
- Is the credit card about to expire?
- Am I paying for more than I use?
- Should I cancel auto-renewal?
- Is the last backup bigger than the one before it?

Recently, while managing my own services, I realized I’d forgotten an item:
- Are there any messages from the provider in my account?

Most services will email you updates, but I’ve learned not to depend on that. Last year there was an alert in the summary page of one of my investment accounts. It required action, but only appeared on that page. No email, no text message, no call. Once, a critical alert got filtered as spam and I barely caught it. Another time it turned out my email address had been updated by a customer service rep and they made a small typo, so I wasn’t getting alerts at all.

It’s a few minutes of work, but I log in to each provider account once a month and look for messages. This saves me from mistakes, but I also find value in seeing all my accounts personally on a regular schedule. It keeps me informed.

Hope your new year is going well!