How to Protect Your Business’s Digital Assets in 2024

December 21, 2022

Quite often we come across businesses, especially start-ups and SMEs, that have no control over their digital assets, purely because an asset was created by an employee who is no longer with the organization, or was never handed back to the company’s digital silo. This costs the business time, money and control, and at times creates bottlenecks in very crucial situations when a change is needed. For a business, time is money, and anything that may make you lose time is, in effect, CRITICAL. This need is the motivation for writing this article: to define a “Hygiene Checklist for Managing Digital Assets”, so that you as a business do not make the same mistake and are better equipped to deal with it.

Since the context of digital assets can be huge, let me stick to the ones that pertain to the web and mobile applications that you run, and let’s keep aside any other digital assets for the time being, such as IT assets, digital physical assets etc.

What are the digital assets that web applications use, and what is the best way to manage ownership of them? What are the questions you should be able to answer as a business owner when you own these digital assets, and what are the Dos and Don’ts here?

  • Hosting and DNS

Your app can be hosted in a shared hosting environment like GoDaddy, on a dedicated VPS host like DigitalOcean or Linode, or in a cloud environment like AWS EC2 or Azure. Whichever environment it is, it’s important that the ROOT account of the hosting is under the ownership of a common business email, with 2-factor authentication linked to a mobile number that belongs to the business. The stakeholders of the business should get ALL notifications from the hosting account at all times, because if there are billing failures for 3 consecutive months your account can be terminated or the data deleted, and that’s a HUGE risk. Basically, the email configured here has to be MONITORED at all times; the data at stake is too critical to leave it unwatched.

Just as important as control of the hosting is control of the DNS or domain name provider (could be GoDaddy, Mercaba or any other). The primary account with the domain registrar must be under the common business email, and the mobile number linked to it for 2-factor auth must belong to the business as well. The notifications for expiry of domain names must be set correctly so that you get timely alerts, and expiry dates have to be tracked to avoid unexpected downtimes or outages.
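One way to track expiry dates independently of the registrar’s notification emails, as an added example that is not part of the original article: it parses the expiry field out of WHOIS text and flags domains inside an alert window. The domains, WHOIS excerpts and the 30-day window are constructed assumptions; in practice the text would come from the `whois` command for each domain you own.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts: domains and dates are made up for illustration.
SAMPLE_WHOIS = {
    "example.com": "Domain Name: EXAMPLE.COM\n"
                   "Registry Expiry Date: 2024-03-10T04:00:00Z\n",
    "example.org": "Domain Name: EXAMPLE.ORG\n"
                   "Registrar Registration Expiration Date: 2025-01-15T00:00:00Z\n",
    "example.net": "Domain Name: EXAMPLE.NET\n"
                   "Updated Date: 2023-11-01T00:00:00Z\n",
}

# Registries label the field differently; these two spellings are common.
EXPIRY_RE = re.compile(
    r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def expiry_from_whois(text):
    """Return the expiry as an aware UTC datetime, or None if no field is found."""
    match = EXPIRY_RE.search(text)
    if match is None:
        return None
    parsed = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def renewal_status(whois_by_domain, now, warn_days=30):
    """Map each domain to (state, days_left); warn_days is an assumed alert window."""
    status = {}
    for domain, text in whois_by_domain.items():
        expiry = expiry_from_whois(text)
        if expiry is None:
            # A missing field is itself a finding: nobody can track this renewal.
            status[domain] = ("UNKNOWN", None)
            continue
        days_left = (expiry - now).days
        if days_left < 0:
            state = "EXPIRED"
        elif days_left <= warn_days:
            state = "RENEW_SOON"
        else:
            state = "OK"
        status[domain] = (state, days_left)
    return status

if __name__ == "__main__":
    today = datetime(2024, 2, 20, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for domain, (state, days) in renewal_status(SAMPLE_WHOIS, today).items():
        print(f"{domain}: {state} ({days} days left)")
```

Run from a scheduled job, the result can be sent to the monitored business mailbox so that an alert does not depend on one person’s inbox.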

  • Your Web Application and API Interfaces 

The web application will be in your hosting environment, but it’s important to know:

  1. How many instances are you running and getting billed for?
  2. What technical stack is each instance running? For example, is it PHP, Node or React, or a combination of stacks for backend and frontend?
  3. Where is the database hosted, and how many databases are you running?
  4. What are the 3rd party integrations for the app, and do you have control of the accounts used for each of these?
  5. Does the application use any other services like Elasticsearch, S3 or anything else that is additionally charged/billed, and on what basis is it billed?
  6. Most importantly, who has access to the hosting environment, how is it controlled, and what is the process used to grant/revoke access? Ideally you should NEVER share the root account login; the best way is to add or invite users to the account as a specific type of user, based on the required level of access. Alternatively, give access at the SSH level, or at whatever specific level the work requires.

  • Web Application Code Base

Whenever you run a web or mobile application, it’s important that you have a source code repository account maintained for your company, be it GitHub, Bitbucket or a similar service. The email used for creating the account MUST be owned by the company, and for each project the required level of access can be given to the developers. There must be a process to add and revoke users as people join and leave projects. It’s also possible to give someone read-only access to view the code, for example if you want to work with a new development firm and let them check the code.

For additional protection, it’s good to add a further layer of protection to the master/main branch that holds the production code, so that any code merge into this branch requires approval and the branch is protected from deletion etc. If you look up how to enable branch protection for Git, you’ll get good insights on this.
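To check that a production branch really has these protections, the following added example (not part of the original article) audits a branch protection rule in the shape returned by GitHub’s “Get branch protection” REST endpoint. The two sample rules are constructed, and the admin-bypass and force-push checks go beyond the two protections the article names.

```python
import json

# Constructed samples shaped like the response of
# GET /repos/{owner}/{repo}/branches/{branch}/protection; values are made up.
WEAK_RULE = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 0},
  "enforce_admins": {"enabled": false},
  "allow_deletions": {"enabled": true},
  "allow_force_pushes": {"enabled": false}
}
""")

HARDENED_RULE = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "enforce_admins": {"enabled": true},
  "allow_deletions": {"enabled": false},
  "allow_force_pushes": {"enabled": false}
}
""")

def enabled(rule, key):
    """Read the nested {"enabled": bool} flag, treating a missing key as off."""
    return bool((rule.get(key) or {}).get("enabled", False))

def audit_branch_protection(rule):
    """Return a list of findings; an empty list means the rule meets the checklist."""
    if not rule:
        return ["branch has no protection rule at all"]
    findings = []
    reviews = rule.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("merges do not require an approving review")
    if not enabled(rule, "enforce_admins"):
        findings.append("administrators can bypass the rule")
    if enabled(rule, "allow_deletions"):
        findings.append("branch can be deleted")
    if enabled(rule, "allow_force_pushes"):
        findings.append("history can be rewritten with a force push")
    return findings

if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("hardened", HARDENED_RULE)):
        print(name, audit_branch_protection(rule) or "OK")
```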

  • 3rd Party Integrations

Most web applications have a lot of 3rd party integrations these days, the most common being Google Maps, Google Analytics, payment gateways, SMS gateways for OTP validation, Mailchimp for newsletter subscriptions etc. It’s important to ensure that all accounts used by the business are registered to the common business email, with 2-factor authentication linked to a mobile number that belongs to the business. Also ensure that all API keys used for integrations are generated under the specific project name and then given to the development/integration team. It’ll be an issue if you allow developers to create these credentials under their own accounts and use them, even for Google Maps or a free service. At some point the business will need to switch to paid accounts based on usage, and it’ll be a pain then to switch or upgrade the account seamlessly.

  • Google Analytics, Social Logins or others

It’s always good to plan and integrate analytics on all digital assets you run, especially if they are customer facing. The business should own the Google Analytics account that you will be using, in the same way that it should own all the social media accounts it uses for its integrations.

  • Backups and Snapshots

Though backups and snapshots are part of the hosting strategy, depending on the type of hosting it’s important to check whether you have these available at all times. Cloud platforms like AWS and Azure do maintain snapshots, but not all hosting providers may be maintaining continuous data backups, and it’s always a good strategy to maintain regular REMOTE backups.

When it comes to Mobile Apps

  • PlayStore and Apple Store Credentials

These are the credentials used by developers to publish apps to the Google Play Store or Apple’s App Store. They have to be owned by the business; do not allow developers to use their own. That way you always have control over app analytics and updates, and you get notified of any deprecated versions and upgrades that may be needed for the apps. The respective developers can be given access by invite only, to the projects they work on, and nothing further is needed here.

  • Push Notifications – Credentials

Most mobile apps use a 3rd party service for push notifications, for example Firebase or others. Whichever one you use, it’s important to have control of the account that is used here.

  • Mobile Application Code Base

The mobile app code base, just like the web application code base, must be maintained in a code version control tool like Git or Bitbucket. The same rules that apply to web code management apply here too.

In this era, we cannot take digital assets lightly, as they are the lifeline of the business, and it’s extremely important to understand how to protect and safeguard them at all times. The above is just a start, from a hygiene and must-do perspective, and as we dig deeper there are further best practices and standards that can be followed. But the most important CHECK is to ensure that we have this in place to start with!