Part 3: Who’s Got the Keys? Managing Access in Small Businesses
In many small businesses, identity and access management looks like this:
- A shared Gmail account for marketing
- One login for everyone at the front desk
- An intern who still has access even after they’ve left
When everyone has access to everything—and no one knows who has what—it’s not just bad practice. It’s a ticking time bomb.
Access Management 101: The Principle of Least Privilege
Only give people access to what they need, when they need it, and nothing more.
Think of it like a restaurant kitchen. Not everyone needs the keys to the walk-in freezer or the liquor cabinet.
The Most Common Access Mistakes (and How to Fix Them)
Mistake #1: Shared Accounts
Using one login for multiple people is risky. Fix: Assign individual accounts wherever possible.
Mistake #2: No Offboarding Process
Former employees with active access are a huge risk. Fix: Revoke access immediately—and automate it if you can.
Mistake #3: Everyone Is an Admin
Only a few should be admins. Fix: Separate admin and user roles, and require MFA for all admins.
Smart Access Tips for Small Teams
- Use Microsoft Entra or Google Workspace
- Group users by role
- Review access regularly
- Use an offboarding checklist
- Rotate passwords and revoke stale sessions
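A regular access review can start as a short script run over an account export. The sketch below is an added example, not part of the original post: it checks a constructed account list for the three mistakes above (shared accounts, former staff who still have access, admins without MFA) and also flags long-idle accounts. The CSV column names, the staff roster, and the 90-day idle threshold are assumptions and do not match any specific Entra or Google Workspace export format.

```python
import csv
import io
from datetime import date

# Constructed sample data: an account export and the current staff roster.
ACCOUNTS_CSV = """email,owner,is_admin,mfa_enabled,last_login
marketing@example.com,shared,no,no,2024-05-28
frontdesk@example.com,shared,no,no,2024-05-30
dana@example.com,Dana Ruiz,yes,yes,2024-05-30
sam@example.com,Sam Lee,yes,no,2024-05-29
intern@example.com,Alex Kim,no,no,2024-01-12
"""
CURRENT_STAFF = {"Dana Ruiz", "Sam Lee"}
STALE_AFTER_DAYS = 90  # assumed review threshold, adjust to your policy


def review_access(accounts_csv, current_staff, today):
    """Return a list of (email, finding) tuples for accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        email, owner = row["email"], row["owner"].strip()
        is_admin = row["is_admin"].lower() == "yes"
        has_mfa = row["mfa_enabled"].lower() == "yes"
        idle = (today - date.fromisoformat(row["last_login"])).days

        # Mistake #1: one login used by several people.
        if owner.lower() == "shared":
            findings.append((email, "shared account: assign individual logins"))
        # Mistake #2: the account owner is no longer on the roster.
        elif owner not in current_staff:
            findings.append((email, "owner not on roster: revoke access"))
        # Mistake #3: admin rights without MFA.
        if is_admin and not has_mfa:
            findings.append((email, "admin without MFA: require MFA"))
        # Accounts nobody has used recently are candidates for removal.
        if idle > STALE_AFTER_DAYS:
            findings.append((email, f"no login for {idle} days: review or disable"))
    return findings


if __name__ == "__main__":
    report = review_access(ACCOUNTS_CSV, CURRENT_STAFF, date(2024, 6, 1))
    for email, finding in report:
        print(f"{email:24} {finding}")
```

Keeping the roster as the source of truth means an account shows up in the report as soon as its owner is removed from the roster, which is the check an offboarding checklist should end with.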
Bonus: Tools That Help Without Breaking the Budget
- Microsoft 365 Entra ID – Centralized access – Business Std+
- Google Workspace Admin – User/device management – Basic–Plus
- Bitwarden Teams – Shared password vaults – Low
- JumpCloud / Okta – IAM & directory services – Mid
- Your MSP – Monitoring & offboarding help – Flexible
Need a better way to manage access? Download the policy starter and offboarding checklist to get started.
Coming Up Next: The Human Factor
In Part 4, we’ll explore how to train your team without the snoozefest.