
Tip 5: Give Outside Vendors Only the Access They Need – And Take It Back When They’re Done
May 1, 2026
Every vendor, contractor, or third party with access to your systems is an extension of your risk. Treat access like a key – give it when needed and take it back when the job is done.
What to do:
- Pull a list of every external person or company with access to your business systems – email, servers, software, remote tools, etc.
- Remove access for anyone who isn’t actively working with you right now.
- For all future access requests, set a time limit – 30, 60, or 90 days – and build a reminder to revoke it when that window closes.
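Putting the three steps above into a script, as an added example that is not part of the original post: it runs over a constructed inventory of external accounts (the record fields and sample entries are assumptions, not a real vendor list) and sorts each one into revoke, remind or keep based on the agreed 30/60/90-day window, a reminder a week before the window closes, and a dormancy check for accounts that have not logged in recently.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed records for the example; real ones come from your directory,
# VPN, mail and SaaS admin consoles. Field names are assumptions.
@dataclass(frozen=True)
class ExternalAccess:
    who: str                  # vendor, contractor or partner account
    system: str               # what the account can reach
    granted: date             # when access was issued
    window_days: int          # limit agreed at grant time: 30, 60 or 90
    last_used: Optional[date] # None: the account has never logged in
    engagement_active: bool   # still actively working with you right now?

def review(records, today: date, remind_days: int = 7, dormant_days: int = 30) -> dict:
    """Sort accounts into revoke (act now), remind (confirm with the owner) and keep."""
    out = {"revoke": [], "remind": [], "keep": []}
    for r in records:
        exp = r.granted + timedelta(days=r.window_days)   # end of the agreed window
        key = f"{r.who}@{r.system}"
        if not r.engagement_active:
            out["revoke"].append((key, "engagement ended"))
        elif today >= exp:
            out["revoke"].append((key, f"window closed {exp.isoformat()}"))
        elif r.last_used is None:
            out["revoke"].append((key, "granted but never used"))
        elif (exp - today).days <= remind_days:
            out["remind"].append((key, f"window closes {exp.isoformat()}"))
        elif (today - r.last_used).days > dormant_days:
            out["remind"].append((key, f"no login since {r.last_used.isoformat()}"))
        else:
            out["keep"].append((key, f"active until {exp.isoformat()}"))
    return out

SAMPLE = [  # constructed sample inventory
    ExternalAccess("it-contractor", "vpn", date(2025, 9, 1), 90, date(2025, 11, 20), False),
    ExternalAccess("payroll-vendor", "hr-portal", date(2026, 2, 5), 90, date(2026, 4, 28), True),
    ExternalAccess("web-agency", "cms", date(2026, 4, 1), 30, date(2026, 4, 29), True),
    ExternalAccess("auditor", "fileshare", date(2026, 4, 15), 30, None, True),
    ExternalAccess("msp", "rmm-tool", date(2026, 3, 1), 90, date(2026, 3, 5), True),
    ExternalAccess("backup-vendor", "backup-console", date(2026, 4, 10), 60, date(2026, 4, 30), True),
]
REVIEW_DATE = date(2026, 5, 1)  # the day the audit is run

if __name__ == "__main__":
    for bucket, items in review(SAMPLE, REVIEW_DATE).items():
        for key, why in items:
            print(f"{bucket:6} {key:30} {why}")
```

Run it on the review date and the "revoke" bucket is your removal list for today, while "remind" is the calendar follow-up the tip asks for.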
Common mistake: A business works with an IT contractor on a project that wraps up in the fall. Everyone moves on. Six months later, that contractor’s credentials are compromised in a data breach at another company they worked with. The attacker tries those credentials on your systems and they work, because nobody ever removed the access.
This isn’t an edge case. It’s one of the most common attack patterns in small business breaches.
The audit takes about an hour and costs nothing.
How to know it’s done:
- You have a current list of every person with external access to your systems
- Anyone no longer active has been removed
- Future access grants have a documented end date with a calendar reminder to review