Who still has the keys to your systems?
Most businesses couldn't name every system a former employee had access to. That's the whole problem. Here's what to do about it.
When was the last time you looked at who actually has access to your systems? Not who should have access, but who does, right now.
For most businesses, the honest answer is: not recently, if ever. Someone joins, they get added to the tools they need; someone leaves, their email gets cancelled, and everything else gets forgotten. The result is an estate of live credentials that grows over time and never shrinks.
Former employees, old contractors, the freelancer who worked on a project three years ago: some of them still have active logins to systems you rely on every day, not because anyone intended it, but because nobody ever went back and removed them.
The shape of the problem
Access control isn't one decision; it's hundreds of small ones made at different times by different people, usually without any central record. A new starter gets added to the project management tool in their first week; when they leave eighteen months later, the task of removing them falls through the gap between IT and a manager who's already moved on.
Shared accounts make this worse: a single login that multiple people use has no obvious owner to remove, so the password would need to be changed and redistributed every time someone leaves, which almost never happens.
Most businesses couldn't tell you, right now, how many people have active access to their systems. Some of those people no longer work there; a few of them didn't leave on good terms.
What to do
A simple offboarding checklist covers most of this — run every time someone leaves, no exceptions. It doesn't need to be sophisticated; it needs to be complete and actually used.
The list should cover every system the person touched: email, cloud storage, CRM, project management, finance tools, website admin, any shared accounts. For each one, revoke access, rotate shared passwords if relevant, and note it done.
A periodic access review, run once or twice a year, catches the gaps that accumulate between leavers. Who has admin access to your website? Does that person still work here? These questions take ten minutes to answer and are almost never asked.
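The review described above reduces to a reconciliation: take each system's list of logins, match it against the HR roster, and flag what doesn't line up. The script below is an added example, not code from the original post or its author; the system names, the roster layout, and the account exports are all constructed stand-ins for whatever your own tools export. It flags three things: logins belonging to former employees (worst when they hold admin), logins HR has never heard of, and shared logins with no single owner.

```python
"""Reconcile per-system account exports against an HR roster.

Added example. The HR_ROSTER and ACCOUNTS data below are constructed;
the system names ("crm", "website-admin", ...) are hypothetical.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}
REVIEW_DATE = date(2024, 1, 1)  # constructed date of this review run


@dataclass(frozen=True)
class Account:
    """One login as reported by one system's user export."""
    system: str           # hypothetical system name, e.g. "website-admin"
    login: str            # email or username exactly as the system reports it
    role: str             # "admin" or "user"
    shared: bool = False  # True when several people use this one login


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    severity: str
    reason: str


# Constructed HR roster: normalized email -> (still employed?, leaving date)
HR_ROSTER = {
    "alice@example.com": (True, None),
    "bob@example.com": (False, date(2023, 4, 30)),
    "carol@example.com": (True, None),
}

# Constructed exports from four hypothetical systems
ACCOUNTS = [
    Account("email", "alice@example.com", "user"),
    Account("email", "carol@example.com", "user"),
    Account("crm", "Alice@Example.com", "admin"),          # case differs; still Alice
    Account("crm", "bob@example.com", "user"),             # leaver, ordinary access
    Account("website-admin", "bob@example.com", "admin"),  # leaver, admin access
    Account("website-admin", "freelancer-2021", "admin"),  # nobody in HR knows who this is
    Account("finance", "finance-shared", "admin", shared=True),
]


def normalize(login: str) -> str:
    """Match logins case-insensitively and ignore stray whitespace."""
    return login.strip().lower()


def review(accounts, roster, today: date):
    """Return findings, most severe first: leavers, unknown logins, shared logins."""
    findings = []
    for acct in accounts:
        if acct.shared:
            findings.append(Finding(acct.system, acct.login, "medium",
                "shared login has no single owner; rotate it whenever anyone leaves"))
            continue
        key = normalize(acct.login)
        if key not in roster:
            sev = "high" if acct.role == "admin" else "medium"
            findings.append(Finding(acct.system, acct.login, sev,
                "login not in HR roster; find the owner or remove it"))
            continue
        employed, left_on = roster[key]
        if not employed:
            days = (today - left_on).days
            sev = "critical" if acct.role == "admin" else "high"
            findings.append(Finding(acct.system, acct.login, sev,
                f"former employee, left {days} days ago; revoke"))
    # sorted() is stable, so findings of equal severity keep export order
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def leavers_still_with_access(findings):
    """Map each former employee to the systems they can still log in to."""
    by_person = {}
    for f in findings:
        if f.reason.startswith("former employee"):
            by_person.setdefault(f.login, []).append(f.system)
    return {login: sorted(systems) for login, systems in by_person.items()}


def review_sample():
    """Run the review over the constructed data above."""
    return review(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


def report(findings) -> str:
    return "\n".join(f"[{f.severity.upper():8}] {f.system}: {f.login}  {f.reason}"
                     for f in findings)


if __name__ == "__main__":
    found = review_sample()
    print(report(found))
    print(leavers_still_with_access(found))
```

The roster is the source of truth deliberately: a login that matches nobody in HR is a finding in its own right, because the freelancer from three years ago is exactly the account nobody remembers creating. Case-insensitive matching matters too, since the same person is often "Alice@Example.com" in one tool and "alice@example.com" in another.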
If you're not sure where to start, an access audit is a good first step.
Robin Carswell