A cautionary tale about access control
Employees leaving is a given in business, and it often happens just when you are at your busiest: recruiting a replacement, managing the workload. We’ve all been there. And when life gets busy, updating access credentials across your digital platforms slides down the priority list.
Or maybe you’re buying a business and assume you’ll figure out the admin stuff later. What could go wrong?
Quite a lot, actually.
The problem we keep seeing
Over the past few months, we’ve dealt with several situations that could have been easily avoided.
Businesses change hands, staff members leave, and suddenly no one knows who has access to what. Website logins, Google Analytics, social media platforms, even payment systems – the whole digital infrastructure becomes a bit of a mystery.
In the worst cases, disgruntled former employees still have access to systems. They could delete content, access sensitive data, or just have a nosey around. Even without malicious intent, outdated access is a security risk you don’t need.
The payment provider headache
Beyond website access, payment providers like PayPal and Stripe, and accounting software like Xero, need special attention.
Adding new team members
Most payment providers require proof of ID when you add someone to your account. If the new user doesn’t provide it, the provider may pause your account. If you rely on that account to take customer payments, you’ve got a serious problem on your hands.
Removing users
Some payment and accounting software use individual user details to connect accounts. Remove someone’s email address or update company details without warning, and you might break those connections. Let us know before you make changes like this!
Buying a business
Make sure the previous owner provides full access to all systems before the transaction completes. We usually only have development access to external systems, which is enough to connect things, but won’t help us recover super admin accounts. Test everything before you sign on the dotted line.
Why multiple payment providers make sense
We typically recommend having both Stripe and PayPal set up. They’re both pay-as-you-go, so you’re not paying monthly fees whether you use them or not.
Having a backup method also means if one provider goes offline, you can still take payments. PayPal is also globally recognised and trusted, which can boost conversion rates. We can help you get both systems up and running.
How do we try to keep things secure?
On our end, we enable two-factor authentication (2FA) on all sites. As long as former staff no longer have access to company email and their authenticators have been removed from their personal devices, they shouldn’t be able to log in.
We also deploy regular backups that can be restored if something goes wrong, and we have ways of tracking who makes changes to a site.
Practical tips to avoid access issues…
1. Create an access audit spreadsheet
List every system your business uses – website CMS, email, social media, Google Analytics, payment providers, accounting software, domain registrar, hosting – along with who has access and at what permission level. Review it quarterly and whenever someone joins or leaves.
2. Use a password manager
Tools like 1Password or Proton Pass let you share access credentials securely without revealing the actual passwords. When someone leaves, you can simply revoke their access to the vault rather than changing dozens of passwords.
3. Set up role-based permissions
Not everyone needs admin access. Give people the minimum permissions they need to do their job. Your content writer doesn’t need to be able to delete the entire website.
4. Build access management into your off-boarding process
Create a checklist that gets followed every single time someone leaves. Include everything from website logins to social media accounts to payment systems. Make it someone’s job to tick off every item.
5. Keep your web development team in the loop
If you’re making changes to payment providers, adding team members to admin systems, or transferring ownership of accounts, give us a heads up. A quick email can prevent hours of troubleshooting later.
6. Document recovery procedures
Make sure you know how to recover access if someone forgets their password or leaves without transferring credentials. Keep backup email addresses and phone numbers for two-factor authentication in a secure location.
7. Review third-party integrations regularly
Your website might be connected to half a dozen external services. When you remove someone’s access from one system, check whether it breaks connections elsewhere.
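As an added example of how tips 1, 3 and 4 fit together (this is illustrative code, not the agency’s own tooling), the short script below cross-references an access register against the current staff roster to flag stale access, over-privileged accounts and the systems a leaver must be removed from. The register, roster, system names and least-privilege policy are all constructed sample data.

```python
# Access audit helpers: added example, not the agency's own tooling.
# Every system, person, role and policy entry below is constructed sample data.
from collections import namedtuple

Grant = namedtuple("Grant", "system user role")

# Constructed access register (tip 1): one row per system/user/role.
REGISTER = [
    Grant("website-cms", "alice@example.com", "admin"),
    Grant("website-cms", "bob@example.com", "editor"),
    Grant("website-cms", "carol@example.com", "admin"),
    Grant("google-analytics", "bob@example.com", "viewer"),
    Grant("payments-stripe", "alice@example.com", "admin"),
    Grant("payments-stripe", "dave@example.com", "admin"),
    Grant("accounting", "dave@example.com", "admin"),
    Grant("domain-registrar", "alice@example.com", "admin"),
]

# Constructed HR roster: who still works here, and in what job.
CURRENT_STAFF = {"alice@example.com": "owner",
                 "bob@example.com": "content-writer",
                 "carol@example.com": "content-writer"}

# Assumed least-privilege policy: the highest role each job needs per system.
# "*" covers every system; anything not listed defaults to "viewer".
MAX_ROLE = {("owner", "*"): "admin",
            ("content-writer", "website-cms"): "editor",
            ("content-writer", "google-analytics"): "viewer"}
RANK = {"viewer": 0, "editor": 1, "admin": 2}

def stale_access(register=REGISTER, staff=CURRENT_STAFF):
    """Grants still held by people no longer on the roster (tip 4)."""
    return [g for g in register if g.user not in staff]

def over_privileged(register=REGISTER, staff=CURRENT_STAFF):
    """Grants above what the holder's job needs (tip 3). Leavers are skipped
    here because stale_access() already reports every grant they hold."""
    flagged = []
    for g in register:
        job = staff.get(g.user)
        if job is None:
            continue
        allowed = MAX_ROLE.get((job, g.system), MAX_ROLE.get((job, "*"), "viewer"))
        if RANK[g.role] > RANK[allowed]:
            flagged.append(g)
    return flagged

def offboarding_checklist(leaver, register=REGISTER):
    """Systems a leaver must be removed from: the checklist for tip 4."""
    return sorted({g.system for g in register if g.user == leaver})
```

Run it against your real register and roster each quarter and whenever someone joins or leaves; anything it flags is either a revocation to make or a policy entry to correct.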
What you need to remember
- Keep track of who has access. When someone leaves, immediately revoke their access to all systems. Yes, all of them. Make a list if you need to.
- Business acquisition due diligence. Get full access to everything before the deal closes, and test that it all works. Don’t assume anything.
- When in doubt, ask. We’re always happy to help you work through access issues or security concerns. It’s far easier to prevent problems than fix them after the fact.
Your website and payment systems are the backbone of your business. Treating access control as an afterthought is a risk you can’t afford to take.
Need help auditing who has access to your systems? Get in touch, we’re happy to help.
