Password & Access Security for Small Business
A large share of small business security incidents trace back to one thing: weak or poorly managed passwords. Passwords stored in a Word document, shared between staff over email, never changed when someone leaves. This guide covers exactly what to do instead: practical, step-by-step, and built for teams without a dedicated IT person.
Why This Matters
If one staff member leaves with a shared password, they still have access to your email, your accounting software, your client data — everything. You won’t know they’ve logged in. You won’t know what they’ve read. And if that password is the same one used on five other accounts, the exposure is even wider.
The good news: fixing this is not complicated or expensive.
The Standard We Recommend
Password Standards at a Glance (based on NIST SP 800-63B, an internationally recognised standard)
Key rules:
- Passwords must be at least 12 characters (stricter than the 8-character floor NIST sets)
- No mandatory expiry: change a password only when compromise is known or suspected, or when someone who knew it leaves
- Multi-factor authentication (MFA) is required on all critical accounts
- Passwords must never be stored in documents or sent via email or chat
- Every person must have their own individual login
Bad Habits vs Good Habits
Passwords
Bad habits your team might have right now:
- Using the same password across multiple accounts
- Short, simple passwords — Password1, dog123, 123456
- Storing passwords in a Word doc or spreadsheet
- Sending passwords via email, Slack, or SMS
- Using personal information — birthdays, pet names, addresses
Good habits to replace them:
- A unique password for every account, no reuse
- At least 12 characters; for the few passwords you must type from memory (such as your 1Password master password), use a passphrase in the style of Coffee-Lamp-River-7 (but never that exact one, since it is printed in a guide)
- All passwords stored in 1Password, nowhere else
- Passwords shared through the 1Password vault, never through messages
- For every account the manager fills in for you, let it generate a long random password rather than inventing one
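To show what "randomly generated" and "at least 12 characters" mean in practice, here is an added example (not code from the page or from 1Password) that generates a Coffee-Lamp-River-7 style passphrase from a cryptographic random source and checks a candidate password against the rules above. The wordlist and blocklist are constructed stand-ins; a real generator would use a published list of several thousand words, and the entropy function shows why that matters.

```python
"""Passphrase generator and policy check for the rules above.

Added example, not from the original page or from 1Password. The wordlist
below is a constructed stand-in: a real generator should use a large
published list such as the EFF diceware list (7,776 words).
"""
import math
import secrets

# Constructed stand-in wordlist; a real list has thousands of entries.
WORDLIST = [
    "coffee", "lamp", "river", "orange", "pencil", "harbour", "window",
    "cactus", "violin", "marble", "thunder", "basket", "copper", "meadow",
    "anchor", "sunset",
]

# Passwords that must never be accepted: the page's examples plus a few
# that appear in every breach list.
BLOCKLIST = {"password1", "dog123", "123456", "password", "qwerty", "letmein"}

MIN_LENGTH = 12


def generate_passphrase(words=4, wordlist=WORDLIST, separator="-"):
    """Return a passphrase in the Coffee-Lamp-River-7 style.

    Uses the secrets module (a cryptographic RNG), never random.choice.
    """
    picks = [secrets.choice(wordlist).capitalize() for _ in range(words)]
    digit = secrets.randbelow(10)
    return separator.join(picks) + separator + str(digit)


def passphrase_entropy_bits(words=4, wordlist=WORDLIST):
    """Entropy of generate_passphrase output, assuming the attacker knows
    the wordlist and the format (words separated by '-', then one digit)."""
    return words * math.log2(len(wordlist)) + math.log2(10)


def check_password(candidate, personal_info=()):
    """Return a list of policy violations; an empty list means it passes.

    personal_info: strings the user should never embed (pet name, birth year).
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in BLOCKLIST:
        problems.append("on the blocklist of known weak passwords")
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{passphrase_entropy_bits():.1f} bits with the toy list")
    print(f"{passphrase_entropy_bits(4, range(7776)):.1f} bits with a 7,776-word list")
```

With the 16-word toy list a four-word passphrase has only about 19 bits of entropy; the same format drawn from a 7,776-word list gives about 55 bits, which is why the list size, not the capital letters or the trailing digit, is what makes a passphrase strong.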
Access & Logins
Bad habits that create risk:
- Everyone has admin access “just in case”
- No record of who has access to which accounts
- Ex-staff accounts left active after they leave
- Multiple people sharing one login
- Logging into accounts on public WiFi without a VPN
- Using SMS codes for MFA (better than nothing, but weak)
Good habits that reduce risk:
- Least privilege — staff only access what they need
- An access register that lists who can get into what
- Offboarding checklist — accounts removed on a person’s last day
- Every staff member has their own login
- Use an authenticator app for MFA — Authy or Google Authenticator
- Enable MFA on email accounts first, then banking and accounting software
Setting Up 1Password for Your Team
Initial Setup
- Go to 1password.com/business and create a business account
- The owner or manager sets up the account and becomes the admin
- Invite each staff member — they each get their own login
- Import existing passwords from your Word doc or spreadsheet
- Once everything is in, delete the Word doc permanently, including any copies in the Recycle Bin, in email attachments, or in a cloud sync folder
Sharing Passwords Without the Risk
- Use 1Password’s shared vaults to give staff access to what they need
- Assign permissions — not everyone needs access to every account
- Never copy and paste a password into a message, even internally
- Shared vaults mean access can be revoked without changing the password for everyone who still needs it; but anyone who has already viewed a password may have copied or remembered it, so still rotate it when they leave
When Someone Leaves
- Remove their 1Password account on their last day
- Rotate any passwords they had access to — especially email and banking
- Check your access register and mark off every account they had
- Deactivate their email account and any software logins
Setting Up MFA (Multi-Factor Authentication)
MFA means that even if someone gets your password, they still can't log in without the second factor, usually a code from an app on your phone.
Set it up in this order:
- Email (Gmail or Outlook) — this is the highest risk account you have
- Banking and accounting software
- Social media business accounts
- Any cloud storage — Google Drive, Dropbox, OneDrive
- Your website CMS or hosting panel
Use an authenticator app, not SMS:
Download Authy or Google Authenticator on your phone. When you enable MFA on an account, scan the QR code with the app. From then on, it generates a six-digit code every 30 seconds, with no text message required. SMS codes are better than nothing but can be intercepted (a SIM-swap attack moves your number to the attacker's phone). An authenticator app is the right choice for business accounts. When you enable MFA, most services also give you a set of backup codes; store them in 1Password so a lost phone doesn't lock you out of the account.
Your Access Register — Who Has Access to What
Keep a simple list. It doesn’t need to be complicated — a shared note in 1Password or a
spreadsheet works. Include:
- The account name and URL
- Who has access
- What level of access (admin, user, view only)
- When they were given access
- Date it was last reviewed
Review it every time someone joins or leaves the team, and do a full check at least twice a year.
Staff Offboarding Checklist
When someone leaves — whether on good terms or not — work through this list on their last day:
- Remove from 1Password business account
- Deactivate their email account or redirect their emails
- Remove from any shared inboxes or aliases
- Revoke access to accounting software (Xero, MYOB)
- Remove from social media business accounts
- Deactivate any POS or booking system logins
- Remove from project management tools
- Rotate any passwords they had access to
- Update your access register
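The access register above and the offboarding checklist are the same data used two ways, so here is one added example (not code from the page or from 1Password) that keeps the register as a CSV with the columns the page lists and answers the two questions you will actually ask of it: what did this leaver have access to, and which entries are overdue for a review. It goes one step beyond the page with a third check, accounts that have only one admin, because that is the most common thing an offboarding turns up. The rows and column names are constructed sample data.

```python
"""Access register as CSV, plus the checks the page asks for.

Added example, not from the page or from 1Password. The register rows are
constructed sample data and the column names are an assumption; in practice
the register is a shared 1Password note or a spreadsheet exported to CSV.
"""
import csv
import io
from datetime import date, timedelta

REGISTER_CSV = """account,url,person,level,granted,last_reviewed
Gmail,https://mail.google.com,alice,admin,2023-02-01,2025-01-15
Gmail,https://mail.google.com,bob,user,2024-06-10,2025-01-15
Xero,https://xero.com,alice,admin,2023-02-01,2024-03-01
Xero,https://xero.com,bob,user,2024-06-10,2024-03-01
Instagram,https://instagram.com,bob,admin,2024-07-01,2025-01-15
Dropbox,https://dropbox.com,carol,view only,2024-09-01,2025-01-15
"""


def load_register(text):
    """Parse the CSV into a list of dicts, one per (account, person) grant."""
    return list(csv.DictReader(io.StringIO(text)))


def offboarding_report(rows, person):
    """Every account the leaver held, admin-level grants first, since those
    are the ones to remove and rotate before anything else on the last day."""
    held = [r for r in rows if r["person"] == person]
    held.sort(key=lambda r: (r["level"] != "admin", r["account"]))
    return [(r["account"], r["level"]) for r in held]


def stale_reviews(rows, today, max_age_days=182):
    """Accounts whose last review is older than about six months, which is
    the page's 'full check at least twice a year'."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted({
        r["account"] for r in rows
        if date.fromisoformat(r["last_reviewed"]) < cutoff
    })


def sole_admins(rows):
    """Accounts with exactly one admin: if that person leaves (or is the
    leaver), the business can lose control of the account."""
    admins = {}
    for r in rows:
        if r["level"] == "admin":
            admins.setdefault(r["account"], set()).add(r["person"])
    return sorted(acct for acct, who in admins.items() if len(who) == 1)


if __name__ == "__main__":
    rows = load_register(REGISTER_CSV)
    for account, level in offboarding_report(rows, "bob"):
        print(f"remove bob from {account} ({level}), then rotate the password")
    print("overdue for review:", stale_reviews(rows, date.today()))
    print("only one admin:", sole_admins(rows))
```

Run the offboarding report on the leaver's last day and tick each line off against the checklist above; anything the report lists that is not on the checklist is a gap in the checklist, and anything on the checklist the report does not list means the register is out of date.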
4 Things You Can Do Today
Apart from the 1Password subscription, these cost nothing and can be done right now:
- Delete the Word doc — get everything into 1Password first
- Enable MFA on your email — Gmail and Outlook both take under 5 minutes
- Audit your access — make a list of every account and who can log in
- Change any password that was ever sent via email or chat — treat it as compromised