Supply Chain Risk · 3 February 2025 · 6 min read

Third-Party System Access: The Hidden Risk Most SMBs Ignore

Accountants, IT providers, and software vendors often have access to your systems. Here's how to manage third-party access safely in your Australian business.


Think about who currently has login credentials to your business systems. Your IT provider. Your bookkeeper or accountant. The developer who built your website. The agency managing your social media. Perhaps a cloud storage service with automatic access to your files.

Most small business owners, if asked to list everyone with access to their systems, would either underestimate the number or find it unsettlingly large. Third-party access is one of the most common — and most overlooked — cyber security risks facing Australian small businesses.

Why Third-Party Access Is a Significant Risk

When you grant a third party access to your systems, you're extending your security boundary. An attacker doesn't need to breach your defences directly if they can compromise someone who already has the keys.

In 2023, a major Australian payroll provider was breached, exposing payroll data for thousands of employees across hundreds of businesses. The businesses themselves hadn't been attacked — the risk had entered through a trusted third party. This is the nature of supply chain attacks: your exposure depends not just on your own security, but on the security of everyone with access to your systems.

Third-party access risks include:

  • A contractor's laptop is infected with malware, which spreads to your systems through their access
  • An ex-employee of your IT provider still has credentials that were never revoked
  • A software vendor is breached and attackers use the vendor's access tokens to pivot into customer systems
  • A phishing attack on your accountant's email leads to access to your financial accounts

Audit Who Has Access Right Now

The first step is knowing what you're dealing with. Conduct an access audit across your key systems:

  • Email and productivity tools (Microsoft 365, Google Workspace): Who has admin access? Are there any external or guest accounts?
  • Accounting software (Xero, MYOB, QuickBooks): Who has login credentials? What level of access do they have?
  • Cloud storage (Dropbox, OneDrive, Google Drive): What folders are shared with external parties?
  • Website and hosting: Who has admin, FTP/SFTP, or cPanel access?
  • Remote access tools: Does your IT provider use TeamViewer, AnyDesk, or similar? Is unattended access enabled, and when did they last connect? Most of these tools keep a connection log you can check.
  • Banking and payment platforms: Who has view or payment initiation access?

For each person or service with access, ask: do they still need this access? Is it the minimum they need to do their job?

Apply the Principle of Least Privilege

The principle of least privilege means every person and system should have only the minimum access needed to do their job — no more. This sounds simple, but in practice, access tends to accumulate over time as businesses grow and change.

In practical terms, this means:

  • Your bookkeeper doesn't need admin access to your accounting software — a standard user account is enough
  • Your web developer doesn't need permanent access to your live website — create temporary credentials for each project
  • Your IT provider doesn't need full admin rights to every system — scope their access to the systems they actually manage

Use Time-Limited and Project-Scoped Access

For contractors and external vendors, wherever possible, create access that is time-limited and scoped to the specific project or task. Many platforms support this:

  • Microsoft 365: Guest accounts can be given an expiry through Entra ID access reviews or entitlement management (licence permitting), and Conditional Access policies can require MFA and restrict when and how external users connect
  • Google Workspace: Sharing controls let you set expiry dates on shared folders and documents
  • Xero: You can invite advisers with specific access levels and remove them when the engagement ends
  • AWS and Azure: Give contractors a role rather than a standing user account. In AWS, an IAM role is assumed for short-lived session credentials that expire after an hour by default; in Azure, role assignments can be time-bound with Privileged Identity Management

Establish an Offboarding Process for Third Parties

One of the most common access control failures is failing to revoke access when a relationship ends. When a contractor finishes a project, when you change IT providers, or when a software vendor's engagement concludes, their access should be removed immediately.

Create a simple offboarding checklist for third-party relationships that includes:

  • Revoking all user accounts and login credentials
  • Removing shared folders and document access
  • Revoking API keys and OAuth tokens
  • Changing passwords on any shared accounts
  • Reviewing and removing any remote access tools installed on your devices

Assign this checklist to a specific person as part of your standard contract close-out process.

Require MFA for All Third-Party Access

Multi-factor authentication (MFA) should be mandatory for all third-party access to your systems. Even if a third party's credentials are compromised, MFA adds a layer of protection that prevents attackers from using stolen passwords alone. Prefer an authenticator app or a hardware security key over SMS codes. Note that MFA protects interactive logins only: API keys, OAuth tokens and remote-access tools that authenticate with a stored secret are not covered by it and need to be tracked and revoked separately.

Most business software platforms — Microsoft 365, Google Workspace, Xero, Salesforce — support MFA for all user types including external accounts. Make MFA a condition of any third-party access arrangement.

Review Access Regularly

Access rights should be reviewed at least every six months. People change roles, relationships end, and access that was appropriate at one point may no longer be necessary. A simple spreadsheet listing every third party with system access, what access they have, and the last time it was reviewed is a good starting point.
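The audit questions above and the six-monthly review can be turned into a repeatable check over that spreadsheet. The following Python script is an added example written for this article; it is not Flagged's tool and does not call any vendor's API. The register columns, the list of roles treated as privileged, the 183-day review threshold and the sample rows are all assumptions constructed here for illustration.

```python
"""Sanity-check a third-party access register.

Added example for this article, not Flagged's own tool or any vendor's API.
The CSV columns, the rule thresholds and the sample rows are assumptions
constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: one row per third party per system.
# account_type is one of: internal, guest, external, shared, service.
SAMPLE_REGISTER = """\
party,system,role,account_type,mfa,engagement_end,last_reviewed
Acme Bookkeeping,Xero,Adviser,external,yes,,2024-11-15
Acme Bookkeeping,Microsoft 365,Global Administrator,guest,yes,,2024-11-15
WebCo Pty Ltd,cPanel,Admin,shared,no,2024-08-31,2024-03-01
Northside IT,AnyDesk,Unattended access,service,yes,,2024-09-20
Northside IT,Microsoft 365,Global Administrator,guest,yes,,2024-09-20
Old Agency,Google Drive,Editor,external,no,2023-12-31,2023-06-01
"""

# Date the register is checked against (the article's publication date).
AS_OF = date(2025, 2, 3)

# Roles treated as privileged for the least-privilege check (assumed list).
ADMIN_ROLES = {"admin", "administrator", "global administrator", "owner"}
REVIEW_INTERVAL = timedelta(days=183)  # "at least every six months"


def parse_register(text):
    """Parse the CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def _engagement_over(row, today):
    ended = _parse_date(row["engagement_end"])
    return ended is not None and ended < today


def find_issues(rows, today):
    """Apply the article's checks to every row.

    Returns a list of (party, system, issue) tuples, one per finding.
    """
    issues = []
    for row in rows:
        party, system = row["party"], row["system"]
        role = row["role"].strip().lower()
        acct = row["account_type"].strip().lower()
        reviewed = _parse_date(row["last_reviewed"])

        # Offboarding failure: engagement is over but access is still listed.
        if _engagement_over(row, today):
            issues.append((party, system, "engagement ended, access not revoked"))
        # MFA must be a condition of any third-party access.
        if row["mfa"].strip().lower() != "yes":
            issues.append((party, system, "MFA not enforced"))
        # Least privilege: outside parties should not hold admin roles.
        if role in ADMIN_ROLES and acct != "internal":
            issues.append((party, system, f"external party holds '{row['role']}' role"))
        # Shared logins cannot be revoked per person; replace and rotate them.
        if acct == "shared":
            issues.append((party, system, "shared credential in use"))
        # Six-monthly review overdue (or never done).
        if reviewed is None or today - reviewed > REVIEW_INTERVAL:
            issues.append((party, system, "not reviewed in the last six months"))
    return issues


def parties_to_offboard(rows, today):
    """Parties whose engagement has ended but who still appear in the register."""
    return sorted({r["party"] for r in rows if _engagement_over(r, today)})


def report(text, today):
    """Print one line per finding; returns the issue list for reuse."""
    issues = find_issues(parse_register(text), today)
    for party, system, issue in issues:
        print(f"[{party}] {system}: {issue}")
    return issues


if __name__ == "__main__":
    report(SAMPLE_REGISTER, AS_OF)
```

Run it against your own register exported as CSV with the same columns; every line it prints is an item for the access review or the offboarding checklist. The checks are deliberately conservative: any external party in an admin role is flagged even if the role is currently justified, so that the justification has to be written down rather than assumed.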

Key Takeaways

  • Third-party access is one of the most underestimated cyber risks for small businesses — audit who has access to your systems right now
  • Apply the principle of least privilege: every third party should have only the minimum access needed for their role
  • Use time-limited and project-scoped access for contractors and external vendors wherever possible
  • Create a formal offboarding process that removes all access when a third-party relationship ends
  • Require MFA for all third-party access and review access rights at least every six months

Third-party access risks are one of the areas the Flagged assessment specifically evaluates. Try the free Flagged cyber risk assessment to see how your business stacks up and get practical guidance on tightening up access controls.

Tags

third-party access · vendor risk · access control · small business · Australia