Who Else Has Access to Your Business? The Hidden Risk of Contractors

April 22, 2026

Most Businesses Work With People Outside Their Team

Bookkeepers. Marketing agencies. IT consultants. Virtual assistants. Freelancers across every function.

External contractors have become a core part of how modern businesses operate – especially small and mid-sized ones. They bring expertise, flexibility, and value. But they also create entry points to critical business systems. And most businesses don’t manage those entry points anywhere near as well as they should.

That’s not a criticism. It’s a pattern we see repeatedly – and one that’s straightforward to fix once it’s on your radar.

What This Looks Like in Practice

It often starts simply enough:

  • A bookkeeper is given login access to Xero
  • A marketing team gets access to Google Drive and social accounts
  • A consultant is added to your CRM for a project
  • A developer gets admin credentials to test something

Then the project ends. Or they move on. And the access doesn’t.

Months later – sometimes years later – those logins are still active. Sometimes shared. Sometimes using a simple password with no MFA.

Where the Risk Comes In

The risk isn’t that your contractors are untrustworthy. Most aren’t.

The risk is structural:

  • Contractors may use weak or reused passwords across multiple clients
  • Their accounts may not have multi-factor authentication enabled
  • Access isn’t removed when an engagement ends
  • Their own devices or home networks may not be secured

If a contractor’s account is compromised – through phishing, a data breach, or a weak password – attackers get a direct path into your business through their login.

Why This Matters More Now

Businesses are more reliant on external support than ever, which means more access points than ever. Remote work has compounded this – contractors are logging in from personal devices, home networks, and sometimes shared systems.

At the same time, AI is making phishing attacks more convincing and personalised. Impersonation is easier. A message that appears to come from a trusted contractor could be an attacker who has already compromised their account.

The combination of expanded access and smarter attacks creates real exposure for businesses that haven’t structured their access properly.

What Good Looks Like

On your side, good practice means:

  • Knowing exactly who has access to which systems – and why
  • Setting clear boundaries before an engagement starts
  • Reviewing and removing access when work ends
  • Using individual logins rather than shared credentials
  • Requiring MFA on any account that touches your systems

And the contractors worth working with take security seriously too. They:

  • Use secure systems and MFA across their own accounts
  • Follow structured processes for handling client data
  • Can tell you how they manage access when an engagement ends
  • Treat security as part of how they operate – not an afterthought

Questions Worth Asking Your Contractors

Before giving any contractor access to your systems, these are reasonable questions:

  • How do you secure your own systems and logins?
  • Do you use MFA across your accounts?
  • How do you manage access to client data?
  • What’s your process when an engagement ends?

A professional contractor will have clear answers. If they can’t answer these confidently, that’s useful information.

What We See and What We Help With

At IQPC, contractor access is one of the most common risk areas we identify when we work with a new client. It’s rarely the result of negligence – it’s usually just an area that hasn’t been looked at properly.

We help businesses get clear on who has access to what, structure that access with the right controls, and put a process in place so it doesn’t become a problem again. We also work with partners and contractors who take their own security seriously – because that matters too.

Where to Start

If you’re not sure who currently has access to your systems, that’s the first thing to find out. From there:

  • Remove any access that’s no longer needed
  • Replace shared logins with individual, controlled accounts
  • Enable MFA wherever it isn’t already in place
  • Have the conversation with your contractors – good ones will welcome it

You don’t need a complete IT overhaul. You need clarity on what’s open, and a plan to close what shouldn’t be.
