Small Business Cyber Basics

How to review supplier access in a small business

A practical way to find and reduce supplier access risk across websites, finance tools, email platforms, cloud storage and AI-enabled services.

26 Jun 20263 min readJames MackieUpdated 29 Jun 2026

Supplier access is one of the easiest risks for a small business to forget. It is also one of the easiest to improve once somebody writes it down.

Suppliers are not the problem. Unclear access is the problem.

Where supplier access usually hides

Start by listing the people and companies outside the business who can access systems, data or accounts. The usual places are:

  • Website hosting and CMS accounts
  • Domain and DNS providers
  • Email and Microsoft 365 or Google Workspace
  • Accounting and payroll systems
  • Payment processors
  • CRM and marketing platforms
  • Cloud storage
  • Social media accounts
  • IT support tools
  • AI tools, automations and integrations

Old suppliers matter too. A previous web agency or contractor may still have admin rights because nobody removed them after the project ended.

Build a simple access register

The register does not need to be complex. A useful version has five columns.

SupplierSystemAccess levelBusiness ownerKeep, reduce or remove
Web agencyWebsite CMSAdminOwnerReduce
AccountantFinance platformStandard userFinance leadKeep
Old contractorCloud driveUnknownOwnerRemove

The point is to make decisions visible. If nobody can explain why a supplier has access, that access should be challenged.

Check admin rights first

Admin rights should be rare. They allow users to add other users, change settings, export data, disable controls or create new integrations.

For every supplier admin account, ask:

  1. Is admin access still needed?
  2. Is there a named person responsible for it?
  3. Is MFA enabled?
  4. Is the account shared?
  5. Is there an end date or review date?

These checks connect directly to the first five cyber checks for any small business.

Ask about AI usage

Suppliers may use AI tools inside their own workflow. That might be fine, but the business should understand whether customer data, documents, call transcripts, support tickets or internal information are being processed through AI services.

Simple questions are enough for the first pass:

  • Do you use AI tools to provide our service?
  • What data from us can those tools access?
  • Is our data used to train models?
  • Which subprocessors are involved?
  • Can we opt out of AI processing where needed?

The answers do not need to be perfect on day one. They do need to be asked.

Make offboarding routine

Whenever a supplier relationship ends, access should be removed as part of the close-down. That should include admin portals, shared drives, password vault entries, analytics, social accounts and any integrations they created.

If the business has never done this before, start with the most sensitive systems first: email, domain, finance, website, cloud storage and customer data.

Related field notes

Back to Insights