How to review supplier access in a small business
A practical way to find and reduce supplier access risk across websites, finance tools, email platforms, cloud storage and AI-enabled services.
Supplier access is one of the easiest risks for a small business to forget. It is also one of the easiest to improve once somebody writes it down.
Suppliers are not the problem. Unclear access is the problem.
Where supplier access usually hides
Start by listing the people and companies outside the business who can access systems, data or accounts. The usual places are:
- Website hosting and CMS accounts
- Domain and DNS providers
- Email and Microsoft 365 or Google Workspace
- Accounting and payroll systems
- Payment processors
- CRM and marketing platforms
- Cloud storage
- Social media accounts
- IT support tools
- AI tools, automations and integrations
Old suppliers matter too. A previous web agency or contractor may still have admin rights because nobody removed them after the project ended.
Build a simple access register
The register does not need to be complex. A useful version has five columns.
| Supplier | System | Access level | Business owner | Keep, reduce or remove |
|---|---|---|---|---|
| Web agency | Website CMS | Admin | Owner | Reduce |
| Accountant | Finance platform | Standard user | Finance lead | Keep |
| Old contractor | Cloud drive | Unknown | Owner | Remove |
The point is to make decisions visible. If nobody can explain why a supplier has access, that access should be challenged.
Check admin rights first
Admin rights should be rare. They allow users to add other users, change settings, export data, disable controls or create new integrations.
For every supplier admin account, ask:
- Is admin access still needed?
- Is there a named person responsible for it?
- Is MFA enabled?
- Is the account shared?
- Is there an end date or review date?
These checks connect directly to the first five cyber checks for any small business.
Ask about AI usage
Suppliers may use AI tools inside their own workflow. That might be fine, but the business should understand whether customer data, documents, call transcripts, support tickets or internal information are being processed through AI services.
Simple questions are enough for the first pass:
- Do you use AI tools to provide our service?
- What data from us can those tools access?
- Is our data used to train models?
- Which subprocessors are involved?
- Can we opt out of AI processing where needed?
The answers do not need to be perfect on day one. They do need to be asked.
Make offboarding routine
Whenever a supplier relationship ends, access should be removed as part of the close-down. That should include admin portals, shared drives, password vault entries, analytics, social accounts and any integrations they created.
If the business has never done this before, start with the most sensitive systems first: email, domain, finance, website, cloud storage and customer data.
Related field notes
What a small business AI and security review should cover
A practical guide to the first areas a small business should check when AI tools, staff accounts, email security and suppliers all overlap.
Related: Small Business AI & Security Review
The first five cyber checks for any small business
Five plain-English checks that quickly show whether a small business has the basics under control.
Related: Small Business AI & Security Review