Passwords, MFA, and Access Policies – What Small Teams Can Realistically Implement

Passwords and access control are often presented as a complex topic. In practice, small organisations can achieve a significant improvement with a relatively modest set of changes, provided they are implemented consistently.

In this article I’m going to focus on steps that a small team can realistically adopt within a short space of time.

1. Modern password practices for small organisations

Password guidance has evolved. Current NCSC and NIST (SP 800-63B) advice prioritises length and uniqueness over complexity rules and scheduled expiry, because forced periodic changes mostly produce predictable variations of the same password.

  • Encourage long passphrases (for example, three or four random words) instead of short strings padded with symbols.
  • Use a password manager so staff can maintain a unique password for every service without memorising them.
  • Avoid regular forced resets; reset only after a suspected compromise or a known credential exposure.

2. Where to enforce multi-factor authentication

Enabling MFA everywhere is not always practical immediately, but there are systems where it is non-negotiable:

  • Business email and collaboration platforms.
  • Remote access to internal systems, including VPNs and remote desktop services.
  • Cloud provider portals and any system that controls infrastructure or backups.

Start by enforcing MFA for administrators and remote access, then roll out to all staff on your main email and collaboration platform. Where the platform offers a choice of method, prefer an authenticator app or hardware security key over SMS codes, which can be intercepted through SIM swapping; and once MFA is enforced, disable any legacy protocols (such as basic authentication for mail clients) that would let a password alone still work.

3. Reducing the number of privileged accounts

Over time, small teams accumulate local admin rights, domain admin accounts, and legacy privileged profiles that are no longer required.

  • Inventory all admin accounts on key systems.
  • Remove unused or duplicated admin accounts.
  • Use named accounts, not shared logins, for privileged access.

4. Separating admin and user activities

Where possible, administrators should have separate accounts for day-to-day work and privileged tasks. The everyday account is the one that reads email, opens attachments, and browses the web, so it is the one most likely to be phished or infected; if it carries no admin rights, that compromise does not immediately become a compromise of the whole environment.

  • Normal account for email, browsing, and general work.
  • Admin account used only when performing privileged tasks.

5. Clear access policies for joiners, movers, and leavers

Access creep is a common issue in growing organisations. You can reduce this by formalising three basic events:

  • Joiners: define a standard set of accounts and access based on role.
  • Movers: remove access that is no longer required when staff change role.
  • Leavers: revoke access promptly (including MFA registrations and any API keys or tokens they held), rotate any shared credentials they knew, and archive or transfer data responsibly.

6. Third-party and contractor access

Service providers often accumulate powerful access to your systems, sometimes long after a project is complete.

  • Maintain a simple register of third-party accounts and access, including who owns the relationship and when the contract ends.
  • Insist on named accounts rather than shared logins wherever possible, with MFA enforced on the same terms as your own staff.
  • Remove access when contracts or projects end, and review the register as part of each leaver and mover check rather than only when something goes wrong.
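The admin inventory in section 3, the joiners, movers and leavers review in section 5, and the third-party register in section 6 all come down to the same periodic check: compare the accounts that exist on each system against who is currently entitled to them. The script below is an added example, not code from the original article; it reconciles a constructed HR roster, a hypothetical leaver list, a contractor register with contract end dates, and a list of accounts exported from a few named systems, and flags shared logins, accounts belonging to leavers, expired contractor access, privileged accounts whose owner's role no longer needs them, and privileged accounts that have not been used for 90 days (an assumed threshold). All names, systems and dates are invented for illustration.

```python
"""Access-register reconciliation for a small team (added example).

Inputs are constructed: a staff roster (person -> role), a set of
leavers, a contractor register (third party -> contract end date) and
an account export from key systems. Output is a list of findings an
administrator would act on during a monthly access review.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

DORMANT_DAYS = 90  # assumed review threshold for unused privileged accounts


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: Optional[str]  # named person or third party; None = shared/generic login
    privileged: bool
    last_login: date


# Constructed sample inputs (hypothetical people, systems and dates).
STAFF: Dict[str, str] = {"alice": "engineer", "bob": "finance", "carol": "it-admin"}
LEAVERS: Set[str] = {"dave"}
CONTRACTORS: Dict[str, date] = {"msp-support": date(2024, 3, 31)}
ROLES_NEEDING_ADMIN: Set[str] = {"it-admin"}
TODAY = date(2024, 6, 15)

ACCOUNTS: List[Account] = [
    Account("mail", "alice", "alice", False, date(2024, 6, 1)),
    Account("mail", "bob", "bob", False, date(2024, 6, 2)),
    Account("mail", "bob-admin", "bob", True, date(2024, 1, 9)),      # bob moved from IT to finance
    Account("vpn", "carol-admin", "carol", True, date(2024, 6, 3)),
    Account("cloud", "carol-root", "carol", True, date(2024, 2, 1)),  # privileged but unused
    Account("vpn", "dave", "dave", False, date(2024, 5, 30)),         # leaver still enabled
    Account("firewall", "admin", None, True, date(2024, 6, 1)),       # shared login
    Account("firewall", "msp-support", "msp-support", True, date(2024, 6, 1)),  # contract over
]

Finding = Tuple[str, str, str, str]  # (system, username, category, detail)


def review(accounts: List[Account], staff: Dict[str, str], leavers: Set[str],
           contractors: Dict[str, date], roles_needing_admin: Set[str],
           today: date) -> List[Finding]:
    """Return one finding per problematic account, most urgent check first."""
    findings: List[Finding] = []
    for a in accounts:
        # Shared logins cannot be tied to a person, so nothing else can be checked.
        if a.owner is None:
            findings.append((a.system, a.username, "shared",
                             "shared login: replace with named accounts"))
            continue
        # Leavers, and owners not on any roster, should already have been disabled.
        if a.owner in leavers or (a.owner not in staff and a.owner not in contractors):
            findings.append((a.system, a.username, "leaver",
                             "owner has left or is not on the roster: disable now"))
            continue
        # Third parties are judged against the contract end date in the register.
        if a.owner in contractors:
            end = contractors[a.owner]
            if end < today:
                findings.append((a.system, a.username, "contract-ended",
                                 f"contract ended {end.isoformat()}: remove access"))
            continue
        # Movers: privileged rights left over from a previous role.
        role = staff[a.owner]
        if a.privileged and role not in roles_needing_admin:
            findings.append((a.system, a.username, "unneeded-privilege",
                             f"role '{role}' does not need admin: remove rights"))
            continue
        # Dormant privileged accounts are a standing risk with no benefit.
        idle = (today - a.last_login).days
        if a.privileged and idle > DORMANT_DAYS:
            findings.append((a.system, a.username, "dormant-privilege",
                             f"unused for {idle} days: confirm still needed"))
    return findings


if __name__ == "__main__":
    for system, user, category, detail in review(
            ACCOUNTS, STAFF, LEAVERS, CONTRACTORS, ROLES_NEEDING_ADMIN, TODAY):
        print(f"{system:9} {user:14} {category:20} {detail}")
```

Run on the sample data it reports five findings: bob's leftover admin account, carol's unused root account, dave's VPN login, the shared firewall "admin" login, and the MSP account whose contract ended in March. In practice the account list would come from each platform's export (directory group membership, the cloud console's IAM user list, the VPN's user table) and the roster from HR; the point is that the comparison is mechanical once those two lists exist, which is why keeping the register in section 6 current is what makes the review cheap.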

Making access control workable rather than idealised

The aim is not to achieve a theoretical identity perfection but to reach a point where you know who has access to what, why they have it, and how they authenticate.

Next step: as part of a Baseline Security Sprint, access control improvements are implemented alongside logging, backups, and patching so that your organisation moves from vague assumptions to a documented, defendable position.