December has a funny way of exposing weak access controls. Someone is off on holiday, a temp is covering finance, and a supplier is ‘just popping in’ to fix something before the break. Meanwhile, your systems are still carrying the scars of the year: old accounts, stray admin rights, and forgotten apps that nobody owns.
An end-of-year access review is not about pleasing an auditor. It is about shrinking the number of doors into your business, and making the remaining ones easier to lock.
If you are thinking, ‘We’re too small for that,’ you are exactly the sort of business that benefits. Smaller teams move quickly, share tools, and wear many hats. That is great for productivity. It is also how permission creep sneaks in.
What an access review really does
Access reviews boil down to three questions: who has access, what can they do, and is it still justified?
That last part is the one people skip. In small firms, access decisions are made in a hurry. A new starter needs the CRM by lunchtime. A manager needs admin rights to approve a plugin. A contractor needs ‘a few bits’ in SharePoint. In the moment, it feels harmless. A few months later, nobody remembers why it was granted, and the access is still there.
Okta’s October 2025 guidance on modernising access reviews makes the point well: access certifications have moved from annual compliance theatre to a frontline security control.
Why December is a smart time to do it
End-of-year reviews work because they line up with real life.
Staff changes are clearer. Contractors roll off projects. Roles shift. Budgets and renewals are on the table, so it is easier to challenge ‘we might need it’ accounts and licences. Many businesses also do a financial tidy-up in December, and access control fits neatly beside it.
There is a psychological bonus too. January planning feels cleaner when you are not dragging last year’s permissions behind you like a suitcase with a dodgy wheel.
Start with the apps you do not control
Before you can review access, you need a list of what you are reviewing. That sounds obvious. It is also where most teams stumble.
SaaS sprawl is usually the culprit. Someone signs up for a tool on a company card. A client invites you into their workspace. A department tests a platform ‘for a month’ and it sticks. Each one creates identities, sharing links, guest access, and sometimes admin roles.
Our guide to getting a grip on unmanaged apps is a useful prompt: you cannot govern what you cannot see.
The simple checklist
Keep it short and start with high risk. If you try to review every permission in every system, you will give up by lunchtime.
- Confirm the people list (employees, leavers, contractors, temps).
- Review privileged access (admin roles, finance permissions, emergency accounts).
- Check external access (guests, suppliers, shared folders, partner portals).
- Find stale access (no recent sign-in, no clear owner, no clear purpose).
- Review shared identities (shared mailboxes, generic logins, service accounts).
- Validate multi-factor coverage (who is exempt, and why).
- Clean up file sharing (‘anyone with the link’ and forgotten spaces).
- Record what you changed, and what needs planned work.
That is the spine. The impact comes from doing the messy bits properly.
How to run the review without turning it into a spreadsheet marathon
Step 1: confirm your people list
Do not start inside a system. Start with HR, payroll, or a simple staff list. You want one clear view of who is active, who is leaving (with a last day), and which contractors have an end date.
If your joiners-movers-leavers process is informal, tighten it now. Even a lightweight rule helps: no account should exist without an owner and an expiry date.
Step 2: tackle privileged access first
Privileged access is where a small mistake becomes a big incident. Admin rights can create accounts, change security settings, move money, or pull data at scale.
You do not need to remove all admin rights. You do need to put them where they belong. In practice, that means keeping permanent admin roles to a tiny group, using time-limited elevation for one-off tasks, and having a monitored break-glass account for emergencies.
One small tweak often makes a big difference: separate daily accounts from admin accounts. If a user needs admin rights occasionally, give them a standard account for email and browsing, and a separate admin account that is used only for admin tasks. That way, a phishing click does not immediately turn into full control. Pair it with basic logging and alerts on admin sign-ins, so unusual activity is noticed while it still looks odd, not after the damage is done.
Ask one slightly uncomfortable question: if this account was compromised, how far could an attacker get in 30 minutes?
Step 3: bring external access back under control
External access is often created with good intentions. A supplier needs a shared folder. A client wants you in their Teams channel. An agency needs access to the website. Then the project ends, and the access stays.
Check your main platforms for guests and external collaborators, then match each one to a live contract or active project. Remove anything that has expired. For what remains, tighten permissions so the access matches the current scope of work. ‘Just in case’ is not a scope.
Step 4: find stale and orphaned access
Orphaned access is what happens when a person changes role, a tool is replaced, or a team is reorganised. The account remains, but nobody feels responsible.
Look for accounts with no recent sign-in activity, licences assigned to leavers, groups with unclear names, and permissions that do not match someone’s job. If you cannot explain why access exists, pause it and see who complains. Complaints are feedback. Silence is a gift.
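As an added example (not from the original post, and not Mustard IT's own tooling), this is the cross-check behind steps 1, 3 and 4: a small Python script that matches a constructed account export against a constructed staff list and flags leavers and contractors past their end date, guests with no live project, accounts with no owner, and stale sign-ins, with privileged accounts sorted to the top. The field names, dates and sample data are assumptions.

```python
from datetime import date

STALE_DAYS = 90
TODAY = date(2025, 12, 15)  # constructed review date

# Constructed staff list (step 1): status and, for leavers/contractors, the last day.
PEOPLE = {
    "alice": {"status": "active", "end": None},
    "bob": {"status": "leaver", "end": date(2025, 11, 14)},
    "carol": {"status": "contractor", "end": date(2025, 10, 31)},
}
# Constructed account export from one platform; field names are hypothetical.
# "owner" links a separate admin account back to the person who holds it.
ACCOUNTS = [
    {"id": "alice", "admin": False, "guest": False, "licensed": True,
     "last_sign_in": date(2025, 12, 1), "project": None},
    {"id": "alice-admin", "owner": "alice", "admin": True, "guest": False,
     "licensed": False, "last_sign_in": date(2025, 6, 2), "project": None},
    {"id": "bob", "admin": False, "guest": False, "licensed": True,
     "last_sign_in": date(2025, 11, 13), "project": None},
    {"id": "carol", "admin": False, "guest": False, "licensed": True,
     "last_sign_in": date(2025, 10, 30), "project": None},
    {"id": "dave@supplier.example", "admin": False, "guest": True,
     "licensed": False, "last_sign_in": date(2025, 9, 1), "project": None},
    {"id": "scanner-svc", "admin": True, "guest": False, "licensed": False,
     "last_sign_in": None, "project": None},
]

def review(accounts, people, today, stale_days=STALE_DAYS):
    findings = []  # (account id, is_admin, reason)
    for acct in accounts:
        person = people.get(acct.get("owner", acct["id"]))
        reasons = []
        if acct["guest"]:  # step 3: every guest must map to live work
            if not acct["project"]:
                reasons.append("external guest not tied to a live project")
        elif person is None:  # step 4: nobody on the staff list owns it
            reasons.append("no owner in the staff list (orphaned)")
        elif person["end"] and person["end"] < today:  # step 1: leaver/contract ended
            reasons.append(f"{person['status']} ended {person['end']}, account still enabled")
            if acct["licensed"]:
                reasons.append("licence still assigned")
        last = acct["last_sign_in"]
        if last is None or (today - last).days > stale_days:  # step 4: stale
            reasons.append(f"no sign-in in {stale_days} days")
        findings.extend((acct["id"], acct["admin"], r) for r in reasons)
    findings.sort(key=lambda f: (not f[1], f[0]))  # admins first, stable within
    return findings

def run_review():  # review the constructed data as of the constructed date
    return review(ACCOUNTS, PEOPLE, TODAY)
```

Each finding is a line you can paste straight into the step 8 record; the ordering means the review starts with the admin and service accounts rather than the marketing guest.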
Step 5: shared identities and non-human identities
Shared logins are convenient. They are also a nightmare for accountability. If three people share a login, nobody ‘did it’, and your logs become far less useful.
Service accounts and API tokens add another layer. They do real work, and they often get broad permissions because it was faster during setup.
ISACA’s September 2025 note on non-human identities flags a familiar pattern: machine identities miss MFA, miss rotation, and quietly collect permissions because nobody reviews them.
For a small business, the fix is usually straightforward. Assign an owner for each shared mailbox, service account, and token. Set a review date. Trim access back to what the task actually needs.
Step 6: clean up multi-factor exceptions
MFA is widely adopted now, but exemptions linger. Some are genuine, such as legacy devices. Many are simply ‘we had trouble setting it up’.
List who is not using MFA, who is using weaker methods, and which accounts bypass conditional access. Then work through them one by one. This is unglamorous work, but it pays off.
Step 7: tidy sharing and collaboration
Access reviews are not only about logins. They are about data paths.
Focus on links set to ‘anyone with the link’, external sharing that is not tied to an active project, and old collaboration spaces that still hold sensitive files. Remote and hybrid work make this more important, because work lives in shared drives, chat threads, and quick links rather than a single office server.
Our remote and hybrid work guide covers practical ways to keep collaboration useful without letting sharing turn into a free-for-all.
Step 8: record what you changed
A good access review produces two outputs: changes you made immediately, and a short backlog for work that needs planning.
Keep the record simple. Capture what was removed or reduced, and who approved it. When someone asks in March why access disappeared, you have an answer that does not involve guesswork.
Three traps that quietly ruin access reviews
- Rubber-stamping: if approvals take two minutes, you are not reviewing access, you are blessing it. Reduce the scope and focus on high-risk items.
- Treating every system equally: your accounting platform is not the same as a marketing tool. Rank systems by impact, then review in that order.
- Making it a once-a-year event: December is a great reset, but add smaller checks through the year, such as offboarding checks and quarterly reviews for privileged roles.
Where compliance and good practice meet
Even if you are not in a regulated sector, access governance is becoming a normal expectation. Clients, insurers, and larger partners increasingly ask how you control access and how often you review it.
ENISA’s NIS2 technical implementation guidance, published in June 2025, gives examples of evidence organisations can use to show they manage access rights and access controls in practice.
You do not need to quote it in meetings. Treat it as a signal: regular access review is no longer a niche ‘big enterprise’ habit.
Make it lighter next year
The easiest December review is the one you have already been doing in small pieces.
If you finish the month knowing who has admin rights, which external guests are still valid, and which accounts should not exist, you have materially reduced risk. You have also made incident response easier, because attackers have fewer paths and your team has fewer surprises.
If you want a hand running an end-of-year access review, mapping your systems, and tightening permissions without breaking daily work, talk to Mustard IT.