
We have audited over 20 companies this year: here is what we always find

Sector, size and tech stack do not matter. There are three problems that appear in practically every company we audit.

Blurtek
7 min read, 317 words

This year we have been auditing IT environments at companies between 30 and 300 employees across sectors from logistics to professional services. The stack varies — Azure, on-prem, hybrid, pure SaaS — the sectors differ and IT budgets do too. But there are three problems that appear in nearly every environment, regardless of everything else.

Problem 1: credentials nobody has reviewed in years

In practically every environment we find active user accounts belonging to people who no longer work at the company. Sometimes these are former employees from two years ago; in one case we found an admin account for an external supplier whose contract had ended three years earlier. This is not malicious negligence: there is simply no systematic review process. Nobody has the explicit responsibility of auditing the user directory when someone leaves.

Problem 2: backups that exist but have never been tested

The question that generates the most discomfort in an audit is not 'do you have backups?' but 'when was the last time you restored something from a backup?'. The usual response is silence or 'can that be tested?'. A backup that has never been tested is not a backup: it is a file that may or may not work on the day you need it most.

Problem 3: third-party access with no expiry date

Software vendors, external consultancies, previous IT maintenance companies: they all leave access behind. Most of that access is never formally revoked. In our last audit we found 14 active VPN accesses from suppliers, of which 9 corresponded to commercial relationships that had already ended.

  • Review the full user list in your Active Directory or IdP at least quarterly
  • Assign a specific person responsible for revoking access the moment an employment or commercial relationship ends
  • Set automatic expiry dates for third-party access at the moment of creation
  • Test backup restoration at least once per quarter with a documented process
  • Maintain an access register showing who has access to what, kept updated and available for audit
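The quarterly review in the first and last points can be run as a script rather than a manual scroll through the directory. The example below is added here and is not code from the original post or from Blurtek; it assumes a small CSV access register with the columns shown (account, type, system, owner status, last logon, expiry), and the sample rows are constructed for the example. It flags the three findings the post describes: accounts whose employee or supplier relationship has ended, third-party access with no expiry date or with an expiry already passed, and accounts nobody has used in more than 90 days.

```python
"""Quarterly access-register review (added example, not the post's own code).

Reads an access register of the kind the post recommends keeping and flags the
findings the post describes. The column names and the sample rows below are
assumptions constructed for this example, not real audit data.
"""
import csv
import io
from datetime import date

# Constructed sample register. Assumed columns:
#   account, type (employee|third_party|service), system,
#   owner_status (active|left|contract_ended),
#   last_logon (ISO date), expires (ISO date or empty)
SAMPLE_REGISTER = """\
account,type,system,owner_status,last_logon,expires
jsmith,employee,AD,active,2024-05-28,
mlopez,employee,AD,left,2022-03-10,
vendor-erp,third_party,VPN,contract_ended,2024-01-15,
vendor-crm,third_party,VPN,active,2024-05-20,
consult-old,third_party,VPN,active,2023-11-02,2023-12-31
backup-svc,service,AD,active,2024-05-30,
"""

# Owner statuses that mean the relationship behind the account is over.
ENDED_STATUSES = {"left", "contract_ended"}


def parse_register(text):
    """Parse the CSV register into dicts; dates become date objects, blank expiry becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        row["expires"] = date.fromisoformat(row["expires"]) if row["expires"] else None
        rows.append(row)
    return rows


def review(rows, today, inactive_days=90):
    """Return {account: [reasons]} for every account that needs attention."""
    findings = {}
    for row in rows:
        reasons = []
        # Problems 1 and 3: the person or supplier behind the account is gone.
        if row["owner_status"] in ENDED_STATUSES:
            reasons.append("relationship ended")
        # Problem 3: third-party access should carry an expiry date from creation.
        if row["type"] == "third_party" and row["expires"] is None:
            reasons.append("no expiry date")
        # Any access whose expiry date has passed is stale, whatever its type.
        if row["expires"] is not None and row["expires"] < today:
            reasons.append(f"expired on {row['expires'].isoformat()}")
        # Long inactivity is the usual sign of an account nobody has reviewed.
        idle = (today - row["last_logon"]).days
        if idle > inactive_days:
            reasons.append(f"inactive for {idle} days")
        if reasons:
            findings[row["account"]] = reasons
    return findings


def run_review(text, today_iso, inactive_days=90):
    """Convenience wrapper: register text plus an ISO review date -> findings."""
    return review(parse_register(text), date.fromisoformat(today_iso), inactive_days)


if __name__ == "__main__":
    # Review date fixed so the sample output is reproducible.
    for account, reasons in run_review(SAMPLE_REGISTER, "2024-06-01").items():
        print(f"{account}: {'; '.join(reasons)}")
```

Run against the sample on 2024-06-01 it flags four of the six accounts and leaves the current employee and the service account alone. The same logic applies to an export from Active Directory or an IdP once the column names are mapped; the value is not the script itself but running it on a calendar, with a named person who acts on each line it prints.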

Why it repeats across such different companies

These three problems are not technical errors. They are the result of managing security reactively rather than as a continuous process. When there is no review calendar, no clear owner for each control and nobody measuring whether controls work, problems accumulate silently until something breaks.

8 out of 10 companies we audit have at least one active supplier access that should have been closed.

The good news is that all three problems can be fixed without extraordinary investment. They only require process and assigned responsibility. The bad news is that without an external push, they are rarely addressed proactively.

If you want to know what we would find in your environment, we offer an initial diagnostic with no commitment.
