
Who’s Got the Keys?

Updated: Oct 6

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Warren Buffett

A lot of our customers spend money and time on cybersecurity tools, encryption, and firewalls, but it is easy to forget the simplest security question of all:


Who still has the keys?

Those “keys” might be logins, shared folders, email systems, or admin panels. And like real keys, they tend to multiply quietly in drawers and pockets until something goes missing or someone uses one they aren't supposed to.

That’s where access audits come in: they make sure the right people still have the right access, and that everyone else doesn’t.



What is it?

An access audit is a spring clean for your digital house.


It means taking a moment to check:

  • Who can open which doors (systems, folders, inboxes, databases)?

  • What kind of keys do they have (view, edit, admin, delete)?

  • Do they still need them, or did they move on months ago?

  • Are any doors left unlocked without anyone realising?

In short, it's a way of exploring the trust relationships inside your organisation.


Why It Matters More Than Ever

Data breaches rarely start with clever hackers sneaking through your firewalls.


More commonly, they start with a forgotten account, an ex-employee’s login or a shared password floating around somewhere.


Access audits help you:

  1. Spot old accounts and dormant access before someone else does.

  2. Detect misuse or unusual behaviour, like an account downloading large amounts of data at odd hours.

  3. Tidy up admin privileges: because no one needs god-mode “just in case.”

  4. Prove accountability: when regulators or clients ask, “Who had access to this?”, you’ll have a clean answer.

  5. Build a culture of stewardship so that staff start thinking about access as something that’s earned and reviewed, not permanent.


Case Study

In a striking breach of confidentiality, a former paediatric nurse in Nottingham was found to have accessed 28 medical records, not for any clinical reason but because they belonged to people she had matched with via online dating platforms.


Over a period of 16 months (August 2017 to December 2019), she exploited her system privileges to view private health data of individuals unrelated to her professional duties.


The Nursing and Midwifery Council disciplinary panel judged this behaviour as misconduct, emphasising that trust and confidentiality are core to the nursing profession. This case is a stark reminder that unauthorised access from within your organisation is just as serious as an external cyberattack. A properly conducted access audit, with monitoring and regular review of user activity, is one of the best safeguards against such abuses.


How to Run One Without Losing the Will to Live

Access audits don’t have to be a spreadsheet nightmare. Here’s a pragmatic, people-friendly approach:


  1. Start small: pick one system (email, shared drives, or your CRM) and map out who can access it.

  2. Ask “why”, not just “who”: every permission should have a reason that makes sense today, not last year.

  3. Don’t skip the admin accounts: these are the digital master keys; treat them like gold.

  4. Link to HR: when someone leaves or changes roles, access updates should be automatic.

  5. Make it routine: a short quarterly check beats a huge annual panic.

  6. Celebrate clean-ups: when teams fix outdated access, say so; it builds ownership and awareness.
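To make the steps concrete, here is a small added Python example (not from the original post): it reconciles a constructed access export for one system against a constructed HR roster, flagging leavers who still have access, accounts HR has never heard of, admin rights without a documented reason, and dormant logins, and then scans a constructed activity log for large downloads at odd hours. All names, dates and thresholds are made up.

```python
from datetime import datetime, timedelta

# Constructed HR roster (step 4): user -> still employed? Leavers are False.
HR_ROSTER = {"alice": True, "bob": False, "carol": True, "dave": True}

# Constructed access export from one system (step 1: start with a single system).
ACCESS_EXPORT = [
    {"user": "alice", "level": "edit", "last_login": "2025-09-20", "reason": "monthly invoicing"},
    {"user": "bob", "level": "edit", "last_login": "2025-01-03", "reason": "sales reporting"},
    {"user": "carol", "level": "admin", "last_login": "2025-09-28", "reason": ""},
    {"user": "dave", "level": "admin", "last_login": "2025-09-30", "reason": "platform administration"},
    {"user": "erin", "level": "view", "last_login": "2024-11-15", "reason": "contractor project"},
]

# Constructed activity log: (timestamp, user, megabytes downloaded).
ACTIVITY_LOG = [
    ("2025-10-02 10:15", "alice", 12),
    ("2025-10-03 02:40", "carol", 950),
    ("2025-10-03 14:05", "dave", 30),
]

AUDIT_DATE = datetime(2025, 10, 6)  # constructed date on which the review is run


def review_access(roster, export, today, dormant_days=90):
    """Return (user, finding) pairs: unknown accounts, leavers, unexplained admin, dormant logins."""
    findings = []
    for entry in export:
        user = entry["user"]
        active = roster.get(user)
        if active is None:
            findings.append((user, "not in HR roster"))
        elif not active:
            findings.append((user, "leaver still has access"))
        if entry["level"] == "admin" and not entry["reason"]:
            findings.append((user, "admin rights without a documented reason"))
        idle = today - datetime.strptime(entry["last_login"], "%Y-%m-%d")
        if idle > timedelta(days=dormant_days):
            findings.append((user, f"dormant for {idle.days} days"))
    return findings


def flag_unusual_downloads(log, threshold_mb=500, work_hours=range(7, 19)):
    """Flag large downloads outside working hours (the 'odd hours' pattern from the post)."""
    flagged = []
    for stamp, user, mb in log:
        hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M").hour
        if mb > threshold_mb and hour not in work_hours:
            flagged.append((user, f"{mb} MB downloaded at {stamp}"))
    return flagged
```

Run `review_access(HR_ROSTER, ACCESS_EXPORT, AUDIT_DATE)` and `flag_unusual_downloads(ACTIVITY_LOG)` to get the findings list for this toy system; in practice the roster and export would come from your HR system and the application's own user list.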


Time to get your house in order (or at least your keys).


Emma Kitcher, Privacy Nerd
