A Journey with Anacortes Nonprofit Navigator

Don’t Get Locked Out: Protecting Your Nonprofit’s Critical Account Access

Last month, I talked about conducting a tech audit to address security vulnerabilities, including removing users who have left your organization. But what happens if the person who leaves holds all your important logins?

Here are several strategies to protect your organization from being locked out of critical accounts.

Multiple Admins

Most platforms are built with collaboration in mind, so always assign admin roles to at least two people. Typically these are key leaders such as the executive director and board chair; in some cases, the office manager or primary administrator as well. Choose whatever makes the most sense for your operations.

Ensuring that at least two people hold the keys helps prevent lockouts. It is good practice to avoid a single point of dependency. As dedicated as our nonprofit leaders are, they should be able to take time off and have peace of mind while they are unavailable.

Avoid sharing a single login by handing the same password to several people. This creates a security risk: anyone holding the password can change it and lock the others out, and there is no audit trail showing who made the change.

Sometimes this is unavoidable when a platform only allows one main account holder. In that case, use a password manager and store the credentials in a shared vault. In today’s collaborative environment, think twice about adopting a platform that doesn’t support multiple admins.

Role-Based Access

Give team members their own accounts with role-based permissions. Never share passwords in plain text. Individual accounts are not only more secure, they also create accountability: activity logs will identify the team member who performed a specific action.

For financially sensitive platforms, this is especially important for audits and transparency. Role-based access also limits who can do what, which is critical when dealing with highly sensitive information across organization-wide systems.

Password Managers & Shared Vaults

We all know about cybersecurity in theory, but in practice, many still default to common pitfalls:

  1. Writing passwords on paper
  2. Using the same password across multiple platforms
  3. Sharing passwords via email or text

I’m guilty of this as well because it’s often the path of least resistance. So how do we reduce friction while improving security?

Use a password manager that works for you and your team. I have used and recommended 1Password for many years. I especially like the feature that allows sharing with users who don't have a 1Password account. This is particularly helpful in nonprofit settings, where volunteers may need access but can’t be expected to download apps and create accounts. This kind of sharing provides secure access without resorting to sending passwords in plain text.

Recently, Bitwarden introduced a secure sharing feature called Bitwarden Send. Bitwarden is a solid password manager that also has a free version for personal use. With this addition of secure sharing that includes not just credentials but also files, I’m curious to try it myself.

Recovery and Backup

Both password managers mentioned above allow you to designate a recovery contact. This person can help restore access if login credentials are lost. Just like having multiple admins, this supports smoother leadership transitions.

Recovery codes are the last resort for regaining access to secure accounts. They are generated once and should be stored safely. Organizations with physical locations can store them in a locked filing cabinet along with other important documents. More mobile teams can store them as secure notes within the password manager or in a designated, secure cloud location known to key team members. One caution: keep the recovery codes for the password manager itself somewhere outside that vault, since their whole purpose is to get you back into it.

Ultimately, this comes down to communication and knowledge transfer so that new members can find what they need while keeping accounts secure.

Take Action!

Review your most critical accounts and ask: Who else holds the keys? If the answer is no one, that's your starting point. Access is easy to restore when you plan for it and nearly impossible when you don't.