Avoid Chaos by Managing Critical Business Accounts

Working with business accounts in an organization can be challenging, especially when dealing with transitions or limited staffing.

The Challenge

I was involved with a small nonprofit organization that had only two employees. When one staff person left unexpectedly and was mostly unavailable, I stepped up – on an interim basis – to manage finance and operations. The process was more difficult than I expected.

For example, I discovered that we lacked a shared contact list for key vendors, such as our attorney, insurance agent, and CPA. I had to piece together information from emails and invoices. Furthermore, the previous employee was the administrator for these business accounts, many of which required multi-factor authentication (MFA), which was tied to their personal phone. This complicated accessing these accounts and transitioning responsibilities.

Cognizant that I was interim, I did not want to put everything under my email with my personal cell phone. Why repeat the past mistake? So, I reached out to a half-dozen people working at other companies to find out about their best practices.

Defining Critical Business Accounts

These accounts are used and accessed by multiple individuals within an organization, team, or group. These accounts should be shared, meaning more than one person should have access. Without shared access, transitioning responsibilities when an individual leaves becomes much harder.

Typically, shared accounts are associated with services, tools, or systems, such as:

  • Administrative: For managing systems or platforms such as email servers, domain registries, or cloud services.
  • Team: Accounts for collaboration tools like donor management, shared social media profiles, or file-sharing platforms.
  • Financial and legal: Bank accounts, payroll providers, and registrations with State and Federal agencies.

Managing Shared Accounts Is Essential – and Critical

In my next post, I will be focusing more on security. Securing and organizing critical corporate accounts is increasingly vital as artificial intelligence makes phishing and ransomware attacks more sophisticated. Whether it is a malicious external actor, an unavailable employee, or a disgruntled staff member, your accounts must remain secure and accessible.

In addition, having policies and procedures for managing these accounts provides for better continuity when staff change and improves operational efficiency.

Use Experienced Staff or Hire a Trusted Consultant

Smaller organizations may not have staff with the experience or expertise to develop an Access Management Plan or implement some of the ideas in this post. If that is the case, I would jump-start the process by hiring a trusted consultant to put the plans in place and to train a couple of staff people to manage them going forward.

I cannot overemphasize how critically important this is – your organization could be brought to a halt – hurting your clients and staff and undermining confidence with your donors.

Best Practices to Manage Critical Corporate Accounts

Here are the best practices I learned from my interviews:

1. Assign Multiple Administrators with Clear Roles

Always have at least two administrators for accounts. This ensures continuity if one administrator leaves. In addition, clearly outline each administrator’s responsibilities, such as reviewing access logs, updating passwords, and ensuring compliance with security policies. If having multiple administrators is not possible, see #4 below.

2. Create an Access Management Plan

Create a list of all shared accounts and services in a document that top managers can access. For each account, document who has access and their level of access (e.g., administrator, user, viewer). Include additional details such as MFA setup. Update this plan regularly, especially when employees join, leave, or change roles. Having a comprehensive plan helps with onboarding new employees, offboarding current ones, or changing access when an employee’s role changes.

Software tools for Access Management are available. But if you are a small organization, a spreadsheet is probably sufficient.

3. Use a Password Manager

Have all staff put their usernames and passwords for accounts associated with their work into a shared vault of a password manager program. I have personally used Keeper and 1Password and find both easy to work with. One person I spoke to used Bitwarden. There are many options, so research what is best for your organization.

Customize vault access based on job roles. For example, limit access to bank accounts or domain hosting services but allow broader access to donor management systems.

4. Create a Corporate Alias Email

Establish an email alias such as Corporate@yourorg.org or Admin@yourorg.org. Then use this email for access to some accounts – especially ones that do not allow multiple administrators. Store the login credentials for the alias in your password manager, again allowing appropriate staff to access the alias email.

5. Develop a Global Contact List

Set up a global contact list accessible to all staff. Include key vendors such as your attorney, your CPA, your insurance agent, the contact at your bank, etc. Store login details for vendor portals in your password manager.

6. Use a Shared File System

Create a shared virtual file cabinet with tools such as OneDrive, Google Drive, or Dropbox. All your invoices, receipts, expense reports, grant agreements, tax documents, and legal documents should be filed in shared folders of this online file cabinet. Set permissions for those who can access specific folders and files. Also develop file-naming conventions and enforce them to ensure files are easy to locate. One person I spoke to said it took a while to get compliance – people forgot and put documents in their personal online workspace instead of the shared workspace. If this happens and they leave the company, you may lose access to those documents.

7. Manage Multi-Factor Authentication (MFA)

MFA tied to personal devices can complicate transitions. Here are some ideas:

  • Two Administrators: As noted above, have at least two administrators for each service or site.
  • Multiple Ways to Have MFA: Some sites allow for multiple ways to have MFA – so one could be the primary administrator’s personal cell phone number and another could be an alias email such as Corporate@yourorg.org or Admin@yourorg.org as mentioned above.
  • Dedicated Corporate Device: Some organizations have a dedicated organization-owned device (like a tablet) to receive MFA codes that is stored in a secure / locked place. This prevents reliance on anyone’s personal phone. The risk is the device could get lost or stolen. And it will not work with a totally remote work environment since you want multiple people to be able to access the corporate device.
  • Authenticator Apps: Some sites allow multiple users to scan the same QR code, enabling shared MFA access through an authenticator app (each app then holds the same secret and generates identical codes, so treat that QR code as a credential).
  • Google Voice or Skype: Set up a corporate Google Voice or Skype (or other) number to receive MFA texts. This number can be forwarded to a personal cell phone. Note, some organizations may not send text messages to a Google Voice number. You can read more here.
  • Backup Codes: Make sure that you save backup codes or security keys securely in your password manager.

8. Consider Passkeys

Passkeys are an emerging technology offering enhanced security by replacing passwords with cryptographic keys. While great for individual accounts, they are less practical for shared accounts since they are tied to specific devices. However, some systems allow multiple users to register devices for the same account, making Passkeys a potential option. Read more about passkeys here.

9. Implement a Secure Offboarding Process

Your organization should have an offboarding process. Part of this process is to immediately revoke access to shared accounts when an employee leaves and reassign administrative roles without delay. Also notify vendors about role changes and transitions.
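The Access Management Plan in #2 and the offboarding process in #9 are easier to keep honest when the inventory can be checked mechanically. The script below is an added illustration, not code from the original post or from any of the tools it mentions: it models a few rows of the kind of spreadsheet #2 describes (a constructed, hypothetical inventory with made-up names and services), flags the risks discussed in #1 and #7 (single-administrator accounts, MFA tied to a personal phone, backup codes not stored in the vault), and generates the per-account offboarding checklist #9 calls for when a named person leaves.

```python
"""Audit a shared-account inventory and build an offboarding checklist.

Added example (hypothetical data and field names); assumes the inventory is
maintained as rows with the fields shown in AccountRecord.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccountRecord:
    service: str
    admins: List[str]            # people with administrator-level access
    users: List[str]             # people with user/viewer-level access
    mfa_method: str              # "personal_phone", "alias_email", "authenticator",
                                 # "corporate_device", or "none"
    backup_codes_in_vault: bool  # backup codes / security keys saved in the password manager
    in_password_manager: bool    # login itself stored in the shared vault


# Constructed sample inventory for a hypothetical small nonprofit.
INVENTORY = [
    AccountRecord("bank portal", ["alice"], [], "personal_phone", False, True),
    AccountRecord("domain registrar", ["alice", "bob"], [], "alias_email", True, True),
    AccountRecord("donor CRM", ["bob"], ["alice", "carol"], "authenticator", True, False),
    AccountRecord("payroll provider", ["alice", "carol"], [], "corporate_device", True, True),
]


def find_single_admin(inventory: List[AccountRecord]) -> List[str]:
    """Practice #1: every account should have at least two administrators."""
    return [a.service for a in inventory if len(a.admins) < 2]


def find_personal_device_mfa(inventory: List[AccountRecord]) -> List[str]:
    """Practice #7: MFA tied to someone's personal phone complicates transitions."""
    return [a.service for a in inventory if a.mfa_method == "personal_phone"]


def find_no_mfa(inventory: List[AccountRecord]) -> List[str]:
    return [a.service for a in inventory if a.mfa_method == "none"]


def find_missing_backup_codes(inventory: List[AccountRecord]) -> List[str]:
    """Practice #7, last bullet: backup codes belong in the password manager."""
    return [a.service for a in inventory
            if a.mfa_method != "none" and not a.backup_codes_in_vault]


def find_not_in_vault(inventory: List[AccountRecord]) -> List[str]:
    """Practice #3: every shared login should be in the shared vault."""
    return [a.service for a in inventory if not a.in_password_manager]


def audit_report(inventory: List[AccountRecord]) -> Dict[str, List[str]]:
    """Collect every finding so the plan can be reviewed in one pass."""
    return {
        "single_admin": find_single_admin(inventory),
        "personal_device_mfa": find_personal_device_mfa(inventory),
        "no_mfa": find_no_mfa(inventory),
        "missing_backup_codes": find_missing_backup_codes(inventory),
        "not_in_vault": find_not_in_vault(inventory),
    }


def offboarding_checklist(inventory: List[AccountRecord], leaver: str) -> List[Tuple[str, str]]:
    """Practice #9: list every account the departing person touches and what to do.

    An account where the leaver is the only administrator needs a replacement
    administrator assigned before their access is revoked, otherwise the
    organization locks itself out.
    """
    steps = []
    for a in inventory:
        if leaver in a.admins:
            remaining = [x for x in a.admins if x != leaver]
            action = "revoke admin"
            if not remaining:
                action += "; assign a new administrator first"
            if a.mfa_method == "personal_phone":
                action += "; move MFA off the leaver's phone"
            steps.append((a.service, action))
        elif leaver in a.users:
            steps.append((a.service, "revoke user access"))
    return steps


if __name__ == "__main__":
    for finding, services in audit_report(INVENTORY).items():
        print(f"{finding}: {services}")
    for service, action in offboarding_checklist(INVENTORY, "alice"):
        print(f"offboarding alice - {service}: {action}")
```

Run against the constructed rows, the audit flags the bank portal (one administrator, MFA on a personal phone, no backup codes in the vault) and the donor CRM (one administrator, login not in the vault); the checklist for "alice" shows that the bank portal needs a replacement administrator and a new MFA method before her access is cut, which is exactly the situation described in The Challenge above.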

10. Provide Training

Train employees in your organization’s account management practices. Topics should include:

  • Using password managers.
  • Regularly updating shared passwords.
  • Setting up and using MFA or passkeys.
  • Understanding file-naming conventions.
  • Ensuring all company files are in shared cloud folders and not on personal devices or personal cloud storage.

3 Comments

  1. Allyson Schrier

    Sharing this with my cofounder. Really helpful advice.

  2. […] post expands upon the one I did last month on good practices for Managing Your Critical Business Accounts. I look more closely at financial risks, again, reaching out to a handful of nonprofit leaders who […]

  3. […] I wrote about on Risk Management, in the one before on Financial Fraud, and the one before that on Managing Critical Business Accounts.  All these areas are important to ensure your organization can face challenges due to […]
