User Access Review: The 2-Hour Security Audit Most Companies Skip

Henrik Schinzel

Henrik Schinzel

2 min read
User Access Review: The 2-Hour Security Audit Most Companies Skip

Two hours. Once a year. That's all it takes to close security holes that could sink your company. Few companies do this. And when they do, it's half-assed. The cost to do it is small. The cost of not doing it can be massive. It has brought many companies down.

What can go wrong

That developer you let go three months ago? Still has access to your production database. The consultant who finished their project last year? Their credentials are on a post-it note at their desk. At their new client's office, and clearly visible in the Instagram post from the Christmas party for the whole world to see. Your junior developer who needed admin access "just this once" to fix something urgent? Still has it. And last week they accidentally deleted the production database. These aren't hypotheticals. I've seen every one of them.

This keeps happening.

  • In 2017, a GitLab engineer accidentally ran a command that wiped their production database — 18 hours to recover. No ill intent, just too much access.
  • In 2022, a former Cisco employee accessed their AWS and deleted 456 virtual machines, taking down 16,000 WebEx accounts.
  • In 2021, hackers used a former employee's admin credentials to breach an ed-tech company and steal millions of student records — the company paid $5.1 million in 2025 to settle.

Why this keeps getting skipped

Leadership often lacks the technical background to know what security processes are needed. So it gets delegated and assumed handled. And there's no easy way to check — no dashboard showing this year's audit was skipped. The responsibility was handed off. It's out of sight, out of mind. Until there's a breach. Then it's too late.

If the CEO had visibility — just a simple flag showing the yearly audit wasn't done — they could ask about it. Get an understanding of the risks involved by not doing it. Based on this make an informed call. And almost certainly say: this is business critical, get it done.

The 2-hour process

It is a straightforward process. Have a list of all systems to check.

Step 1: Update the list of systems: Add new ones, remove old ones.

Step 2: For each system:

  • Find accounts that should be gone. Ex-employees. Former consultants. That contractor from two years ago. Remove them. Write down which accounts were removed and why.
  • Check access of remaining accounts. Apply the principle of least privilege (PoLP). If you are unsure, remove access. If they need access it is easy to add again. Write down which privileges were removed and why.
  • Mark the system as checked.

Step 3: Save the log of what was done, when and by whom.

That's it. For a 20-person company, this takes about two hours.

How to make it stick

Often no one is responsible for this. And if someone is, the problem is no one knows when they don't do it. This process is too important to slip. If it's not done, it needs to escalate. Leadership — CEO, COO, CTO, whoever — needs to see it.

Small investment. Huge dividend. Treat it that way.

Processes like this are exactly why I'm building Process Oak.

Read more