It is a normal Tuesday. Coffee, calendar, a few fires to put out. Then you get the message. Your IT guy quit. Or he is sick. Or the contractor you have used for years just stopped replying.
And suddenly you are staring at a problem that is not really about computers.
It is about keys.
Not physical keys, obviously. The keys to your business. The logins, the admin access, the billing accounts, the domain name, the backups, the settings that make everything work. The stuff that, when it is missing, turns a small issue into a full business shutdown.
So yeah. If your IT guy leaves tomorrow, do you have the keys?
What “the keys” actually means
When people say “keys” in IT, they usually mean access and control.
Like who can unlock what, who can change what, who can prove they own what.
A simple way to think about it:
- User account: your own house key. You can enter and do normal stuff.
- Admin account: the master key. You can change the locks, add doors, remove people.
- Password manager: the key ring. All the keys in one place.
- 2FA (two factor authentication): the deadbolt. Even if someone copies your key, they still need a second thing to get in.
- Encryption key: the safe combination. Without it, the contents are gibberish.
If only one person has the master key, you do not have a system. You have a single point of failure wearing a hoodie.
The quiet way businesses get trapped
Most lockouts do not happen because someone is evil. They happen because everyone is busy.
The IT person sets things up fast. They use their own email “just for now”. They register the domain. They spin up Microsoft 365 or Google Workspace. They connect the accounting tool. They configure backups. They hold all the “I know where that is” knowledge in their head.
Then, over time, that becomes normal.
Until it is not.
And when that person disappears, you find out you do not even know where your website is hosted. Or who pays for it. Or what email the billing receipts go to. Or how to reset anything without texting a guy who moved to another state.
This is what being operationally hostage feels like. It is not dramatic. It is just expensive and stressful and oddly quiet.
The 7 places your keys usually live (and get lost)
If you want to get real about this, focus on these areas. This is where the keys almost always are.
1. Domain name and DNS
Your domain is your business sign on the highway. If someone controls it, they control where your customers go when they type your name.
DNS is like a mail forwarding form for the internet. It tells the world where your email and website live.
What you need:
- Registrar login (where the domain is registered)
- DNS hosting login (sometimes the same place, sometimes not)
- A list of who has admin access
If you do not have this, a website move or email fix can turn into a nightmare.
2. Email and productivity suite
Microsoft 365 or Google Workspace tends to become the center of everything. Password resets, file sharing, calendar access, staff onboarding.
If the admin account is owned by one person and you do not have a backup admin, you are one departure away from chaos.
What you need:
- At least two admin accounts, owned by the business, not a person
- Recovery phone numbers and emails that the company controls
- A clear process for offboarding users
3. Passwords and password storage
If passwords are stored in someone’s brain, or in a spreadsheet called “passwords FINAL v7”, you are gambling.
A password manager is basically a locked key cabinet. One login opens the rest, and you can share access safely without texting passwords.
What you need:
- A company owned password manager account (1Password, Bitwarden, etc)
- Shared vaults for systems (not shared via personal notes)
- A way to recover access if someone leaves
4. Backups
Backups are not “we have copies somewhere”. Backups are “we can restore in a hurry without guessing”.
A backup is like a spare tire. Having one is good. Knowing where the jack is matters too.
What you need:
- Where backups are stored (cloud? local? both?)
- Who can access them
- How to restore, step by step
- Proof they work (more on that later)
5. Website, hosting, and critical apps
Your website host. Your payment processor. Your CRM. Your phone system. Your accounting tool. Your scheduling platform.
Each one has an owner, billing, admin roles, security settings.
What you need:
- Admin access for each platform
- Billing ownership assigned to the business
- A vendor list with support contacts and account numbers
6. Network and Wi Fi
The office internet setup matters more than people think.
Your router, firewall, switches, Wi Fi controller. These are like the circuit breaker panel in a building. If no one knows the label for the switches, turning one thing off can kill everything.
What you need:
- ISP account access (the actual internet provider)
- Router/firewall admin login
- Wi Fi passwords and guest network info
- A simple diagram of what plugs into what
7. Devices and admin control
If employees use company laptops, who manages them?
Device management is like having a fleet of company cars. You want to know who has them, and you want a spare set of keys, and you want the ability to disable one if it gets stolen.
What you need:
- A list of company devices
- Admin access to device management (Intune, Jamf, etc, if you use it)
- Local admin password policy (not “everyone is admin”)
The “hit by a bus” test (yes it is grim, but it works)
There is a simple question that cuts through the noise:
If your IT person got hit by a bus, could you:
- reset admin access,
- pay vendors,
- restore systems,
- keep operating?
If the answer is “maybe” or “I think so”, you do not have the keys.
And you are not alone. This is extremely common in small and mid sized companies.
A practical keys checklist (print this, seriously)
Here is the baseline list I would want any business owner or ops manager to be able to pull up within 10 minutes.
Ownership and access
- Domain registrar login and 2FA
- DNS hosting login and 2FA
- Microsoft 365 or Google admin accounts (2 admins minimum)
- Password manager with shared vaults
- Cloud storage admin access (SharePoint, Google Drive, Dropbox)
- Backup system login and restore instructions
- Website hosting, CMS, and analytics admin access
- Payment processor admin access (Stripe, PayPal, merchant portal)
- Accounting system admin access (QuickBooks, Xero)
- CRM/admin access (HubSpot, Salesforce, etc)
- ISP and phone system admin access
Documentation (simple, not a novel)
- Vendor list: what it is, who supports it, billing email, renewal dates
- Network notes: Wi Fi name, passwords, equipment logins, basic diagram
- Onboarding and offboarding steps
- Where backups live and how to restore
- List of “critical services” (if this dies, we stop)
Security basics
- 2FA turned on for all admin accounts
- No shared accounts for staff (shared admin is fine if it is tracked, but staff should be named users)
- Offboarding checklist that disables access on day one
- A way to recover accounts without a single person holding the only phone number
The part everyone skips: prove you can unlock the door
Having a list is good. But the real test is whether it works.
So do this once a quarter, even if it feels annoying:
- Pick one critical system (email, website, file storage)
- Pretend you lost the admin password
- Do a recovery
- Document what happened
- Fix the gaps
This is like checking your spare tire. You do not want to discover it is flat on the side of the road.
“But my IT guy is trustworthy”
Probably. Most are.
This is not about trust. It is about design.
A well run business does not rely on any single person for operational survival. Not the bookkeeper. Not the sales lead. Not the founder. Not IT.
Also, good IT people usually want you to have the keys. The weird situations happen when nobody sets expectations, and the business side never asks.
So ask. Calmly. Directly.
You are not being difficult. You are being responsible.
How to fix it without starting a war
If you are reading this and realizing you are exposed, do not panic and do not accuse anyone. Just start collecting and organizing.
Here is a clean way to do it.
Step 1: Name an internal owner
Not the IT person. Someone inside the business. Ops, finance, the owner.
Their job is not to be technical. Their job is to make sure the company has control of its accounts.
Step 2: Centralize access in a password manager
Move logins out of email threads and sticky notes.
Treat it like the company key cabinet.
Step 3: Convert personal ownership to business ownership
This is a big one. If your domain is registered under a personal Gmail, move it. Same for admin accounts and billing emails.
You want:
- company email as the owner
- distribution lists for billing (so one person leaving does not break invoices)
- at least two admins
Step 4: Write “good enough” documentation
One page per system is often enough.
Nobody reads a 40 page IT binder. But a one page “here is where it is, here is who owns it, here is how to log in” is gold.
Step 5: Put it into your offboarding process
When someone leaves, access should be removed, devices returned, and shared credentials rotated if needed.
Like changing locks when a tenant moves out. Normal stuff.
The real question
This is not really an IT question. It is a business continuity question.
Because when access is unclear, everything slows down. People cannot work. Vendors cannot get paid. Customers cannot reach you. And then you are forced into emergency decisions, expensive consultants, rushed rebuilds.
All because the keys were never copied.
So take an hour this week. Start the list. Find the gaps. Get the keys into a place the business controls.
If your IT guy leaves tomorrow, you should be annoyed.
Not stranded.
FAQs (Frequently Asked Questions)
What does ‘the keys’ mean in the context of IT and business operations?
In IT, ‘the keys’ refer to access and control elements such as user accounts, admin accounts, password managers, two-factor authentication (2FA), and encryption keys. These are critical credentials that unlock systems, allow changes, prove ownership, and secure data essential for running your business.
Why is it risky if only one person holds the master IT keys?
If only one person has the master key or admin access, your business faces a single point of failure. Should that person leave, get sick, or become unreachable, you might lose access to vital systems like your domain, email, backups, and critical applications—potentially leading to operational shutdowns.
What are common ways businesses get locked out of their own systems without realizing it?
Often lockouts happen quietly because the IT person sets up systems using personal emails or keeps passwords in their head. Over time, knowledge becomes siloed; when they leave or stop responding, businesses find they don’t know where their website is hosted, who pays for services, or how to reset accounts—effectively becoming operationally hostage.
Which seven areas should businesses focus on to secure their IT ‘keys’?
The seven critical areas are: 1) Domain name and DNS access; 2) Email and productivity suites like Microsoft 365 or Google Workspace; 3) Passwords and password storage solutions; 4) Backups with clear restoration processes; 5) Website hosting and critical applications with proper admin and billing controls; 6) Network and Wi-Fi infrastructure including ISP accounts and router access; 7) Devices management with admin controls and inventories.
What is the ‘hit by a bus’ test in IT management?
The ‘hit by a bus’ test asks if your business could continue operating smoothly if your IT person suddenly became unavailable. Specifically: can you reset admin access, pay vendors, restore systems, and keep operations running? If you answer ‘maybe’ or ‘I think so,’ it’s a sign you lack proper control over your IT keys.
How can companies prevent being operationally hostage to a single IT individual?
Companies should ensure all critical system accesses are owned by the business rather than individuals. This includes having multiple admin accounts for email suites, using company-owned password managers with shared vaults, documenting backup locations and restoration steps, maintaining updated vendor lists with billing info under company control, and regularly reviewing network and device management credentials. Establishing clear offboarding processes also helps maintain continuity.
