Shared Account Security

Key Facts

  • 2FA vulnerability: Two-factor authentication codes for shared accounts (meet@ email, Xero, social media) are sent to the CEO’s personal phone only (GOV-003, GOV-004)
  • Single point of failure: If CEO’s phone is lost, stolen, or unavailable, all shared accounts become inaccessible
  • No backup authentication: No alternative method to regain access in an emergency
  • Risk classification: Critical governance and operational risk
  • Accounts affected: meet@ (shared customer email), Xero (payroll/finance), social media (Instagram, Facebook, TikTok)

The Problem

Pride of Our Footscray’s shared account security architecture creates a dangerous single point of failure. The CEO’s personal phone is the sole authentication method for critical business systems. If the phone is lost, damaged or stolen, or the CEO is unavailable (illness, emergency), access to payroll, financial records, and customer communication channels is blocked.

This violates basic security principles and creates operational risk:

  • Access risk: Staff cannot process payroll or respond to customers if the CEO’s phone is unavailable
  • Data risk: No documented succession or backup authentication method
  • Compliance risk: Finance systems (Xero) locked to one person
  • Governance gap: No documented data governance or access control policy

Current State

  • No documented data governance policy
  • Staff access to systems is variable and not formally tracked
  • No access control matrix showing who should have access to what
  • No backup authentication devices or recovery codes documented
  • No disaster recovery plan for account lockout scenarios

Solution Pathway

Immediate (Week 1)

  1. Document all shared accounts and current access methods
  2. Generate and safely store backup authentication codes/recovery methods for each account
  3. Provision at least one backup authentication device (a shared staff phone kept at the venue)

Short Term (Weeks 2–4)

  1. Create formal data governance policy documenting:
    • Which accounts are shared vs. individual
    • Access control matrix (who should have access to what)
    • Authentication method for each account
    • Backup/disaster recovery procedures
  2. Replace personal phone 2FA with shared venue phone
  3. Implement a password manager (1Password, LastPass, Dashlane) for shared credentials with role-based access
  4. Establish quarterly access review and audit

Long Term

  1. Separate individual and shared accounts (where possible)
  2. Implement single sign-on (SSO) for staff accounts
  3. Establish formal onboarding/offboarding procedures with account access provisioning