December is when Indonesian businesses close the books, chase final invoices, and plan next year. It is also the perfect month for a year-end security audit, and here is the part that surprises most owners: the version that catches 80 percent of your real risk takes one afternoon and costs nothing.

You do not need a penetration tester for this. Most SME breaches I have seen up close did not involve clever hacking. They involved an ex-employee whose email still worked, a shared admin password sitting in a WhatsApp group from 2020, or a plugin nobody had updated since installation.

A year-end security audit at this level is access hygiene. It is asking one question over and over: who and what can touch our systems, and should they still be able to? Block out an afternoon, open a spreadsheet, and work through the list below.

Part 1: The people audit (60 minutes)

Start with humans, because that is where the risk concentrates.

List everyone who left this year. HR knows the names. Now check, for each person, every system they touched:

  • Company email (Google Workspace or Microsoft 365 admin console shows active accounts)
  • WhatsApp groups where business decisions or customer data flow
  • Accounting software, POS systems, admin dashboards
  • Social media accounts, marketplace seller accounts (Tokopedia, Shopee)
  • Bank tokens, e-wallet business accounts
  • GitHub, hosting panels, domain registrar, anything technical

In my experience auditing SMEs, roughly one in three has at least one former employee with a live account in something. One distributor I reviewed had a staff member who resigned in March still receiving customer order emails in October. Nothing bad happened, but that was luck, not control.

Check for ghost accounts. These are logins nobody recognizes: the freelancer from a one-off project, the vendor who "just needed temporary access," the test account someone created and forgot. If nobody can explain an account, disable it. If something breaks, you will find out fast and you can re-enable it with a documented owner.

Fix your offboarding gap going forward. The reason you found problems today is that leaving the company does not automatically trigger access removal. Write a one-page checklist now, while the pain is fresh, and make it part of every resignation. This is exactly the kind of process that belongs in a real plan, as I argued in why your business needs a technology strategy, not just a website.

Part 2: The password audit (45 minutes)

Now the credentials themselves.

Hunt down shared passwords. Ask each team lead directly: which logins does more than one person use? Common offenders are the office WiFi admin, the Instagram account, the marketplace seller account, and the accounting system. Shared passwords mean you cannot revoke one person's access without disrupting everyone, and you never know who actually did what.

For each shared login, the fix is one of two moves:

  1. If the system supports multiple users, create individual accounts and kill the shared one
  2. If it genuinely only supports one login, move the password into a password manager with controlled sharing, so you can rotate it in one place when someone leaves

Rotate anything sensitive that has not changed this year. Bank portals, domain registrar, hosting control panel, email admin. If the password predates your newest employee, it is overdue.

Turn on two-factor authentication where it matters most. You do not need it everywhere in one afternoon. Prioritize email first, because email resets everything else, then banking, then your domain registrar. An attacker who owns your email owns your business.

Part 3: The systems audit (60 minutes)

Machines and software next.

Check what is running unpatched. WordPress sites with plugins last updated in 2021 are the classic Indonesian SME breach vector. Log into your site, count the pending updates, and schedule them. While you are in there, delete plugins and themes you no longer use, because inactive code is still attackable code.

Verify your backups actually restore. A backup you have never restored is a hope, not a backup. Pick one real file or one database table and restore it to a test location. Ten minutes, and now you know. I cover the broader maintenance ritual in the annual website health check.

Inventory your integrations. Every API key, webhook, and third-party connection is a door. Payment gateways, shipping aggregators, Zapier-style automations, that analytics tool from a campaign two years ago. List them, and revoke the ones nobody can justify. One retail client of mine found six active API keys for a marketing tool they had stopped paying for in 2021.

Look at admin sprawl. Count how many accounts have full admin rights on each system. The right answer is usually two: the owner and one trusted operator. Everyone else gets the minimum role that lets them do their job. Five admins on a POS system is not convenience, it is five ways in.

Part 4: Write down what you found (15 minutes)

The audit is worthless if it evaporates. Close the afternoon with three short lists:

List Contents Deadline
Fixed today Accounts disabled, passwords rotated, 2FA enabled Done
Fix this week Updates to apply, backups to test, roles to downgrade Before Dec 15
Fix in January Password manager rollout, offboarding checklist, integration cleanup Before Chinese New Year

Put a calendar reminder for the same audit next December. Once a year is the minimum for a small business; if you handle customer money or personal data, do it quarterly.

The takeaway: boring beats clever

A year-end security audit for a small business is not about firewalls and threat intelligence. It is about the boring, human stuff: dead accounts, shared passwords, admin sprawl, and forgotten integrations. One afternoon of honest checking removes more real risk than a year of worrying about sophisticated attackers who were never coming for you anyway.

Do the people audit first if you only do one part. Ex-employee access is the single most common finding, the easiest to fix, and the most embarrassing to explain after the fact. If you would rather have someone technical walk through this with you and set up the systems so next year's audit takes half the time, that is the kind of engagement I take on selectively, and you can read how I work at /partner.