
Article 2.1 of this series named four cybersecurity postures and asked every Caribbean board to choose one consciously. This article begins the substantive work of moving from any of the lesser postures toward Posture D — and starts where every meaningful improvement starts: with the question of who has access to what, how that gets decided, and how the firm knows the answer is still right.
The audit that nobody had run
In February 2026 we ran an Access Inventory Audit at a Caribbean professional services firm of roughly forty staff — a respected boutique with regional clients, a strong reputation, and the kind of partner-led culture in which administrative matters tend to be handled by whoever has time. The firm had migrated to Microsoft 365 in 2022 and had been operating on it since, with its IT support handled by an external consultant who visited twice a month.
The audit took the form of a single straightforward question, asked of the firm’s M365 tenant rather than of any individual: produce a list of every active user account, every administrative account, every external guest account, and every credentialled service account, and let us go through them one by one. The list, when it arrived, had nineteen entries. The partners present at the audit had estimated, without preparation, that the firm had “about twelve or thirteen” active accounts.
Of the nineteen entries, fourteen were current staff. That was the expected portion of the list and required no further investigation. The remaining five entries told the story the audit existed to surface. Three were former staff who had left the firm — one eight months ago, one fifteen months ago, and one almost four years ago — whose accounts had never been deactivated, whose mailboxes still received email forwarded from active distribution lists, and one of whom (the four-year leaver) still had administrator privileges on the firm’s SharePoint document library. The remaining two entries were external consultants from an audit-software implementation project that had concluded in mid-2023; their guest accounts had been provisioned for the duration of the engagement and had simply never been removed when the engagement ended.
None of this was a breach. None of this was, on the day of the audit, evidence of anything having gone wrong. What it was — and what audits of this kind almost always are — was evidence of how easily it could go wrong. A former employee with retained administrative access to a SharePoint library is a credentialled insider for years after they stopped being an employee. An external consultant whose guest account was never removed is an unmonitored entry point that survives the project, the relationship, and any subsequent changes at the consulting firm. The firm had no incident. The firm had every condition that incidents require.
The senior partner, asked at the close of the audit how she felt about the findings, gave the answer this article exists to honour. “I’m not embarrassed,” she said. “I’m relieved. I had assumed it was probably fine. It clearly wasn’t. Now we know what to fix.”
Most Caribbean SMB cybersecurity exposure does not live in the absence of antivirus or the weakness of passwords. It lives in the people who once had legitimate access to the firm’s systems and still do, despite no longer having any reason to.
1. Why this is the single highest-leverage area of cybersecurity investment
Article 2.1 forward-referenced this article with a specific commitment: identity and access management is the single highest-leverage area of cybersecurity investment for most Caribbean SMBs. That is a strong claim, and it is worth earning before the rest of the article proceeds.
The claim rests on a simple observation about how breaches at firms of Caribbean SMB scale actually happen. Across the engagements where we have either reviewed an incident or examined the conditions that produced one, the failure mode that recurs most frequently is not the absence of a control at the perimeter — it is the presence of access that should not have been there. A former employee whose credentials were never revoked. A shared password used by five people, four of whom have since left. An external contractor with administrator rights to a system they were given temporary access to in 2022. A privileged account that was created for a one-off task and never deactivated. A consumer-grade email account being used to access the firm’s banking portal because the staff member never set up the firm’s preferred mail platform. Each of these is an access problem, not a perimeter problem.
When the access layer is right — meaning every person and every service that has credentialled access to the firm’s systems is known, named, and current — the surface area available to most attackers shrinks materially. A phishing email that reaches a person whose account no longer exists is harmless. A credential leaked through a third-party data breach is harmless if the credential was for an account that should not exist. A disgruntled former employee cannot exfiltrate data they no longer have access to. None of this depends on antivirus, on a perimeter firewall, or on a security operations centre. It depends on the firm knowing — in writing, on demand, and accurately — who can do what.
Identity and access management is therefore the leverage point. A Caribbean SMB that invests carefully in IAM and modestly in everything else will, in our experience, defend itself better than a firm that invests in every technical control on the market but has never audited its access layer. The order of operations matters. IAM first, then the other controls.
2. What identity and access management actually means
“Identity and access management” is a term that has, in our experience, almost never been properly translated for a Caribbean board. It sounds technical, which is a problem; the underlying concepts are not. There are two of them, and they are different questions:
Identity — who is this?
The first question IAM addresses is whether the firm can tell, with reasonable certainty, that the person (or service) attempting to access a given system is who they claim to be. This is the question of authentication. The familiar tools at the SMB layer — passwords, multi-factor authentication, single sign-on across the firm’s main platform — all address this first question. Most Caribbean SMBs have done at least some of this work, prompted by their email platform’s default settings or by an insurer’s request. It is the easier of the two questions, and the one where the firm’s IT consultant is most likely to have made progress already.
Access — what can this person do?
The second question, and the one Caribbean SMBs almost universally underestimate, is what the authenticated person is then allowed to do. This is the question of authorisation, and it is where most of the leverage lives. A staff member who has correctly proven who they are can still, depending on how access is configured, see all of the firm’s client correspondence, transfer funds from the firm’s bank account, delete the firm’s accounting records, or grant access to anyone else they choose. Authentication does not constrain any of this. Authorisation does. And authorisation, in most Caribbean SMBs, has either never been deliberately configured or has accumulated decisions over years that nobody can now explain.
The shorthand, in board language, is that authentication asks “who is this?” and authorisation asks “what are they allowed to do?”. Both questions have to have answers. The first is technical; the firm’s IT consultant largely handles it. The second is governance; it cannot be delegated, and most Caribbean firms have never assigned it to anyone. This article is principally about the second question.
3. The four lifecycle stages — and the one nobody talks about
The standard framework for thinking about the IAM lifecycle, used in enterprise security for decades, is “Joiners, Movers, Leavers” — three stages that describe the moments when a person’s relationship with the firm changes and their access must change with it. This framework is correct as far as it goes; it has not, in our experience, gone far enough for the Caribbean SMB context.
There is a fourth category, structurally distinct from the other three, and it is where most Caribbean SMB cybersecurity exposure actually lives. We call it Lingerers — people and services that once had legitimate access to the firm’s systems and still do, despite the relationship that justified the access having quietly ended. Lingerers are not Leavers, because the firm never registered the relationship as ending. They are not Movers, because they were not internal in the first place. They are accounts whose justification expired and whose access did not.
| Stage | What the firm must do, and what usually goes wrong |
| --- | --- |
| Joiners | When a new person joins the firm — staff, contractor, external consultant — what do they need access to, and how does that decision get made? What usually goes wrong: the new joiner is given access by copying the permissions of the most-similar existing person, which propagates whatever historical mistakes that person has accumulated. A correctly-managed Joiner stage requires that someone — a named manager — has actually decided, in writing, what the new person needs access to. Defaults are not decisions. |
| Movers | When a person changes role within the firm, what access do they gain, and — critically — what access do they lose? What usually goes wrong: people gain access in their new role without losing access in their old one. A bookkeeper who is promoted to operations manager keeps her bookkeeping permissions because nobody removed them; a year later she has the access of two roles, neither of which is being actively reviewed. This pattern accumulates silently and is the largest single source of over-privileged accounts in Caribbean SMBs. |
| Leavers | When a person leaves the firm, how quickly does their access actually end — and what happens to the records, the credentials, and the mailbox they leave behind? What usually goes wrong: access ends in name but not in practice. The HR system records the departure; the IT system does not. The mailbox is left active so that emails to the departed person are not lost; the password is changed but the account is not disabled. Months later the account still exists, still receives mail, and — if the password change was less robust than it should have been — is still potentially accessible. A correctly-managed Leaver stage requires that the IT change happens on the same day as the HR change, and that the account is disabled rather than merely renamed. |
| Lingerers | Who has access that they once needed legitimately and no longer do — but whose access has never been formally reviewed? Every Caribbean SMB has Lingerers. The external consultant whose guest account was provisioned for a project that ended in 2023 and never deactivated. The auditor’s accounting-system login from a year the audit firm changed. The retired board member who still has read access to the firm’s SharePoint document library. The former IT supplier whose administrative credentials were never rotated when the firm switched providers. These accounts are not Leavers — the people behind them did not leave the firm in any tracked way. They are not Movers — their relationship with the firm changed but the change was never recorded. They are Lingerers, and they are where most Caribbean SMB cybersecurity exposure quietly accumulates. Naming the category is the first step to addressing it. The audit in §5 of this article addresses Lingerers directly. |
Articles that omit the Lingerers category are, in effect, addressing the access that is visible to HR — the staff who appear in the payroll system, the contractors who appear on the procurement system. They are not addressing the access that lives in the gap between HR’s records and IT’s reality. That gap is where the four-year-old SharePoint administrator account in the opening anecdote lived. It is also where most of the Caribbean SMB engagements we run find their first material findings.
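The reconciliation that the opening audit performed by hand, and that the four lifecycle stages describe, is mechanical enough to script. The following is an added example, not the article's own tooling or anything run at the firm in the anecdote: it takes an account export of the kind a tenant query returns, joins it against the HR register and the contract register, and sorts every enabled account into current, Leaver (HR recorded the departure, IT never disabled the account), Lingerer (guest or service account whose engagement ended, or that no register can explain) and Mover residue (a current person holding groups beyond their current role's entitlements). Every account, name, domain (`firm.example`, `vendor.example`), role, group and date is constructed, and the field names are assumptions rather than any platform's export schema.

```python
"""Reconcile an identity-platform account export against the firm's own
records, surfacing Leavers whose access outlived the HR record, Lingerers
whose justification quietly expired, and Movers who kept old entitlements.

Added example, not the article's own tooling: every account, register entry
and date below is constructed (modelled on the audit in the article), and the
field names are assumptions rather than any platform's export schema.
"""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2026, 2, 20)  # constructed audit date


@dataclass
class Account:
    upn: str
    user_type: str                            # "Member", "Guest" or "Service"
    enabled: bool = True
    roles: set = field(default_factory=set)   # admin/directory roles held
    groups: set = field(default_factory=set)  # access groups held


# Constructed tenant export: the answer the tenant gives, not the partners' guess.
ACCOUNTS = [
    Account("a.reid@firm.example", "Member", groups={"Staff", "Accounting-Users"}),
    Account("m.chen@firm.example", "Member", groups={"Staff", "Ops-Admins", "Accounting-Users"}),
    Account("k.lee@firm.example", "Member", groups={"Staff"}),
    Account("j.brown@firm.example", "Member", groups={"Staff", "SharePoint-Users"}),
    Account("r.gray@firm.example", "Member", groups={"Staff"}),
    Account("d.hall@firm.example", "Member", groups={"Staff", "SharePoint-Users"}),
    Account("s.king@firm.example", "Member", roles={"SharePoint Administrator"}, groups={"Staff"}),
    Account("t.ali@vendor.example", "Guest", groups={"Project-AuditSW"}),
    Account("p.ortiz@vendor.example", "Guest", groups={"Project-AuditSW"}),
    Account("svc-backup@firm.example", "Service", groups={"Backup-Operators"}),
    Account("old-intern@firm.example", "Member", enabled=False),
]

# HR register: current role, plus end_date once the person has left.
HR = {
    "a.reid@firm.example":  {"role": "bookkeeper", "end_date": None},
    "m.chen@firm.example":  {"role": "operations manager", "end_date": None},
    "k.lee@firm.example":   {"role": "associate", "end_date": None},
    "j.brown@firm.example": {"role": "partner", "end_date": None},
    "r.gray@firm.example":  {"role": "associate", "end_date": date(2025, 6, 20)},
    "d.hall@firm.example":  {"role": "partner", "end_date": date(2024, 11, 20)},
    "s.king@firm.example":  {"role": "associate", "end_date": date(2022, 4, 1)},
}

# Contract register for guests and service accounts: end_date once the engagement ends.
CONTRACTS = {
    "t.ali@vendor.example":    {"end_date": date(2023, 6, 30)},  # implementation project, closed
    "svc-backup@firm.example": {"end_date": None},               # backup contract still running
}

# Groups each current role is entitled to; anything beyond this is Mover residue.
ENTITLEMENTS = {
    "bookkeeper": {"Staff", "Accounting-Users"},
    "operations manager": {"Staff", "Ops-Admins"},
    "associate": {"Staff"},
    "partner": {"Staff", "SharePoint-Users"},
}


def reconcile(accounts, hr, contracts, entitlements, today=TODAY):
    """Classify every enabled account by the relationship that justifies it."""
    findings = {"current": [], "leaver": [], "lingerer": [], "mover": []}
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled is the correct end state
        record = hr.get(acct.upn) or contracts.get(acct.upn)
        if record is None:                # nobody can say why this account exists
            findings["lingerer"].append((acct.upn, "no HR or contract record"))
            continue
        end = record["end_date"]
        if end is not None and end <= today:
            kind = "leaver" if acct.upn in hr else "lingerer"
            detail = f"relationship ended {(today - end).days} days ago"
            if acct.roles:                # privileged residue is the critical case
                detail += f"; still holds {sorted(acct.roles)}"
            findings[kind].append((acct.upn, detail))
            continue
        findings["current"].append((acct.upn, "justified"))
        expected = entitlements.get(record.get("role"))
        extra = acct.groups - expected if expected is not None else set()
        if extra:
            findings["mover"].append((acct.upn, f"beyond '{record['role']}': {sorted(extra)}"))
    return findings


def report(findings):
    """One line per non-current finding, most urgent category first."""
    lines = []
    for kind in ("leaver", "lingerer", "mover"):
        for upn, detail in findings[kind]:
            lines.append(f"{kind.upper():9} {upn:28} {detail}")
    return lines


if __name__ == "__main__":
    result = reconcile(ACCOUNTS, HR, CONTRACTS, ENTITLEMENTS)
    print(f"{len(result['current'])} justified accounts; findings:")
    print("\n".join(report(result)))
```

Two design points matter here. An account that appears in neither register is treated as a Lingerer, not ignored, because the gap between HR's records and IT's reality is exactly where the article says exposure accumulates. And a disabled account produces no finding at all: disabling, not renaming or changing the password, is the end state the Leaver process should reach.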
4. What good looks like at Caribbean SMB scale
Most Caribbean SMBs are not, and never will be, large enough to run a dedicated IAM platform, employ a security team, or operate the kind of mature identity governance programme that the security literature describes. The advice in this section is therefore deliberately scaled to the Caribbean SMB reality — a firm of thirty to two hundred staff, with one IT person (often part-time, often external), running on Microsoft 365 or Google Workspace plus a handful of SaaS applications. What good looks like at that scale has five components.
A. A single named owner of the firm’s access layer
Someone, by name, owns this. In most Caribbean SMBs that person should not be the IT consultant, because the IT consultant is also the person executing the access changes, and the same person should not both authorise and execute. The owner is typically a senior internal manager — an operations director, a finance director, or the head of a corporate-services function — to whom the IT consultant reports for access decisions. The owner does not need to be technically expert. They need to be the named individual accountable for who has access to what.
B. A current inventory of all credentialled accounts, refreshed quarterly
The inventory lists every active account on every system the firm uses. For most Caribbean SMBs that is the email platform (M365 or Google Workspace), the accounting system, any practice-management or industry-specific SaaS application, the firm’s banking portal, the firm’s domain registrar account, and any cloud storage that lives outside the main email platform. The inventory is not a one-time exercise; it must be refreshed at least quarterly, and the refresh itself is the discipline. A firm that runs the inventory quarterly will catch its Lingerers within ninety days of them becoming Lingerers. A firm that has never run it will discover them only when something goes wrong.
C. Multi-factor authentication on every account, no exceptions
Every credentialled account at the firm, without exception, requires a second factor of authentication beyond the password — a mobile-phone confirmation, an authenticator app, or a hardware token. “No exceptions” is the part of this that Caribbean SMBs find difficult, because there is always one inconvenient case: the founder whose phone doesn’t reliably receive the texts, the senior partner who finds the authenticator app annoying, the accounting system that doesn’t support MFA. Each of these is a Lingerer waiting to happen. The exception either gets resolved (a hardware token, a switch to an authenticator app, a migration to an accounting system that supports MFA) or it gets named and documented as an accepted risk in the firm’s posture statement.
D. Joiner, Mover, Leaver, and Lingerer processes that are written down
Each of the four lifecycle stages has a one-page written process. Who initiates the change. Who authorises it. Who executes it. How quickly. What gets logged. What gets reviewed afterward. These pages do not need to be elaborate, and they should not be — at Caribbean SMB scale the right length for each is half a page, written in plain English, signed off by the access-layer owner, and reviewed annually. The discipline is in having them written down, not in their volume.
E. An access review at the highest-privilege level, twice a year
Twice a year, the firm’s access-layer owner sits with the IT consultant and reviews — by name, in detail — every account that has administrative or other elevated privileges on any of the firm’s systems. This review takes between thirty minutes and two hours depending on the firm’s size, and it is the single most useful security activity any Caribbean SMB can perform on a recurring basis. The review surfaces Lingerers, identifies Movers whose old privileges were never removed, and forces the firm to ratify each elevated access decision in light of current reality. A firm that runs this twice a year cannot be more than six months away from current on its access layer.
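Components C and E above, the MFA rule with its documented exceptions and the twice-yearly review of elevated privileges, can be checked from the same inventory that component B maintains. The following is an added example, not the article's own tooling: it reads a constructed inventory (registered sign-in methods, admin roles, last sign-in), reports every account's MFA status against a written exception register in which each exception carries a review date, and produces the review sheet the access-layer owner and IT consultant would work through, with flags for privileged accounts lacking a second factor or unused for more than ninety days. Accounts, method labels, roles, dates and the `firm.example` domain are all constructed, and the field names are assumptions rather than any platform's schema.

```python
"""Quarterly control checks on the credentialled-account inventory: MFA coverage
against a written exception register, and the twice-yearly review sheet for
every account holding elevated privileges.

Added example, not the article's own tooling: the accounts, authentication
methods, exception register and dates are constructed, and the method labels
and field names are assumptions rather than any platform's schema.
"""
from datetime import date

TODAY = date(2026, 2, 20)          # constructed review date
STALE_DAYS = 90                    # a privileged account unused this long is questioned

SECOND_FACTORS = {"authenticator_app", "hardware_token", "sms"}

# Constructed inventory: registered sign-in methods, admin roles, last sign-in.
ACCOUNTS = {
    "a.reid@firm.example":        {"roles": set(), "methods": {"password", "authenticator_app"}, "last_sign_in": date(2026, 2, 19)},
    "m.chen@firm.example":        {"roles": {"Global Administrator"}, "methods": {"password", "authenticator_app"}, "last_sign_in": date(2026, 2, 18)},
    "founder@firm.example":       {"roles": {"Global Administrator"}, "methods": {"password"}, "last_sign_in": date(2026, 2, 19)},
    "partner@firm.example":       {"roles": set(), "methods": {"password", "sms"}, "last_sign_in": date(2026, 2, 17)},
    "acct-admin@firm.example":    {"roles": {"Accounting Administrator"}, "methods": {"password"}, "last_sign_in": date(2025, 9, 1)},
    "it-consultant@firm.example": {"roles": {"Global Administrator", "SharePoint Administrator"}, "methods": {"password", "hardware_token"}, "last_sign_in": date(2025, 10, 1)},
}

# Written exception register: an exception only counts while its review date has not passed.
EXCEPTIONS = {
    "acct-admin@firm.example": {"reason": "accounting system lacks MFA support; migration planned",
                                "accepted_by": "Finance Director", "review_by": date(2026, 5, 1)},
    "founder@firm.example":    {"reason": "phone does not reliably receive codes",
                                "accepted_by": "Finance Director", "review_by": date(2025, 7, 15)},
}


def has_second_factor(methods):
    """True when any registered method beyond the password is present."""
    return bool(methods & SECOND_FACTORS)


def mfa_status(accounts, exceptions, today=TODAY):
    """Per-account MFA status: ok, gap, accepted_exception or expired_exception."""
    status = {}
    for upn, acct in accounts.items():
        if has_second_factor(acct["methods"]):
            status[upn] = "ok"
        elif upn not in exceptions:
            status[upn] = "gap"                   # unnamed exception: fails "no exceptions"
        elif exceptions[upn]["review_by"] < today:
            status[upn] = "expired_exception"     # was accepted in writing, no longer is
        else:
            status[upn] = "accepted_exception"
    return status


def privileged_review(accounts, exceptions, today=TODAY, stale_days=STALE_DAYS):
    """Review sheet: one row per account with elevated privileges, most flagged first."""
    rows = []
    status = mfa_status(accounts, exceptions, today)
    for upn, acct in accounts.items():
        if not acct["roles"]:
            continue
        idle = (today - acct["last_sign_in"]).days
        flags = []
        if status[upn] != "ok":
            flags.append(f"no second factor ({status[upn]})")
        if idle > stale_days:
            flags.append(f"unused for {idle} days")
        rows.append({"upn": upn, "roles": sorted(acct["roles"]), "idle_days": idle,
                     "flags": flags, "ratified_by": None})  # owner completes at the review
    return sorted(rows, key=lambda r: -len(r["flags"]))


def coverage(status):
    """Fraction of accounts with a working second factor, and the named unaccepted gaps."""
    ok = sum(1 for s in status.values() if s == "ok")
    gaps = sorted(u for u, s in status.items() if s in ("gap", "expired_exception"))
    return ok / len(status), gaps


if __name__ == "__main__":
    st = mfa_status(ACCOUNTS, EXCEPTIONS)
    pct, gaps = coverage(st)
    print(f"MFA coverage {pct:.0%}; unaccepted gaps: {gaps}")
    for row in privileged_review(ACCOUNTS, EXCEPTIONS):
        print(row["upn"], row["roles"], row["flags"] or "nothing flagged; ratify or remove")
```

The exception register is the point: an account without a second factor is acceptable only while a named person's written acceptance is still within its review date, which is how "named and documented as an accepted risk" becomes something the quarterly refresh can actually test. Every row of the review sheet, flagged or not, still needs the owner's ratification, because the purpose of the review is to re-decide each elevated access in light of current reality, not merely to find the obvious problems.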
5. The Six-Question Identity & Access Audit
This is the second audit of Pillar 2. As in 2.1, the questions should be put to the board and the firm’s access-layer owner together — and if Question 2 cannot be answered (no such named individual exists), the audit pauses there and the firm has its first action item from the article.
| # | Question for the Board (with the Access-Layer Owner) | What “Pass” Looks Like |
| --- | --- | --- |
| 1 | Can the firm produce, on twenty-four hours’ notice, a current inventory of every credentialled account on every system it uses — refreshed within the last ninety days? | Yes — single document or workbook, dated within 90 days. |
| 2 | Can the board name, today, the single individual who is the firm’s access-layer owner — and does that individual know it is them? | Yes — name spoken from memory, written into the firm’s posture statement. |
| 3 | Has every account on every system been confirmed to have multi-factor authentication enabled, with any exceptions explicitly named and accepted in writing? | Yes — coverage confirmed by live query, exceptions named and dated. |
| 4 | Are written processes in place for Joiners, Movers, Leavers and Lingerers — and was each used at least once in the last twelve months? | Yes — four written processes, each with at least one documented use in the year. |
| 5 | When was the last twice-yearly review of every account with administrative or elevated privileges on the firm’s systems — and what was the most material finding? | Within six months, with at least one specific finding the access-layer owner can describe. |
| 6 | How many Lingerers does the firm currently have — counted, named, and with a date by which each will be resolved? | A specific number, with each named in writing and a target resolution date for each. “None” is an acceptable answer only if Question 1 passed. |
A firm that passes all six questions is, in the IAM dimension, operating in Posture D from Article 2.1. A firm that passes three or four is in transition. A firm that passes one or two is where most Caribbean SMBs sit today — and the closing of that gap is the substantive Pillar 2 work this article and Articles 2.3 through 2.6 are designed to support.
6. Where to go from here
The right starting move, after reading this article, is not to invest in new identity software. The right starting move is to ask the access-layer question of the firm’s own current state. Run the inventory. Name the access-layer owner. Identify the Lingerers. The findings will be uncomfortable in many Caribbean SMBs — particularly in firms that have been operating for a decade or more without a deliberate access discipline — and the relief of having named them is, in our experience, almost always the dominant emotion at the closing meeting.
From there, the substantive work of Pillar 2 continues. Article 2.3 — “Data Protection in Operational Practice: What the Data Protection Act 2020 Actually Requires” — will examine the next layer above the access layer: what the firm is allowed to do with the data its authorised users access, and what the Jamaican Data Protection Act 2020 requires when translated from legal language into operational controls. The access layer is the first defence. The data-protection layer is the second.
WHERE TO GO FROM HERE
Run the audit. Name the Lingerers. Build the discipline. Through Dawgen Global Technologies, the firm offers two scoped IAM engagements designed for the Caribbean SMB context. The Access Inventory Audit is a one-week fixed-price engagement that produces, on completion, the current-state inventory described in §4 of this article — every credentialled account on every system, named, classified, and reviewed against the four lifecycle stages, with Lingerers explicitly surfaced. The Cybersecurity Posture Review introduced in Article 2.1 incorporates the Access Inventory Audit as its first phase, and remains the recommended engagement for any Caribbean SMB working from Posture A, B or C toward Posture D. Both engagements are led by a senior consultant, billed in USD or JMD, with engagement-partner oversight from Dawgen Global throughout. Visit our web-services site at dawgentechnologies.com, or write to [email protected] to arrange an Access Inventory Audit through your Dawgen Global engagement team.
Author
Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, operating across 15+ Caribbean territories. Dawgen Global Technologies is the firm’s web-services line, delivering domains, hosting, professional email, Microsoft 365, SSL, websites, security and backups across the region.
About The Caribbean Digital Foundations Series
The Caribbean Digital Foundations Series is a 30-article thought leadership programme published by Dawgen Global on its blog (dawgen.global/blog) through 2026. The series is organised into five pillars — Foundations, Trust & Security, Presence & Performance, Productivity & Collaboration, and Commerce & Growth — and is designed to bring the same governance lens Dawgen Global applies to audit, tax and advisory engagements to the web-services decisions every Caribbean SMB must now make.
This is Article 2.2 of the series, the second article of Pillar 2 (Trust & Security). It follows Article 2.1, “The Caribbean Cybersecurity Posture: Beyond Antivirus,” and is followed by Article 2.3, “Data Protection in Operational Practice.”
© 2026 Dawgen Global | Big Firm Capabilities. Caribbean Understanding.
About Dawgen Global
“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.”
Email: [email protected]
Visit: Dawgen Global Website
WhatsApp Global: +1 555-795-9071
Caribbean Office: +1 876-665-5926 / +1 876-929-3670 / +1 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements

