Security and Access Management When Working With a VA
Key takeaways
- Grant the minimum access each task requires, and expand it deliberately as the role grows.
- Share credentials through a password manager — never by email, text or shared spreadsheet.
- Use separate accounts wherever software allows, so actions are attributable and removable.
- Offboarding is a security task: revoke access the day the engagement ends.
Handing a stranger access to your inbox, banking-adjacent systems and customer records is a bigger act of trust than most hiring decisions — yet it is routinely done with less thought. The good news is that sensible security for a VA engagement is not complicated or expensive. It is a handful of practices, set up once.
Least privilege: the golden rule
Give access to what the work needs, and nothing more. If the first task is invoicing, your VA needs the accounting software — not the email admin console, the bank login and the file server. Every additional system can be granted in thirty seconds when a task actually requires it; access that was never granted can never be misused, leaked or forgotten.
Map it explicitly: keep a simple register of which systems your VA can reach and at what permission level. The register makes offboarding trivial and answers audit questions instantly.
Separate accounts beat shared logins
Wherever the software supports multiple users — accounting platforms, email, CRMs, project tools — create your VA their own account with an appropriate role. Separate accounts mean their actions are attributable, their permissions are tailored, and removal is one click that does not disrupt anyone else. Shared master logins are a last resort for tools with no user management.
Password managers, not spreadsheets
When credentials must be shared, share them through a password manager that supports secure sharing. The credential stays encrypted, you control who can see it, revocation is instant, and nothing sensitive sits in an inbox forever. Emailed or texted passwords, and the shared logins spreadsheet, are the two most common small-business security sins — both are permanent records of secrets in insecure places.
Two-factor authentication everywhere it matters
Enable two-factor authentication on every system that supports it, for you and your assistant both. For shared accounts, prefer authenticator apps and plan how the second factor is shared — some password managers can hold and generate the code alongside the password, which solves the problem cleanly.
Email deserves special caution
Full inbox access is one of the highest-trust grants you can make: an inbox resets passwords for everything else. Where the platform allows, use delegate or shared-mailbox access rather than handing over your primary credentials, and keep your own login and second factor private.
Paper matters too
A confidentiality clause or NDA should be part of the engagement from day one — our separate guide covers what they do. Alongside it, agree the practical rules in writing: no storing customer data on personal devices where avoidable, no forwarding business documents to personal accounts, and immediate notification if anything is lost or compromised. If your business handles personal information, the Office of the Australian Information Commissioner publishes plain-English guidance on the Australian Privacy Principles that is worth an hour of your time.
Offboard like you mean it
When an engagement ends — happily or otherwise — treat access removal as a same-day task:
- Disable or delete their user accounts on every system in your register.
- Rotate any credentials that were shared rather than individual.
- Revoke shared items in the password manager.
- Transfer ownership of any documents or boards they administered.
- Confirm return or deletion of business files held on their devices, as your agreement provides.
Five minutes with the access register closes every door at once. Businesses without the register spend months discovering forgotten logins one unpleasant surprise at a time.
Perspective
None of this reflects distrust of assistants, who overwhelmingly guard client access carefully — their livelihood depends on it. Good security protects both parties: your VA is protected from suspicion whenever something goes wrong, and you are protected from the small percentage of cases that end badly. Set it up once, and it simply becomes how you work.