Free AssessmentCall Now

How Many Vendor Logins Do You Have? A Password Audit Guide for Northeast Indiana Businesses

Key Takeaways:

  1. The password spreadsheet that keeps growing isn’t a personal failure. It is an operational pattern that shows up in every industrial services office in northeast Indiana, and it is going to break before you do.
  2. A 25-person Fort Wayne or Auburn industrial services operation typically runs 30 to 80 vendor logins by year five — based on what we see when we actually count them with clients — fuel cards, dispatch software, GPS tracking, e-logs, billing portals, payroll, insurance, banking. Most of them live in one spreadsheet, on one computer, with at least a few passwords typed in plain text.
  3. Cyber insurance carriers and larger industrial customers are now asking about shared credentials directly on their renewal applications and vendor questionnaires. “We have a spreadsheet” is the wrong answer to a question that is getting harder to dodge each year.
  4. The first step is not a password vault rollout, a vendor change, or a hard conversation with your boss. It is a 30-minute audit you can do at your own desk to know what is actually in the spreadsheet — without changing anything yet.
  5. The conversation with your boss is much easier than it sounds when you bring the audit instead of the problem. Office managers who walk in with a list get budget. Office managers who walk in with a worry get told it’s not a priority right now.

If you are the office manager at a 25-person industrial services company in Fort Wayne or Auburn, there is a spreadsheet on your computer right now with every login your business uses on it. It started with the fuel card portal three years ago, then dispatch, then GPS, then the e-log system, then payroll moved vendors and you added that one too. It has tabs. It has color-coded rows for “active” and “inactive.” It has at least one column where the password is in plain text. It has names of people who left the company two years ago.

You are not behind because you missed a class on this. Every office manager at every industrial services operation in northeast Indiana has the same spreadsheet, give or take a tab. The pattern works for the first ten logins, strains at thirty, and is dangerous at sixty. Nobody warned you when you crossed the line — because the line moved one row at a time.

The thing that makes the password spreadsheet stop being ignorable is not a breach. It is a question. It might come from your cyber insurance carrier at renewal — the application now asks specifically about shared credentials. It might come from a larger customer sending a vendor security questionnaire. It might come from your boss after they hear something at a Chamber lunch. Knowing your answer, in real terms, is the difference between a thirty-minute conversation and a six-week scramble.

The good news is the first step is not a vault rollout or a hard conversation with your boss. The first step is a thirty-minute audit at your desk that costs nothing and changes nothing — but tells you exactly where you stand.

Is it normal for our office’s password spreadsheet to keep growing?

Yes. It is so normal that it is the default condition of every industrial services office of your size in northeast Indiana.

The pattern is mechanical. Every new vendor adds a login. Almost no one ever takes one away. The fuel card portal added one row in 2022. The GPS tracker added one in 2023. The new e-log provider added one in 2024 — and the old e-log provider’s row is still there, because nobody told you to delete it. Multiply this across fleet, financial, insurance, payroll, customer-facing, and compliance vendors, and the spreadsheet doubles every two to three years without anyone noticing.

You are also probably the only person in the office who knows where the spreadsheet lives. That is not because you hoarded it. It is because you became the keeper of every operational detail no one else had time to track — which is what office managers in industrial services operations do, and it is why the business runs. The spreadsheet is a symptom of how much you carry, not a sign of how little you know.

How many vendor logins does a typical industrial services office actually have?

More than most owners would guess. Here is what tends to be in the spreadsheet at a 20-to-40-person industrial services operation by year five.

Vendor Login Inventory: What’s Probably in Your Spreadsheet

CategoryExamplesTypical Count Range
Fleet & operationsFuel cards, GPS tracking, e-logs, dispatch software, route optimization, DVIR app5–12
FinancialBank, payroll provider, accounting software, expense management, line of credit portal4–8
Insurance & benefitsWorkers comp, health insurance, 401(k), liability carrier, broker portal3–6
Customer-facingBilling portals, customer EDI logins, contract management, CRM4–15
Compliance & filingsDOT registration, IFTA, state licensing, IRS e-services, BOI / Corporate Transparency Act3–8
Office & utilitiesMicrosoft 365 admin, phone system, internet provider, copier portal, security cameras, alarm5–10
Typical total 30–70+

Most office managers, when they actually count, are surprised by where they land. The “fleet & operations” tab alone usually has more logins than they remembered. The “customer-facing” count varies wildly depending on how many big industrial customers you serve — each one tends to bring its own portal.

The number itself is not the point. The point is that whatever your number is, it is too many to manage in a spreadsheet without controls. The spreadsheet was a fine tool at ten logins. It is a liability at sixty.

What does cyber insurance actually ask about shared credentials?

This is where the math has changed in recent renewal cycles.

Three years ago, the cyber insurance application asked broad questions: “Do you have password policies? Yes or no.” Almost any office could answer yes and move on. Recent applications ask much more specific questions, and a yes-or-no honest answer is harder.

The newer applications ask things like:

  • Is multi-factor authentication (MFA — a second login step beyond a password, usually a code sent to your phone or generated by an app) enforced on all administrative accounts? On all email? On all remote access?
  • Are any accounts shared between two or more employees? If so, which ones, and what controls compensate?
  • When an employee leaves, how long does it take for their access to all systems to be deactivated? Hours? Days? Weeks?
  • Are passwords stored in a centralized password manager, or in another method?

If your honest answers are “MFA on a few things,” “yes, the dispatch login is shared by all four dispatchers,” “we usually deactivate accounts within a week or two when someone leaves,” and “we have a spreadsheet” — your application is a different application than the one you signed last year. Carriers can deny claims when the application turns out to have misrepresented control status, and that language is showing up more often in policy exclusions. Your broker can’t save you from that. Indiana’s 45-day breach notification rule kicks in once you know about a compromise of personal information, regardless of how the compromise happened — meaning the clock starts whether the carrier covers you or not. For context on how often compromised credentials are the root cause: according to the Verizon Data Breach Investigations Report, stolen or weak credentials are involved in the majority of hacking-related breaches each year. The shared dispatch login and the spreadsheet are not abstract risks.

The fix is not to lie on the application. The fix is to know your real answers before you sign — and to have a credible path forward for the gaps.

How do I audit our password spreadsheet without making this bigger than it needs to be?

The audit is a thirty-minute exercise at your desk. You are not changing anything yet. You are looking honestly at what is on the screen.

Open the spreadsheet. Open a blank document next to it. Walk through the spreadsheet row by row and answer four questions for each entry:

  1. Is this account still in use? (If the vendor is gone, mark for deletion.)
  2. Is the password shared by more than one person? (If yes, note who.)
  3. Does this account have MFA turned on? (If unsure, mark “unknown.”)
  4. If the person responsible for this account left tomorrow, how would the next person get in? (If the answer is “the spreadsheet,” note that.)

The result is a one-page picture of where you stand. It will probably be uncomfortable, and probably better than you feared in some places and worse in others.

Password Management — Where Are We?

Stage 4: Vault + Lifecycle
 │       Password vault in place, MFA enforced
 │       everywhere, offboarding runs in 24 hours
 ▲
 Stage 3: Vault, Inconsistent Use
 │       Vault exists, but some accounts still
 │       live in a spreadsheet or sticky notes
 ▲
 Stage 2: Documented Spreadsheet
 │       Spreadsheet is current, departed users
 │       removed, passwords rotated annually
 ▲
 Stage 1: Growing Spreadsheet
         Where most 20-50 person operations sit.
         Old users still listed. No rotation.
         Plain-text passwords. Shared logins.

Most industrial services offices in our area land in Stage 1 or low Stage 2. That is not a verdict on you — it is a description of where the pattern took you. Knowing your stage is half the conversation. The other half is knowing that the next step is one stage forward, not three.

How do I bring up the password problem to my boss without sounding like I am complaining?

This is the part most office managers get wrong — not because they say the wrong things, but because they bring the wrong document to the meeting.

Office managers who say “we have a password problem” get told it’s not a priority right now. Office managers who walk in with a printed one-page audit listing 47 vendor logins, 11 shared accounts, 3 accounts belonging to people who left, and 22 accounts where MFA status is unknown — they get budget. The numbers are doing the talking. You are delivering them.

Frame it the way you would frame any other operational risk. “Here is what I found. Here is what the next step looks like. Here is what it costs to do nothing for another year.” Your boss is used to making this call on equipment, on insurance, on inventory. They are not used to making it on passwords because nobody has brought them the data in a form they can act on. You are the one with the data.

Do not frame this as your problem alone. Frame it as a business question that needs a business answer. The audit is what makes it a business question instead of a personal worry.

Want help reading what your audit is telling you?

After the thirty minutes at your desk, you’ll have a list. What you may need next is a way to look at that list and know what counts as “normal industrial services scale” versus “actually a problem that needs attention this quarter.” That’s where outside eyes help — not to sell you a vault, not to start a project, just to read the audit honestly with you and tell you what’s urgent, what’s a year out, and what’s fine for now.

No pitch, no follow-up campaign — just a working conversation about what your spreadsheet is telling you.

Call Aptica: (260) 243-5100

Or schedule a 15-minute call at a time that works for you: calendly.com/jnewburg-1/15min

Frequently Asked Questions

How do I verify password security claims from my IT provider?

Two interpretations are possible, both useful. They might mean the spreadsheet itself is technically secure on your computer — encrypted, backed up, only accessible from your machine. That can be true. It is also not what cyber insurance carriers and industrial customers are asking about. They ask about the controls around the credentials inside the spreadsheet — shared logins, missing MFA, slow offboarding. Both matter. Ask them which one they’re answering.

What is MFA and do we already have it?

MFA — multi-factor authentication — is a second login step beyond your password, usually a code texted to your phone or generated by an app like Microsoft Authenticator or Duo. You almost certainly have it on a few important accounts already, like your bank or your Microsoft 365 account. The question on insurance applications and customer questionnaires is whether it’s on every account that matters — and whether shared accounts are even capable of using it (most aren’t, which is part of why shared logins are now the question).

Do I need to roll out a password vault before I do anything else?

No. The audit comes first. A password vault is a tool — useful only after you know what you’re putting in and what you’re taking out. Buying a vault before doing the audit means you have organized chaos instead of solved chaos. Most offices that did the audit first and the vault second say the rollout went smoothly. Most who did it the other way say it was a mess.

What does the Indiana 45-day breach notification rule actually require?

Indiana law requires written notice to affected individuals within 45 days of discovering a breach of their personal information. For an industrial services office, this comes up most often when employee or customer financial information is exposed through a compromised vendor login. The rule does not care whether the breach was your fault or your vendor’s — once you know about it, the clock starts. That’s a separate clock from anything your insurance carrier does. The full text of the statute is Indiana Code 24-4.9 if you or your attorney want to read it directly.

How should I answer a customer cybersecurity questionnaire when there are gaps?

You answer it honestly anyway. Larger industrial customers — especially the ones serving regulated industries — have been pushing security requirements down to their service vendors since 2023. An honest answer with a remediation plan beats a confident answer that doesn’t survive review six months later. Customers are telling other office managers at their associations that they prefer “we’re working on it, here’s the plan” over “yes, no problem” that turns out to be wrong. The spreadsheet pattern is part of what’s getting flagged. Knowing your real answers — even if they aren’t the answers you wish they were — is what keeps the account.

About Aptica

Aptica is a locally owned IT provider serving manufacturers, distributors, engineers, healthcare practices, and professional services firms across Northern Indiana, Southern Michigan, and Northwest Ohio. Founded in 2003 and based in Angola and Fort Wayne. BBB Accredited, A+ rated.

Angola: 113 E Maumee St, Angola, IN 46703 · (260) 243-5100 Fort Wayne: 1690 Broadway, Bldg 19, Suite 10, Fort Wayne, IN 46802 · (260) 243-5182 Web: apticallc.com · Email: info@apticallc.com

Call us. We answer the phone.

How much should Managed IT Services cost?

Use our FREE calculator to see how our predictable pricing compares to the competition. Our interactive calculator provides personalized cost estimates based on your inputs.

Get Free Estimate

Free Assessment

or fill out the form below

Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. If you wish to be removed from receiving future communications, you can opt-out by texting STOP.

Protected by CleanTalk Anti-Spam