Business Continuity

The Bus Factor: When Your IT Guy Gets Hit By One

By Jeff Wray

*Examples in this article are based on real incidents with details modified for privacy and clarity.*

The call came on a Tuesday. "Our IT director was in a car accident. He didn't make it. We can't access anything—servers, domains, email admin, cloud accounts. Everything was in his head. Can you help?"

What followed was a 6-month nightmare that cost the company $400,000 and nearly ended their business. All because they never asked: "What if?"

The $400,000 Password

Here's what we discovered in the days after the tragedy:

The Digital Lockout:

  • AWS Root Account: Personal email, no documentation
  • Domain Registrar: His Gmail, 2FA on his destroyed phone
  • SSL Certificates: Expiring in 2 weeks, no renewal info
  • Database Passwords: Changed monthly, never written down
  • API Keys: Hardcoded, no backup copies
  • Vendor Accounts: All under personal emails
  • Server Access: SSH keys on his laptop (encrypted)

Time to regain full access: 6 months. Cost: $400,000+

The Recovery Nightmare

You'd think tech companies would have processes for this. You'd be wrong. Here's what it actually takes:

Death Certificates Aren't Magic Keys

AWS wanted: Death certificate, corporate documents, notarized letters, legal opinions, and 3-6 weeks. Meanwhile, your servers are running, billing continues, and you can't change anything.

2FA Becomes 2F-Screwed

That secure two-factor authentication? When the second factor is in a destroyed phone or a dead person's biometrics, you're locked out. Forever. No override. No exception.

Personal Emails = Legal Nightmares

When critical accounts are tied to personal Gmail addresses, you need court orders to access them. That's months of legal work while your business burns.

The Terrible Timeline:

  • Week 1-2: Realize the extent of lockout
  • Week 3-4: Gather legal documents
  • Week 5-8: Submit to vendors, get rejected
  • Week 9-12: Hire lawyers, file paperwork
  • Week 13-16: Some accounts recovered
  • Week 17-24: Rebuild what can't be recovered
  • Month 7+: Still finding locked accounts

The Bus Factor Assessment

"Bus factor" is tech speak for: How many people need to be hit by a bus before your project is doomed? If it's one, you're already doomed.

Calculate Your Bus Factor:

For each critical system, ask:

  • ☐ Who has admin access?
  • ☐ Where are passwords stored?
  • ☐ Who knows the architecture?
  • ☐ Who has vendor relationships?
  • ☐ Who can approve changes?
  • ☐ Who understands the code?

If any answer is "one person," you have a bus factor of 1. That's a crisis waiting to happen.

The Business Continuity Plan You Need

Here's what should exist BEFORE someone gets hit by that metaphorical (or literal) bus:

1. The Digital Vault

Critical Items to Document:

  • ✓ All admin credentials (use a password manager)
  • ✓ Account recovery information
  • ✓ Vendor contact details
  • ✓ System architecture diagrams
  • ✓ API keys and certificates
  • ✓ Domain and hosting details
  • ✓ License keys and subscriptions
  • ✓ Emergency procedures

2. The Access Matrix

Create a simple spreadsheet: System, Primary Admin, Backup Admin, Documentation Location. No single points of failure.

3. The Succession Protocol

  • Designate backup admins for everything
  • Use company emails, not personal
  • Enable account recovery options
  • Document decision-making authority
  • Test the handover process quarterly

Implementation: The 30-Day Plan

Week 1: Discovery

  • ☐ List all critical systems
  • ☐ Identify single points of failure
  • ☐ Document current access
  • ☐ Assess documentation gaps

Week 2: Documentation

  • ☐ Set up enterprise password manager
  • ☐ Document all credentials
  • ☐ Create architecture diagrams
  • ☐ Write emergency procedures

Week 3: Implementation

  • ☐ Migrate to company emails
  • ☐ Add backup administrators
  • ☐ Enable recovery options
  • ☐ Share documentation securely

Week 4: Testing

  • ☐ Simulate key person absence
  • ☐ Test recovery procedures
  • ☐ Update documentation
  • ☐ Schedule quarterly reviews

The Tools That Save Companies

Password Management

  • • 1Password Business
  • • Bitwarden Enterprise
  • • LastPass Teams
  • • Keeper Business

Documentation

  • • Confluence
  • • Notion
  • • SharePoint
  • • Git repositories

The Hard Conversation

Nobody wants to talk about death. But here's the thing: Not talking about it doesn't prevent it. It just ensures maximum damage when it happens.

Questions to Ask Today:

  • • If our IT lead disappeared today, could we access our systems tomorrow?
  • • Do we know where all our passwords are?
  • • Can someone else make critical decisions?
  • • Have we tested our continuity plan?
  • • Are we one tragedy away from closure?

The Bottom Line

Every day you operate with a bus factor of 1 is a day you're gambling with your company's existence. The fix isn't complicated. It's not expensive. It just requires facing an uncomfortable truth:

People die. Systems should survive.

That IT director who died? He was brilliant. He was dedicated. He was irreplaceable as a person. But the technical knowledge should have been replaceable. The access should have been shared. The documentation should have existed.

Don't let your legacy be the company that died because you did.

Need Help Building Business Continuity?

Get a fractional CTO who builds redundancy into everything. No single points of failure.

Protect Your Business →