
The rise of the “shadow employee”: When ex-employees still have access

Imagine a marketing manager who left a company six months ago, taking their personal laptop with them. On it, unbeknownst to anyone, was a cached login to a shared cloud drive containing sensitive client proposals and campaign strategies – access that was simply overlooked during offboarding. Months later, the ex-employee accidentally drags a folder from that shared drive onto public-facing personal cloud storage, thinking it was their own. The link to this inadvertently exposed data is then discovered by a competitor or a data broker, leading to a massive leak of proprietary information, significant reputational damage, and a loss of client trust. This seemingly innocuous oversight can spiral into a devastating corporate crisis. While this scenario is a little extreme, it is unfortunately not far-fetched in today’s complex digital landscape.

When an employee leaves an organisation, most leaders focus on succession, handovers and HR paperwork. But behind the scenes, another risk often goes unchecked: the “shadow employee”. Retaining access to company systems long after they’ve left, these ex-staff members pose a serious cybersecurity threat that can lead to data breaches, financial loss and reputational damage – even if everyone parted ways with smiles, hugs and pizza.

According to a recent study, 89% of former employees keep valid logins, while 45% retain access to confidential data after departure. Most disturbingly, almost half admitted to continuing to access company systems after leaving. 

“The shadow employee phenomenon is more common than many realise, particularly in organisations with high staff turnover or fragmented and cloud-based systems,” asserts Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa.

She says it often goes undetected because access management tends to focus more on onboarding than offboarding. “When IT and HR operate in silos or access isn’t centrally tracked, it’s easy for credentials, third-party accounts or shadow IT tools to be overlooked,” Collard comments. “It shouldn’t be seen as just a technical issue; it’s a human one, too, where attention to digital hygiene and processes are lacking.”

Risks of rogue access

The threat of shadow employees was brought into sharp focus in 2023 when a US company suffered a major data leak traced back to a former IT consultant whose access to internal drives was never revoked. The incident exposed client information and resulted in a six-figure (dollar denominated, no less) settlement on top of contract losses.

“The risks are serious and multifaceted,” states Collard. “They encompass operational risk, reputational risk and financial risk.” In terms of operational risks, she explains that outdated access rights can disrupt workflows, expose sensitive information or allow unauthorised changes to systems – even inadvertently.

Regarding reputational risk, a data breach caused by a former staff member can erode customer trust and damage brand credibility. “Ex-employees with active credentials can intentionally or unintentionally cause data breaches, leak sensitive information, manipulate internal systems or impersonate staff,” she says.

“In some cases, disgruntled employees may delete or sabotage critical data,” she elaborates. “Even if there’s no malicious intent, the mere presence of active credentials outside of an organisation’s control creates vulnerabilities that threat actors can exploit, especially through credential stuffing or phishing.”

The last risk to organisations involves financial risk. “Rogue access can result in regulatory fines, legal costs and lost revenue,” she says. The reason these security breaches occur is that many organisations treat offboarding as an almost “optional HR thing”, not a cybersecurity event. “They fail to conduct thorough access audits or delay revoking credentials across all systems, especially cloud platforms, collaboration tools and unmanaged software-as-a-service (SaaS) applications,” argues Collard.

Why robust offboarding is key

To close the loop and reduce the shadow employee threat, organisations must build strong offboarding processes that bridge HR and cybersecurity. “It starts with a shared mindset: offboarding must be seen as a collaborative security process, not just an admin task,” she comments.

Another important step is to automate deprovisioning to revoke access in real time. “Integrating identity and access management (IAM) tools and involving security or risk teams in offboarding governance can also help,” she says. Other action items include performing regular access reviews to identify dormant or unauthorised accounts and educating managers to close the gap on shadow IT.

“Make line managers accountable for flagging all tools and systems used by exiting staff and track unofficial tools in your access control system,” she recommends. The HRM Report also noted that “Shadow AI” use is a growing concern across Africa, with 46% of organisations still developing formal AI policies while staff increasingly use generative AI from work networks without checks on credentials or information sharing. This lack of governance around new technologies further underscores the need for robust offboarding processes that account for all forms of access, not just traditional systems.

In conclusion, Collard maintains that former employees shouldn’t keep the digital keys to your organisation’s kingdom. “As the workplace becomes more hybrid and decentralised, organisations must rethink offboarding as a critical component of cybersecurity hygiene,” she emphasises.

 
