Are You Still Leaving Former Employees' Cloud Accounts Active?
Are former employees' email and shared-drive access still active? A look at a common blind spot in account management for small and midsize businesses, and fixes to start today.
Are You Still Leaving Former Employees' Cloud Accounts Active?
Account offboarding is the process of disabling or deleting the email, shared drive, and business-system access that an employee used, at the appropriate time when they leave or change roles. Account creation at hiring time is usually handled carefully, but shutting accounts down at departure is often deprioritized — it is not unusual to discover, years later, that an account belonging to someone who left long ago is still active.
Why This Happens So Often at Small and Midsize Businesses
Many cloud services can be signed up for and paid for by individuals, so it is common for a department or a single staff member to contract for a tool on their own. As a result, the company often has no central record of who has access to which service under which ID, and when someone leaves, nobody is quite sure which accounts should be shut down.
On top of that, offboarding is frequently treated purely as an HR and general-affairs task, with no involvement from whoever handles IT. If news of a departure never reaches the person responsible for IT (or an outsourced IT support provider), shutting down the account simply never becomes anyone's job.
The Risks of Leaving Unused Accounts Active
| Risk | Description |
|---|---|
| Data exfiltration | A former employee can keep accessing customer records or files they viewed while employed |
| An entry point for attackers | Unused accounts tend to have looser password management, making them an easier target for takeover |
| Findings in audits or partner reviews | Security audits or a business partner's credit/vendor review may flag poor account management, affecting business terms |
| Accidental or unintended sharing | Leftover access to shared drives or tools can lead to unexpected actions or information being shared |
Steps You Can Start Today
Rebuilding account management from scratch can feel daunting, but starting by simply mapping out the current state keeps the workload manageable. Most of the following can be done without a dedicated IT staff member.
- Build an account inventory: list which service, which person, and which ID has access
- Retire shared logins: if multiple people share one login, switch to individual accounts
- Add an IT step to the offboarding checklist: make "disable accounts" an explicit line item in the HR offboarding process
- Turn on multi-factor authentication: add authentication beyond just a password for key services
- Do a periodic review: every six months to a year, cross-check the list of active accounts against current staff
Watch for the Accounts That Are Easy to Forget
Account management usually brings email and shared drives to mind first, but plenty of other access points get overlooked just as easily. The login for the company's social media accounts, the ad platform's admin panel, the domain/DNS management console, or an administrator ID that was temporarily handed to an outside design or development firm — these are rarely touched day to day, and are exactly the kind of thing that falls off a checklist when someone leaves or a contract ends. When doing an inventory, it helps to include these high-privilege but rarely-used systems alongside the everyday tools like email, chat, and storage.
Building a Pre-Departure Checklist
One effective approach is to prepare an "IT departure checklist" to use as soon as someone's departure is confirmed. Listing the relevant services (email, chat, cloud storage, accounting/sales systems, etc.) along with who is responsible for disabling each account and by when, reduces the chance of a gap between HR and whoever handles IT. If this is also a good moment to review contracts or vendors, the pre-order checklist is a useful reference.
Outsourcing Account Management
For companies without the capacity for a dedicated IT staff member, outsourcing account management itself is an option. It is worth reviewing typical pricing for outsourced IT support and considering handing off routine tasks such as periodic reviews and offboarding to an outside partner. The risks of adding more systems without dedicated IT staff are covered in the guide to introducing systems without an IT staff.
What This Typically Costs
The cost of building out account management varies a great deal depending on how many services are already in use and whether outsourcing is part of the plan, so it is hard to state a single figure. Turning on multi-factor authentication is often free or low cost on its own, while building an inventory or outsourcing ongoing management adds a monthly running cost. It is worth getting quotes from multiple providers and comparing them; the complete maintenance guide is a useful reference for thinking about ongoing operational costs generally.
Pair This with a Broader Review of Cloud Usage
Account management is easiest to sort out at the same time as a broader review of cloud contracts and operating rules. If a cloud migration or a new service rollout is already being considered, the guide to planning a cloud migration is worth reading alongside this, since building account rules in from the start of a contract is far easier than trying to catch up later.
Frequently Asked Questions
Should a former employee's account always be disabled on their last day?
Depending on handover needs, a few days' grace period is sometimes necessary, but as a rule the account should be disabled on the last day or within a few days at most. Deciding the disable date in advance is what matters most.
We have many individually contracted cloud services and no full picture. Where should we start?
Start by asking the main departments and staff what services and accounts they actually use for work. Even just building a basic inventory significantly reduces the chance of missing an account at offboarding time.
Won't adding multi-factor authentication make daily work more complicated?
There is a small amount of added friction at first, but with a smartphone app it usually takes only a few seconds. Compared to the potential damage from unauthorized access, the added burden is generally considered small.
In Summary
Accounts that stay active after an employee leaves are a risk that many small and midsize businesses simply have not noticed yet. Building an account inventory, retiring shared logins, adding an IT step to the offboarding checklist, and enabling multi-factor authentication are all steps that require no major system investment and can start today. The first step is simply mapping out what services and accounts the company actually has.
Related free tools (no sign-up, instant results)
Feel free to contact us
Contact Us