5 Myths About Employee Offboarding That Leave Your Business Wide Open


“We disabled their email the same day they left.” That’s what the office manager told us. She was right — the email was shut off within hours. But the departing employee still had active logins to Dropbox, the project management app, and the CRM they signed up for six months ago. Nobody even knew about two of them.

If you think your offboarding process covers everything, you’re probably wrong. And you’re not alone.

Industry research has found that roughly half of organizations have discovered former employees still accessing company SaaS applications months after their departure. For most of those companies, the discovery was accidental — not the result of anyone actually checking.

These are called “zombie accounts.” And for small businesses in Bradenton and Tampa Bay, they’re one of the most overlooked security risks hiding in plain sight.

5 Myths About Employee Offboarding That Put Your Business at Risk

Myth #1: “We Disabled Their Email, So We’re Covered”

Email is just the front door. The average company now uses over 100 SaaS applications. Your offboarding checklist was probably written when there were three.

When someone leaves your accounting firm or insurance agency, their email gets turned off. But what about the cloud storage folder they shared with a contractor? The Slack workspace? The scheduling tool they signed up for with their personal email? The accounting software they accessed from their home laptop?

Every one of those is still a live door into your business.

Myth #2: “Our IT Guy Handles All of That”

Your IT provider can only deactivate accounts they know about. The problem is that employees sign up for tools on their own — using work email, personal email, or both. This is called shadow IT, and it’s everywhere.

A study by Productiv estimated that shadow IT accounts for 50-60% of SaaS applications at many organizations. Your IT team can’t revoke access to apps they’ve never heard of.

Myth #3: “If They Haven’t Logged In, There’s No Risk”

A dormant account isn’t a safe account. It’s a target. If a former employee’s credentials get compromised in a data breach — and they reused their password (most people do) — anyone with those stolen credentials can walk right in.

The account is still valid. The permissions are still active. There’s no alert because the system has no reason to flag a “legitimate” login. For a wealth management firm or law practice handling sensitive client data, that exposure can go undetected for months.

Myth #4: “We’re Too Small to Worry About This”

Actually, small businesses are more vulnerable to this problem. Larger companies often have identity management systems that automatically revoke access across platforms when someone is removed from the directory. Most small businesses in Bradenton and the Tampa Bay area don’t have that.

You’re relying on a manual checklist — and manual checklists miss things. Especially when the person leaving set up accounts nobody documented.

Myth #5: “Former Employees Wouldn’t Do Anything Malicious”

Maybe not. But it doesn’t matter. A zombie account doesn’t require the former employee to do anything wrong. Their credentials can be stolen in an unrelated breach. A hacker who buys a list of compromised logins doesn’t care that the account belongs to someone who left your company in March. They just know it works.

The Verizon Data Breach Investigations Report consistently identifies credential abuse as a leading factor in breaches. Zombie accounts are valid credentials with no one watching them — the perfect entry point.

The Three Places Zombie Access Hides

Cloud storage. Google Drive, OneDrive, and Dropbox are where zombie access causes the most immediate damage. Former employees may still have shared folders with client data, financial records, or internal documents.

Project and communication tools. Slack, Microsoft Teams, Asana, Monday.com — collaborative tools often retain access until someone manually removes it. Conversations, files, and client details are all exposed.

Industry-specific platforms. Practice management software, CRMs, and billing systems that employees signed up for directly. These often fall outside standard IT oversight entirely.

What You Should Do Right Now

1. Run a SaaS audit. Make a list of every cloud application your business uses — and ask your team to be honest about what they’ve signed up for on their own. You’ll be surprised.

2. Build a real offboarding checklist. Go beyond email and laptops. Include every SaaS platform, shared folder, and third-party tool. Update it every time you add a new service.

3. Check for active sessions from former employees. Review login activity on your major platforms. If someone who left three months ago still shows recent access, you have a problem.

4. Use single sign-on (SSO) where possible. SSO ties all app access to one identity. When that identity is disabled, access to everything connected to it goes away automatically. It’s the closest thing to a “kill switch” for departing employees.
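The audit in steps 1 and 3, expressed as a script so it can be repeated every time someone leaves. This is an added example, not code from the original post or from Reef Cyber Security; the staff rosters and the SaaS account export are constructed sample data standing in for an HR list and the user exports your apps let you download.

```python
from datetime import datetime

# Constructed sample data (not from any real tenant): current staff, departed
# staff with their last day, and a merged export of SaaS accounts as
# (app, login, enabled, last_login). Names and apps are placeholders.
ACTIVE_STAFF = {"alice@example.com"}
DEPARTED_STAFF = {
    "jane@example.com": datetime(2024, 3, 15),
    "tom@example.com": datetime(2024, 1, 8),
}
SAAS_ACCOUNTS = [
    ("Dropbox", "jane@example.com", True, datetime(2024, 6, 2, 9, 14)),
    ("CRM", "jane@example.com", True, datetime(2024, 3, 10, 17, 5)),
    ("Slack", "tom@example.com", False, datetime(2024, 1, 7, 8, 0)),
    ("Asana", "tom@example.com", True, None),  # never used, still enabled
    ("CRM", "alice@example.com", True, datetime(2024, 6, 3, 11, 20)),
    ("Scheduler", "jane.smith@gmail.com", True, datetime(2024, 5, 20, 7, 30)),
]


def find_zombie_accounts(active, departed, accounts):
    """Return (app, login, finding) triples that need offboarding action.

    LOGIN_AFTER_DEPARTURE: the account was used after the owner's last day.
    ENABLED_AFTER_DEPARTURE: not used since departure, but still a live door.
    UNKNOWN_OWNER: the login matches nobody in the directory (shadow IT or a
    personal-email signup) and has to be traced to a person by hand.
    """
    findings = []
    for app, login, enabled, last_login in accounts:
        if login in active:
            continue  # current employee; not an offboarding concern
        if login not in departed:
            findings.append((app, login, "UNKNOWN_OWNER"))
            continue
        if not enabled:
            continue  # already revoked; nothing to do
        last_day = departed[login]
        if last_login is not None and last_login > last_day:
            findings.append((app, login, "LOGIN_AFTER_DEPARTURE"))
        else:
            findings.append((app, login, "ENABLED_AFTER_DEPARTURE"))
    # Most urgent first: active use after departure, then merely enabled.
    order = {"LOGIN_AFTER_DEPARTURE": 0, "ENABLED_AFTER_DEPARTURE": 1, "UNKNOWN_OWNER": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for app, login, finding in find_zombie_accounts(ACTIVE_STAFF, DEPARTED_STAFF, SAAS_ACCOUNTS):
        print(f"{finding:24} {app:10} {login}")
```

Accounts flagged ENABLED_AFTER_DEPARTURE are the dormant logins Myth #3 warns about; the UNKNOWN_OWNER list is your starting point for the shadow IT conversation in step 1.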

Most small businesses don’t have a zombie account problem because they did something wrong. They have one because the way people use software changed faster than their offboarding process did.

Book a free 15-minute risk assessment with Justin and Sara at Reef Cyber Security. We’ll help you find the zombie accounts hiding in your business and build an offboarding process that actually covers everything — not just email.
