When an employee leaves a company, the focus typically turns to handovers, farewell messages and HR paperwork. Yet behind the scenes, a far less visible risk often remains — one that could cost businesses millions.

The so-called “shadow employee” is a growing cybersecurity threat: ex-staff members who retain access to company systems, cloud drives or software long after they’ve gone. Whether through oversight or poor offboarding, these digital loose ends can expose sensitive data, damage reputations and open doors for cybercriminals.

A recent study found that 89% of former employees still had valid logins, while 45% retained access to confidential data after leaving. Even more alarming, almost half admitted to actively accessing company systems post-departure.

“The shadow employee phenomenon is more common than many realise, particularly in organisations with high staff turnover or fragmented and cloud-based systems,” says Anna Collard, Senior Vice President of Content Strategy and Evangelist at KnowBe4 Africa.

She explains that many breaches stem from gaps between IT and HR processes. “When IT and HR operate in silos or access isn’t centrally tracked, it’s easy for credentials, third-party accounts or shadow IT tools to be overlooked. It shouldn’t be seen as just a technical issue; it’s a human one, where attention to digital hygiene and processes are lacking.”

FROM OVERSIGHT TO OUTRAGE

In one high-profile case in 2023, a US firm suffered a major data leak traced back to a former IT consultant whose access to internal drives had never been revoked. The exposure triggered legal settlements and contract losses running into six figures.

“The risks are serious and multifaceted,” Collard warns. “They encompass operational risk, reputational risk and financial risk.”

Operationally, lingering access can disrupt workflows or allow unauthorised system changes. On the reputational front, a data breach caused by a former employee can quickly destroy client confidence. “Ex-employees with active credentials can intentionally or unintentionally cause data breaches, leak sensitive information, manipulate internal systems or impersonate staff,” she says.

Some cases turn malicious. “Disgruntled employees may delete or sabotage critical data,” Collard notes. “Even if there’s no malicious intent, the mere presence of active credentials outside of an organisation’s control creates vulnerabilities that threat actors can exploit, especially through credential stuffing or phishing.”

Financially, the fallout can be brutal — from regulatory fines and legal costs to lost revenue. “Rogue access can result in regulatory fines, legal costs and lost revenue,” she adds. “The problem is that many organisations treat offboarding as an optional HR process rather than a cybersecurity event.”

CLOSING THE DOOR — AND LOCKING IT

Experts say the solution lies in treating offboarding with the same rigour as onboarding. “It starts with a shared mindset: offboarding must be seen as a collaborative security process, not just an admin task,” Collard explains.

Automation can help close the gaps. “Integrating identity and access management tools and involving security or risk teams in offboarding governance can also help,” she suggests. Regular access reviews and manager accountability are equally vital. “Make line managers accountable for flagging all tools and systems used by exiting staff and track unofficial tools in your access control system.”

The challenge extends beyond traditional software. The HRM Report recently warned that “shadow AI” usage is emerging as a new risk across Africa, with nearly half of organisations still lacking formal AI policies while employees use generative tools without oversight.

Collard’s final warning is clear: “Former employees shouldn’t keep the digital keys to your organisation’s kingdom. As the workplace becomes more hybrid and decentralised, organisations must rethink offboarding as a critical component of cybersecurity hygiene.”