ITstuffed

The Zombie SaaS Audit: Former Employees Who Can Still Access Your Systems

Someone leaves your practice on a Friday. By Monday, their email is disabled and their laptop is back in the drawer. What nobody checks is the project management tool they signed up for last quarter, the cloud storage folder they shared with a contractor during that big job, or the CRM access they have had since a previous role. Three months later, those logins are still active.

This is how zombie accounts form. Not through carelessness, but through an offboarding process built around physical assets - laptops, phones, building passes - that was never updated to reflect how people actually use software. The average business now runs well over 100 cloud applications. Most offboarding checklists were written when there were three.

A zombie account is an active login that belongs to someone who no longer works for you. What makes it genuinely dangerous is that it looks completely normal. The access was granted legitimately, and the system has no reason to flag it. If a former staff member walks back in through that door - or if their credentials are compromised after they leave - the access is sitting there waiting. Industry research suggests around half of organisations have found former employees still accessing cloud applications months after leaving, and most discovered it by accident rather than through any deliberate check.

Three categories of application account for most of the risk. The first is cloud storage - tools like OneDrive, Google Drive, or Dropbox. These are where offboarding gets messy fast. Files shared with a personal account during a project, folders set to open link access, guest permissions granted in a hurry - none of these get cleaned up when a licence is removed. The departure triggers a tidy exit on paper. The shared content stays accessible.

The second category is project management and client-facing platforms - tools like HubSpot, Salesforce, Notion, or Asana. These are frequently set up by team leaders rather than anyone in IT, which means they never appear on any offboarding checklist. A former account manager's CRM login, or a practice coordinator's workspace with access to internal strategy documents, can persist for months without anyone noticing.

The third category is the most dangerous: tools IT never knew existed. These are the applications staff signed up for using their work email address - a survey tool, an AI writing assistant, a document editor. They were never formally approved, and they were never formally switched off. When the person leaves, the account stays active, attached to a work email that may now redirect to a general inbox nobody monitors. This kind of ungoverned access is part of a broader pattern of cyber threats targeting small businesses right now.

Running a zombie SaaS audit does not need to be complicated. Start by pulling a list of every cloud application connected to your identity system - whether that is Microsoft 365, Google Workspace, or something else - and cross-reference it against billing records and recent login notifications. Then take the last 12 months of staff departures and check each name against that list. For any application with an admin console, look at who is still active and when they last logged in. Anything months old and belonging to someone who has left gets revoked immediately and documented.
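The cross-reference described above is straightforward to script once the admin-console user lists are exported. The following Python is an added illustration written for this article, not ITstuffed's own tooling; the departures list, the application names, and the per-app exports (email, status, last login) are constructed sample data, and the column names are assumptions about what an admin-console CSV export might contain. It flags every still-active login belonging to someone on the departures list, and separately marks any account that was used after the person's leave date, since that is the finding that needs investigation rather than just revocation.

```python
"""
Zombie SaaS audit: cross-reference staff departures against per-application
user exports and flag accounts that are still active for people who have left.
Added illustration for this article; all names, dates and exports below are
constructed sample data, not real exports.
"""
import csv
from datetime import date

# Constructed sample: HR list of departures for the last 12 months.
DEPARTURES_CSV = """email,name,left_on
jane.doe@example.co.nz,Jane Doe,2024-03-15
tom.smith@example.co.nz,Tom Smith,2024-06-28
"""

# Constructed sample: user exports from each application's admin console.
# Assumed columns: email, status, last_login (ISO date, blank if never).
APP_EXPORTS = {
    "CRM": """email,status,last_login
jane.doe@example.co.nz,active,2024-02-10
anna.lee@example.co.nz,active,2024-09-01
""",
    "ProjectTool": """email,status,last_login
tom.smith@example.co.nz,active,2024-08-05
jane.doe@example.co.nz,suspended,2024-03-01
""",
    "CloudStorage": """email,status,last_login
tom.smith@example.co.nz,active,
anna.lee@example.co.nz,active,2024-09-02
""",
}


def parse_departures(text):
    """Return {email: (name, leave_date)} from the HR export."""
    out = {}
    for row in csv.DictReader(text.splitlines()):
        email = row["email"].strip().lower()
        out[email] = (row["name"].strip(), date.fromisoformat(row["left_on"]))
    return out


def parse_export(text):
    """Normalise one application's user export into a list of dicts."""
    rows = []
    for row in csv.DictReader(text.splitlines()):
        last = row["last_login"].strip()
        rows.append({
            "email": row["email"].strip().lower(),
            "status": row["status"].strip().lower(),
            "last_login": date.fromisoformat(last) if last else None,
        })
    return rows


def find_zombie_accounts(departures, app_exports, as_of):
    """
    A zombie account is an application login that is still active and belongs
    to someone on the departures list. Each finding also records whether the
    login was used after the leave date: that case is an incident question,
    not just a revocation task.
    """
    findings = []
    for app, text in app_exports.items():
        for acct in parse_export(text):
            if acct["status"] != "active" or acct["email"] not in departures:
                continue
            name, left_on = departures[acct["email"]]
            last = acct["last_login"]
            findings.append({
                "app": app,
                "email": acct["email"],
                "name": name,
                "left_on": left_on,
                "last_login": last,
                "days_since_departure": (as_of - left_on).days,
                "used_after_departure": last is not None and last > left_on,
            })
    # Post-departure logins first, then the longest-standing accounts.
    findings.sort(key=lambda f: (not f["used_after_departure"],
                                 -f["days_since_departure"]))
    return findings


def run_audit(as_of_iso):
    """Run the audit over the embedded sample data as of the given date."""
    departures = parse_departures(DEPARTURES_CSV)
    return find_zombie_accounts(departures, APP_EXPORTS, date.fromisoformat(as_of_iso))


def format_report(findings):
    """Render findings as one line per account, ready to paste into a ticket."""
    lines = []
    for f in findings:
        last = f["last_login"].isoformat() if f["last_login"] else "never"
        flag = "  ** LOGIN AFTER DEPARTURE - investigate **" if f["used_after_departure"] else ""
        lines.append(f"{f['app']:<13} {f['email']:<28} left {f['left_on']} "
                     f"({f['days_since_departure']}d ago), last login {last}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_audit("2024-10-01")))
```

In practice the two inputs come from HR and from each application's admin console export; the script deliberately treats any active login of a leaver as a finding, regardless of how old the last login is, because an account nobody has used is still an account that can be used. The sorted output puts the accounts that were used after departure at the top of the list.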

The audit itself is a one-time cleanup. What matters is what comes after it. Use what you find to rebuild your offboarding checklist so it covers cloud applications, not just email and hardware. Enforce multi-factor authentication - a second verification step beyond a password - on all remaining active accounts. Then schedule a review every quarter. That cadence turns a one-off exercise into an ongoing control, and sits alongside the broader steps covered in reducing your risk of a data breach.

For professional services businesses handling client data, the stakes are higher than most. The NZ Privacy Act 2020 requires that personal information is protected from unauthorised access - and a zombie account belonging to a former employee is exactly the kind of gap that creates real exposure. If a breach were traced back to an account that should have been closed months earlier, that is a difficult conversation with the Privacy Commissioner and a harder one with clients. It is also worth knowing that dormant credentials are a common target for password spraying attacks that sweep across an entire organisation at once.

Most Canterbury businesses do not have someone whose job it is to run these checks. That is where managed IT support earns its place - not just keeping the lights on, but making sure the doors are properly locked when people leave.

IT Stuffed ran a full systems cyber security audit for us, which was very eye-opening! They helped us implement the necessary changes and gave us some strategic advice on future steps. Daniel and the team are incredibly dedicated, great communicators and a real pleasure to deal with.

Ruby Williams

Our medium-sized business changed IT providers to IT Stuffed six months ago and the service has been excellent. We are making good progress in strengthening our IT infrastructure and we have more confidence that our data and business security is improving.

Demelza Pearey

If you want to know where your gaps are, ITstuffed offers a 15-minute IT Fit Check. Book one at /booking and we can take a look at how your offboarding process holds up.