FLR Spectron

Ghost Accounts: The Forgotten Logins Putting Businesses at Risk

September 4, 2025 - News

When employees or contractors leave, their access should leave with them. Too often it does not. These forgotten “ghost accounts” remain active and create an invisible weakness inside business systems.

After a summer break, many employees come back with new priorities. Some decide it is time to move on, while others return from holiday and hand in their notice soon after. This wave of change creates churn in logins and permissions, and it is at these moments that ghost accounts are most likely to be forgotten.

“The risk is not that someone has left,” says Kamran Bahdur, CIO at FLR Spectron. “It is that their login still exists weeks or months later. That account is effectively a spare key lying under the doormat.”

Studies Show the Scale of the Problem

Recent research has found that over 70% of enterprise environments still contain dormant service accounts with elevated privileges.

“This is not a small oversight,” explains Kamran. “These accounts often carry administrator rights, which means they can bypass normal restrictions. If attackers gain access to one, they are not just peeking at data. They can move across systems, change configurations, and even create new accounts to cover their tracks.”

Kamran notes that service accounts often go unnoticed because they are not tied to a person. A business might set one up to automate a process or to connect a system. Once the immediate need has passed, the account is easy to forget and can remain active long after it serves any purpose.

“Unlike personal logins, service accounts do not expire when someone leaves,” he notes. “That makes them easy to forget during access reviews. Yet they are often the accounts with the deepest reach into a business. Attackers know this, and they look for them because the reward is so high.”

Research shows the issue runs deeper than privileged accounts. A study by Varonis found that 34% of user accounts in the average business are inactive but still enabled. In almost half of the organisations surveyed, that meant more than 1,000 ghost accounts sitting idle. 

Oort reported a similar pattern, with around 24% of accounts in some businesses left dormant. Those accounts attracted over 500 takeover attempts each month on average, showing attackers are actively hunting for them.

“The message is clear,” Kamran says. “Dormant accounts are not background noise. They are actively targeted by attackers, and privileged accounts are the most dangerous of all. Businesses cannot afford to ignore them.”

Why Hybrid Workforces Face Greater Risk

Hybrid work has made identity management far more complicated. Each new tool or subscription brings another login to track. Add in contractors coming and going, or short-term project teams, and the number of accounts can quickly get out of hand.

“SMEs often underestimate how fast this sprawl grows,” Kamran warns. “One shared drive here, a project tool there, and suddenly you have dozens of platforms with little visibility of who still has access. When contractors finish, their logins are the ones most likely to be forgotten.”

Shared accounts remain common in smaller teams, yet they create a serious blind spot. When one person leaves and the password does not change, everyone who still knows the details can walk straight back in. That single oversight can put the whole organisation at risk.

How to Prevent Ghost Accounts

Dealing with ghost accounts is not about buying expensive tools. The businesses that stay ahead usually do a few simple things consistently:

  1. Review access on a schedule. Check active accounts against a current list of staff and contractors. Any mismatch should be investigated, not ignored.
  2. Put time limits on temporary users. Contractor or test accounts should expire by default unless someone has a reason to extend them.
  3. Use identity management tools. A central view across cloud and on-premise systems makes it easier to spot logins that are no longer in use.
  4. Treat offboarding as essential. Every staff departure should trigger an access review. A short checklist is often enough to stop mistakes.
  5. Back it up with MFA. Even if an account is missed, multi-factor authentication makes it much harder for an attacker to use stolen credentials.
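As an added example (not part of the article or FLR Spectron's own tooling), the reconciliation those steps describe expressed as a Python check over constructed account records: enabled accounts whose owner is no longer on the roster, temporary accounts past their end date, and dormant accounts that still hold elevated rights. The 90-day dormancy threshold and the record fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER_DAYS = 90  # assumed review threshold; the article gives no number

@dataclass
class Account:
    name: str
    owner: Optional[str]           # responsible person; None for an unowned service account
    enabled: bool
    last_login: Optional[date]
    privileged: bool = False
    expires: Optional[date] = None  # set for contractor or test accounts

def review(accounts, roster, today):
    """Map each enabled account that needs action to its findings; roster = people currently on staff or under contract."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is not a ghost
        issues = []
        if a.owner is not None and a.owner not in roster:
            issues.append("owner-left")  # step 1: the account outlived its person
        if a.expires is not None and a.expires < today:
            issues.append("expired")  # step 2: temporary account past its end date
        dormant = a.last_login is None or (today - a.last_login).days > DORMANT_AFTER_DAYS
        if dormant:
            issues.append("dormant")  # no sign-in inside the threshold
        if dormant and a.privileged:
            issues.append("dormant-privileged")  # the service-account case the article stresses
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample data: a current roster and five accounts.
TODAY = date(2025, 9, 4)
ROSTER = {"alice", "bob"}
ACCOUNTS = [
    Account("alice", "alice", True, TODAY - timedelta(days=1)),
    Account("carol", "carol", True, TODAY - timedelta(days=120)),  # left, still enabled
    Account("ctr-dave", "dave", True, TODAY - timedelta(days=5), expires=date(2025, 8, 31)),
    Account("svc-backup", None, True, TODAY - timedelta(days=400), privileged=True),
    Account("erin", "erin", False, None),  # correctly disabled at offboarding
]

if __name__ == "__main__":
    for name, issues in review(ACCOUNTS, ROSTER, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```

In practice the account list would come from a directory or identity platform export and the roster from HR, and anything flagged feeds the investigation step 1 calls for rather than being disabled blindly.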

“Good identity management is no different from good housekeeping,” Kamran says. “If you keep on top of it, you avoid the clutter that later turns into risk.”

Staying Proactive on Identity Security

Ghost accounts may be invisible day to day, but their impact is real. They are silent exposures that undermine trust, and they can be the easiest way for an attacker to get inside. For SMEs balancing hybrid work and seasonal staffing changes, staying on top of identities is one of the simplest ways to stay secure.

At FLR Spectron, we help businesses take control of identity security. From access reviews to full audits of hybrid IT environments, our goal is to give leaders a clear view of where the risks are and how to close them.

If you would like to talk through your own setup, reach out, and one of our specialists will be happy to walk you through the options.
