
When an employee leaves a company, the process is often familiar: an exit interview, the return of a laptop, and well-wishes for the future. Leaders naturally focus on succession planning and filling the vacant role. But beneath this standard offboarding routine waits a silent and pervasive threat that many organisations are only just beginning to comprehend: the “shadow employee.”
A shadow employee is a former staff member who retains access to company systems long after their departure. They are digital ghosts, possessing the keys to the kingdom without any official presence. And according to a recent study, they are far more common than most businesses realise: a staggering 89% of former employees keep valid logins, and 45% retain access to confidential data.
The threat isn’t always born of malice. Consider the marketing manager who left six months ago, their personal laptop still holding a cached login to a shared cloud drive. Months later, an innocent mistake, dragging a folder to the wrong cloud storage, could inadvertently expose sensitive client proposals to the open internet, leading to a catastrophic data leak.
However, the risk of deliberate malfeasance is equally potent, as a striking example from Uganda laid bare in a courtroom. According to court documents, a former employee of Nile Breweries Limited (NBL) resigned and subsequently joined its direct competitor, Uganda Breweries Limited (UBL). This move prompted an investigation by NBL, which discovered that in the months leading up to his departure, the employee had sent 125 emails from his corporate account to his private email, systematically copying and sharing confidential business secrets without authorization. This case illustrates that the shadow employee threat is not just about retained access after departure, but also the misuse of legitimate access immediately before an exit—a period of heightened risk.
“The shadow employee phenomenon is more common than many realise, particularly in organisations with high staff turnover or fragmented and cloud-based systems,” asserts Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa. She explains that this issue often goes undetected because access management is frequently skewed towards onboarding new hires, with offboarding treated as an afterthought.
“When IT and HR operate in silos or access isn’t centrally tracked, it’s easy for credentials, third-party accounts or shadow IT tools to be overlooked,” Collard comments. “It shouldn’t be seen as just a technical issue; it’s a human one, too, where attention to digital hygiene and processes are lacking.”
The risks posed by these dormant or misused accounts are serious and multifaceted. The Ugandan case demonstrates the direct financial and competitive damage, while a 2023 incident in the US serves as another stark warning: a major data leak was traced to a former IT consultant whose access was never revoked, resulting in a six-figure settlement and significant contract losses.
“Ex-employees with active credentials can intentionally or unintentionally cause data breaches, leak sensitive information, manipulate internal systems or impersonate staff,” Collard states. “In some cases, disgruntled employees may delete or sabotage critical data. Even with no malicious intent, these active credentials create vulnerabilities that threat actors can exploit through credential stuffing or phishing attacks.”
The root of the problem is that many organisations treat offboarding as an administrative HR task, not a critical cybersecurity event. To dismantle the shadow employee threat, companies must build strong, collaborative processes that bridge the gap between HR and cybersecurity.
“It starts with a shared mindset: offboarding must be seen as a collaborative security process, not just an admin task,” Collard emphasises.
In conclusion, the era of assuming offboarding is complete once the physical items are returned is over. In our hybrid and decentralised workplaces, the digital footprint of an employee is vast and often poorly mapped. The case of Nile Breweries is a powerful reminder that the threat is global, real, and can strike at the heart of a company’s competitive edge.
“Former employees shouldn’t keep the digital keys to your organisation’s kingdom,” Collard maintains. “As the workplace becomes more hybrid and decentralised, organisations must rethink offboarding as a critical component of cybersecurity hygiene.”
The shadow employee is a silent crisis waiting to happen. By transforming offboarding from an administrative checklist into a strategic security imperative, businesses can finally lay their digital ghosts to rest.