Managing departures: the hacker is your former user

François Poulet


Product Manager at Youzer


The departure of employees is a crucial stage in a company, yet it is the one that is least dreamed of and therefore neglected.


The departure of employees is a crucial stage in a company's life, yet it's the one that most people don't dream of, and which is therefore neglected.

There are many reasons for leaving a company, and if you look hard enough, you'll quickly find advice on how to give your employer an 'honest' reason.
The fact is, a high proportion of people leave their jobs for negative reasons (low pay, bad atmosphere, poor management, boredom, pressure, etc.), except you won't know it.

Some people leave their company with a strong feeling, and that's the problem.

The desire to do harm can be strong, and it's up to you to defuse these situations and make them safe.

desire to harm one's employer

IT offboarding

We have detailed the reasons for offboarding from a human point of view, with user management at stake.

I'd like to take a different angle here, and look at the benefits of offboarding for IT. If the manager and human resources have a strong interest in ensuring a proper offboarding, the role of IT in offboarding is just as crucial, but why?

In fact, it doesn't have a direct impact on the employee, but on the company's security. This is what we'll be looking at.

An employee who leaves his or her job also leaves a set of tools and software to which he or she had access accounts. Imagine forgetting to claim your company's access badge? The consequences could range from annoying to serious, depending on the sector in which you operate. Reclaiming keys and access badges is rarely something you forget to do when you leave.

Now imagine that you forget to retrieve all the accounts to which the employee had access and close them. If you can't visualize it, it's the same as the badge example, but at the level of company data.

These so-called active accounts of departed users are called orphan accounts, and are a form of shadow IT. If you'd like to find out more, we've explained what shadow accounts are in our previous article.

Orphan accounts

An orphan account is an active computer account that is not associated with a user, or whose user is no longer present in the company.

Orphan accounts are created indirectly by the employee lifecycle.

employee life cycle in a company

IT services are involved in parts 2, 3 and 4 of an employee's life cycle! It's also the dark side of the life cycle.

  • On integration, the employee becomes a user who needs physical hardware and software accounts. IT has to create a number of accounts for them, such as AD, e-mail, collaborative and communication tools, and those specific to their field.
  • As the user's career progresses, he or she will need new software and applications. They may even change jobs and departments. IT will have a role to play in this evolution, as the stakes are high: to avoid shadow IT at all costs, and thus the use of accounts not listed by the IT department. Dialogue must be open, and the list of accounts must be well catalogued and monitored. At this stage in the employee's life, the IT department must ensure that the access granted to the employee is in line with his or her position and hierarchical level. If necessary, monitor certain sensitive accounts. For example, if a person joins management, certain accesses become highly sensitive. If a person leaves the sales department for another department, certain customer/prospect accounts need to be suspended and closed.
    ⚠ Beware, it's in this phase that some orphan accounts appear!
  • The departure: the user leaves the company and heads off for new adventures in another company or for another project. At this point, IT plays a major role in the company's security. ALL the employee's accounts must be suspended and then closed. It's at this last stage that most orphan accounts are created.

For parts 3 and 4 (progression and departure), orphan accounts are often created because IT is unaware of job changes and employee departures. This is a problem of communication between HR departments, managers and IT.

  • The manager doesn't report certain account transfers from one person to another to the IS department, they don't talk about the new app they've been testing, etc.
  • HR people don't report job changes or departures to the IT department, because they're often overworked and don't think about the IT department, not out of contempt, but simply out of forgetfulness or ignorance.

Result: the HR file doesn't match the IT user file at all.

Go to our price list page!

Or speak to an expert at

Is there really any point in managing 'ghost' accounts?

We understand that the whole issue revolves around the transmission of information:

  • software and applications used
  • access rights granted
  • account transfers carried out
  • employee transfers
  • employee departures

At this point, you might say, "Okay, but how do we keep our AD and software healthy? Do you realize that we're overloaded with tasks too? Why bother with something that doesn't even add value to anyone in the company?

And therein lies the problem.

Yes, you're right, you're not giving the user any satisfaction by deleting their old accounts, nor their manager, nor even HR, so why all this article?

How does a cyber attack work in this case?

Once the accesses were discovered, the hackers explored the company's data for several weeks, finding other privileged administrator accesses and downloading as many gigabytes of data as possible.

Once the hackers have taken everything they need, they finalize their attack by deploying ransomware that will encrypt the entire company's data, or they will purely delete data such as virtual servers. This really is the final blow after a long attack.


It's a scary word! But what is it doing in the middle of this topic?

Your former employee may become your future security breach, directly or indirectly.

  • your former colleague has a grudge against the company + administrator accounts still active
  • your former colleague is approached by cyber-attackers who offer him a handsome sum of money in exchange for his still-open access.
  • your former colleague still has active accounts, but has no intention of harming you. However, hackers discover these active accounts and take them over.

Don't forget the more difficult, but just as high-risk cases, such as the death of an employee or leaving due to illness. Accounts remain open.

Cyberattack due to phantom accounts

How to protect yourself against phantom account attacks?

The simplest is the most obvious: avoid having ghost accounts ^^.

Clean up your orphan accounts

An identity and access management (IAM) tool will be your ultimate weapon in the fight against orphan and ghost accounts. An identity and access management solution will enable you to cross-reference two files: the HR file (HRIS) with employees and their arrival and departure dates, and the IT file (Active Directory) with users and their accounts.

In this way, you will receive alerts in the event of :

  • file mismatch (employees who have left)
  • employee departure
  • misalignment of rights for access to certain software and functions on their workstations.

The IAM solution will also report to you any duplicates, accounts not attached to any user... Your role will be to resolve these reports.

Easily detect the active accounts of departed users

Do you have a question?

Thank you, we've received your question and will reply as soon as possible.
If you have any questions about our offers, please consult our price list page or contact us on
See you soon!
Oops! a field has been filled in incorrectly 😖

Monitor your privileged accounts

If you still have some shadow IT, take a look at privileged accounts.

Attackers will always be looking for an account with broad privileges - that's their priority. It's almost a factor in the success of an attack.

The downside is that, with the rise of SaaS tools in the cloud, privileged accounts are proliferating, if only to maintain and protect SaaS applications.

That's why it's important to pay special attention to these accounts and make them secure. The more difficult it is to navigate your servers, the easier it will be to detect the hackers' movements. The idea, of course, is to detect their presence as early as possible in the attack.

Privileged accounts need to be monitored. You can also do this with an IAM tool.

View all users registered in each group

Carry out your updates

Configure your infrastructure protection tools correctly, and above all, keep up to date and apply patches. According to the Ponemon Institute, unpatched vulnerabilities led to 60% of data breaches in 2019.

Keep your software up-to-date

Departures, IT's weakest link

Departures are often the weakest point in corporate security. The orphan accounts and shadow IT created by these departures are currently an inexhaustible source of cyberattack.

Active administrator accounts of departed users represent just as high a risk as weak passwords, malicious attachments, phishing and so on.

If you'd like to discuss how to manage shadow IT, orphan accounts, duplicates... and clean up your AD, we'd be delighted to help.

Récap'IT the IT Newsletter

Get the best of the month's IT news.
Market developments, IT trends, cyberattacks in France... a digest of the month's IT news.

We have been unable to confirm your registration.
Your registration is confirmed! You'll receive your next Récap'IT at the end of the month 😊

Recommended items

Discover Youzer, the first
platform for easy management of your users and their access.