The ‘Zombie App’ Audit: 3 Tools Former Employees Still Have Access To

Article Summary:
Most small businesses do a good job of removing email access when an employee leaves—but often miss all the other tools that person was using. “Zombie accounts” are leftover logins, permissions, and sessions that stay active after someone leaves or changes roles. A simple SaaS audit helps small businesses find these hidden risks and shut them down before they turn into a security problem.
Someone leaves your small business on a Friday. By Monday, their email account is disabled, and their laptop is returned.
Sounds like everything is locked down, right?
Not quite.
What often gets missed is everything else—like the project management tool they signed up for, the cloud folders they shared, or the CRM access they still have from a previous role.
Three months later, some of those accounts may still be active.
This is how “zombie accounts” happen. Not because anyone is careless, but because most offboarding processes in small businesses were built around securing devices and email—while today’s work happens across dozens of apps.
Even small teams now rely on a growing number of SaaS tools. The problem is, offboarding processes haven’t kept up.
What a Zombie Account Actually Is
A zombie account is an active login tied to someone who no longer works for your business.
The term may sound casual, but the risk is real—especially for small businesses that don’t have large IT teams constantly auditing access.
What makes zombie accounts dangerous is that nothing looks suspicious. These were legitimate logins that were never removed. If a former employee still has access—or if their credentials get compromised later—that door is still wide open.
Research has shown that many organizations discover former employees still accessing systems months after leaving—and for small businesses, those gaps can be even easier to miss.
The 3 Apps Small Businesses Most Often Forget
Cloud Storage and Collaboration Tools
Think Google Drive, OneDrive, and Dropbox.
For small businesses, this is usually where things get messy:
- Files shared with personal email accounts
- Guest access granted for one-time projects
- “Anyone with the link” permissions still floating around
Even if you remove a user’s license, these shared files and links often stay active.
Project Management and CRM Platforms
Tools like Asana, Monday.com, Notion, HubSpot, and Salesforce are commonly set up by team members—not IT.
In small businesses, this is especially common. A manager signs up for a tool to solve a problem quickly, and it never makes it onto an official checklist.
That means offboarding can miss things like:
- A former sales rep still logging into the CRM
- A past project manager still having access to internal documentation
The Tools You Didn’t Know Existed
This is the biggest blind spot for most small businesses.
Employees often sign up for tools using their work email—things like:
- Survey tools
- AI writing assistants
- Data or reporting platforms
If those tools weren’t formally tracked, they won’t be formally shut down.
When the employee leaves, those accounts just sit there… still active.
How Small Businesses Can Run a “Zombie App” Audit
Step 1: Build Your SaaS List
Start with what you know:
- Microsoft 365 (Entra ID) or Google Workspace
- Billing/subscription records
- Email notifications from app logins
Even a basic 30-minute review can uncover most of your high-risk tools—especially in a small business environment.
Step 2: Cross-Check Past Employees
Look back at employees who’ve left in the past 12 months.
For each app:
- Can you see active users?
- Are any former employees still listed?
- When was their last login?
If someone who no longer works for your business still has access—that’s a zombie account.
Step 3: Remove Access and Set a Process
Once identified:
- Remove the access immediately
- Document what you found
- Update your offboarding checklist
For small businesses, the goal is to make this repeatable—not complicated.
Going forward:
- Require multi-factor authentication (MFA)
- Schedule a quarterly review of SaaS access
This turns a one-time cleanup into a simple ongoing habit.
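As an added example (not part of the original article), here is one way to run the Step 2 cross-check with a short Python script instead of by eye. The CSV columns, app names, and people are constructed for illustration; each tool's real user export will need mapping to these three fields.

```python
import csv
import io
from datetime import date

# Constructed sample: HR list of leavers with their last working day.
LEAVERS_CSV = """email,left_on
jsmith@example.com,2025-03-14
mlee@example.com,2025-06-30
"""
# Constructed sample user exports, one per app. The column names
# (email, status, last_login) are assumptions, not any vendor's real format.
APP_EXPORTS = {
    "crm": """email,status,last_login
JSmith@example.com,active,2025-05-02
akhan@example.com,active,2025-09-01
""",
    "project_tool": """email,status,last_login
mlee@example.com,active,2025-06-12
jsmith@example.com,suspended,2025-03-10
""",
    "survey_tool": """email,status,last_login
mlee@example.com,active,
""",
}

def load_leavers(text):
    """Map lower-cased email -> departure date."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): date.fromisoformat(r["left_on"]) for r in rows}

def find_zombies(leavers, exports):
    """Return still-active accounts that belong to people who have left."""
    findings = []
    for app, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = row["email"].strip().lower()  # exports often differ in case
            if email not in leavers or row["status"].strip().lower() != "active":
                continue
            raw = row["last_login"].strip()
            last = date.fromisoformat(raw) if raw else None  # blank = never/unknown
            findings.append({"app": app, "email": email, "last_login": last,
                             "login_after_exit": last is not None and last > leavers[email]})
    # Accounts used after the departure date go to the top of the list.
    findings.sort(key=lambda f: (not f["login_after_exit"], f["app"], f["email"]))
    return findings

if __name__ == "__main__":
    for finding in find_zombies(load_leavers(LEAVERS_CSV), APP_EXPORTS):
        print(finding)
```

Matching is by work email only, so files shared to personal addresses and shared logins still need a manual check.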
Turning Offboarding Into a Security Habit
Zombie accounts don’t go away on their own. Small businesses need to actively look for them.
The good news is, you don’t need a huge IT department to do it—just a simple process and a regular review cycle.
Taking the time to run a SaaS audit now can prevent a much bigger issue later.
FAQs
How are zombie accounts different from inactive accounts?
A zombie account belongs to someone who has left your small business entirely—there’s no reason for them to still have access. An inactive account might still belong to a current employee who just hasn’t logged in recently.
What’s the fastest way for a small business to find zombie accounts?
Start with your identity system (like Microsoft 365 or Google Workspace), then compare that list with employees who have left in the past year. That alone will uncover most issues.
Do shared logins create problems too?
Yes—and they’re harder to manage. Small businesses should avoid shared accounts whenever possible and switch to individual logins for better security and visibility.
How often should small businesses review SaaS access?
Quarterly is a solid baseline. You should also review access anytime an employee leaves.
About the author
Don is a technically sophisticated and business-savvy professional with a career reflecting strong leadership qualifications coupled with a vision dedicated to the success of small businesses. His skills include the deployment of IT technologies including custom desktops, small networks, and hardware/software solutions all with a focus on the management of security and efficiency to promote growth.
After graduation from the University of Missouri-Columbia, Don spent over 20 years developing and honing his management skills in the small business community in and around the Columbia area.
Coupled with the passion and skills in IT technology, he looks to assist businesses to become highly productive and more profitable with the right IT solutions.