A company can have a secure website, well-maintained server, strong passwords and backups, but if former employees, partners or people who were granted temporary access can still access critical systems, the risk doesn't go away.
Sometimes there's no need for a breach - an active account that should have been disabled long ago is enough.
Why do access rights often remain active?
Over several years, an employee can be connected to the website, CRM, file storage, hosting, domains, code repository, supplier platforms or internal systems.
When someone leaves, the main accounts are usually handled, but if there's no clear access list, some accounts remain active.
Not because they're needed. Simply because no one knows they still exist.
The same applies not only to employees, but also to external partners: agencies, developers, designers, consultants or freelancers.
Access is granted for a specific job, but once it's completed, the access remains active.
Why is disabling just the main account not always enough?
If access is managed centrally in a company, disabling an employee's email or main work account can automatically revoke access to main systems. However, not all access is always linked to the central account.
Separate logins to website administration, advertising accounts, hosting, domains, code repositories, supplier platforms, project management tools or internal systems can remain active if they are not reviewed separately.
The same applies to shared passwords, API keys, document access, integrations and external partner accounts.
Therefore, in the employee departure process, it's important to check not only the main company account, but also all systems where access may have been created separately.
What's worth checking?
You can start with very simple questions:
What systems do we use?
Who has administrator rights?
Are there any former employee accounts?
What access do external partners have?
Do we use shared passwords?
Are there logins with personal email addresses?
Who has access to domains, hosting and servers?
Who can manage advertising accounts?
Who can access customer data?
When an employee leaves, do we have a clear list of what needs to be disabled?
If these questions are difficult to answer quickly, the problem is already clear: access is not fully controlled.
Where to start?
There's no need to start with a complex system.
The first step is a simple access list:
what systems you use
who is connected to them
who has administrator rights
which external partners have access
where shared logins are used
who is responsible for each system
what must be disabled when someone leaves
This will establish the foundation for an access management process.
One forgotten account can be a greater risk than a weak password.