Preventing ‘Ghost User’ Account Security Risks

Updated October 6, 2023


Today’s workplace is dynamic, with employee roles changing constantly. Some employees resign or get fired, while others get promoted. Roles change so often that even employees who seem not to be experiencing any change will eventually retire from their position in your organization.

This might feel like business as usual for most departments in your organization, but for the keen IT leader, these transitions pose a security threat. As employees change roles within the company, inactive accounts become an issue, since most will have to be offered new accounts. Employees who leave your organization also leave behind inactive accounts.

Here is why such ghost accounts are a security loophole and how to mitigate the risks involved:

What Is The Security Risk?

Hackers tend to look for the easiest and least detectable route when trying to attack your organization, and having multiple inactive accounts increases the number of attack vectors. The fact that you have an access rights management policy in place plays in their favor, especially if they get their hands on an account with superior privileges. If they gain access to your systems, they can wreak havoc ranging from data theft to system downtime.

Spiteful ex-employees, too, can gain access to these accounts, especially if you do not change the passwords for accessing them. With their previous understanding of how your organization works, they can move on to access various parts of your organization and steal your most valued company secrets. The risk increases further when no one is monitoring the accounts.

Monitoring All Accounts Should Be the First Step

Regardless of whether accounts are active or inactive, no single account should be left unmonitored by the organization. You should set baselines to determine the normal functioning of all accounts. If any anomalies appear, your IT team should investigate the affected account.

For instance, you might notice an account that normally downloads data during the weekend showing increased download activity during the week. Such red flags should be looked into not only for inactive accounts but also when monitoring the active ones.

Collaboration Between Departments Matters

It is one thing to have the infrastructure in place to remove inactive accounts and another to have the information to do so. The IT department cannot excel in account management alone and often has to work in tandem with other departments such as HR. Officials from the HR department are supposed to communicate with the IT department about an employee who has changed roles or has left the organization.

If the employee was fired, their accounts should be removed instantly. For employees who have changed roles within the last twelve months, assess the IT assets that they had access to under both accounts and determine whether their current role requires access to the same. You should then remove one account, giving priority to the one that doesn’t fit the current access requirements.

Accounts Should Run Under Least Privilege Access

It’s vital to have limits on what employees can access and at what time of the day. With a least-privilege access policy in place, you can mitigate the risk of insider threat. Periodically, you should also re-certify access to all accounts in the organization, regardless of whether they are owned by employees or key business leaders. This will limit the room for error since all inactive accounts will be stripped of their access. Such accounts can then be decommissioned.
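The HR-to-IT handoff and the periodic re-certification described above can be run as a reconciliation between an HR roster and a directory export. The following Python is an added example, not code from the original article; the record layout, the sample data, and the 90-day idle threshold are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not real records): HR status per employee id,
# and a directory export with one row per account.
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
DIRECTORY = [
    {"account": "asmith", "owner": "E100", "enabled": True, "privileged": False, "last_login": date(2023, 10, 2)},
    {"account": "bjones", "owner": "E101", "enabled": True, "privileged": True, "last_login": date(2023, 9, 30)},
    {"account": "clee", "owner": "E102", "enabled": True, "privileged": False, "last_login": date(2023, 10, 4)},
    {"account": "clee-sales", "owner": "E102", "enabled": True, "privileged": False, "last_login": date(2023, 3, 1)},
    {"account": "svc-old", "owner": "E999", "enabled": True, "privileged": True, "last_login": None},
    {"account": "dkim", "owner": "E101", "enabled": False, "privileged": False, "last_login": date(2023, 1, 5)},
]

def find_ghost_accounts(roster, accounts, today, max_idle_days=90):
    """Return [(account, [reasons])] for enabled accounts needing review.

    max_idle_days is an assumed threshold; set it from your own baseline.
    """
    enabled = [a for a in accounts if a["enabled"]]  # disabled accounts cannot be logged into
    per_owner = Counter(a["owner"] for a in enabled)
    findings = []
    for acct in enabled:
        reasons = []
        status = roster.get(acct["owner"])
        if status is None:
            reasons.append("no matching HR record")
        elif status != "active":
            reasons.append(f"owner is {status}")
        if acct["last_login"] is None:
            reasons.append("never logged in")
        elif (today - acct["last_login"]).days > max_idle_days:
            reasons.append(f"idle {(today - acct['last_login']).days} days")
        # Role changes often leave a second account behind for the same person.
        if status == "active" and per_owner[acct["owner"]] > 1:
            reasons.append("owner holds multiple enabled accounts")
        if reasons:
            findings.append((acct["privileged"], acct["account"], reasons))
    # Privileged accounts first, since they carry the most risk if taken over.
    findings.sort(key=lambda f: (not f[0], f[1]))
    return [(name, reasons) for _, name, reasons in findings]

if __name__ == "__main__":
    for name, reasons in find_ghost_accounts(HR_ROSTER, DIRECTORY, date(2023, 10, 6)):
        print(f"{name}: {'; '.join(reasons)}")
```

Accounts flagged with multiple reasons, or flagged while privileged, are the ones to decommission or re-certify first.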


Good IT housekeeping on its own is never enough to counter the security risks that lie in inactive user accounts. It takes a combination of monitoring user accounts and collaborating with other departments. Remember, removing ghost user accounts reduces the attack vectors that hackers can use.
