Dormant Accounts and Permission Creep: The Hidden Cyber Risk
- Feb 23

Most breaches don’t start with sophisticated zero-day exploits. They start with something far more ordinary: an account that should have been disabled… but wasn’t.
As businesses grow, employees change roles, contractors come and go, vendors rotate, and software tools pile up. Access is granted quickly to keep things moving. But it’s rarely reviewed with the same urgency. Over time, permissions accumulate. Accounts linger. Admin rights stick around long after they’re needed.
This gradual accumulation of rights that nobody revisits is called permission creep (or privilege creep), and together with the dormant accounts it leaves behind, it is one of the most overlooked security gaps in SMBs.
Why This Happens in SMB Environments
Speed over process: In smaller teams, access is often granted informally. There’s no structured approval or quarterly review process.
Role changes aren’t tracked carefully: When someone moves from operations to management, they often keep access to both systems.
Contractors and vendors are forgotten: Temporary access becomes permanent simply because no one remembers to remove it.
Offboarding gaps: HR processes may remove email access but overlook SaaS apps, cloud consoles, shared drives, or service accounts.
The Real Risk Behind Old Accounts
Dormant accounts are dangerous because they’re quiet. They don’t trigger suspicion. But attackers look for them deliberately: credential stuffing from old breach dumps and password spraying work best against accounts that nobody is watching and that may never have been enrolled in MFA.
Here’s why they’re valuable targets:
Passwords are rarely updated: Old accounts often keep weak or reused passwords, which may already be sitting in a public breach dump, and frequently predate any MFA requirement.
Monitoring is minimal: If no one expects the account to be active, suspicious activity may go unnoticed.
Excessive permissions remain intact: A former admin account with elevated privileges can become a direct path to sensitive systems.
In many breach investigations, compromised credentials belonged to former employees or unused service accounts that had not been reviewed in years.
The Warning Signs You May Have a Problem
You don’t have a full list of active user accounts across all systems.
Access reviews happen “when someone remembers.”
Shared admin accounts are still in use.
There is no documented offboarding checklist covering every cloud and SaaS platform.
Service accounts don’t have owners assigned to them.
If any of these feel familiar, your exposure is likely higher than you think.
How SMBs Can Tighten Identity Control
Quarterly access reviews: Review all accounts and permissions across email, cloud, SaaS, and internal systems.
Enforce least privilege: Every user should only have the minimum access required for their current role.
Automate offboarding workflows: Deactivation should be triggered by the HR system or identity provider on the leaver’s last day, not by someone remembering to do it, and it should cover every SaaS app, cloud console, shared drive, and VPN, not just email. Any shared password or API key the person knew should be rotated at the same time.
Assign ownership to service accounts: Every non-human account should have a documented business owner responsible for review.
Eliminate shared credentials: Replace shared admin accounts with individual accounts and role-based access so every action is logged to a person. If a break-glass admin account must exist, keep its password in a vault, require MFA, and alert on every use.
Monitor for dormant activity: Set alerts for logins from accounts that have been inactive for extended periods, and go one step further by automatically disabling accounts that pass a fixed inactivity window (90 days is a common starting point) so that a reactivated account is a deliberate decision rather than a surprise.
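To make the review and monitoring items above concrete, here is an added example (not code from the original post, and not tied to any particular product) of the checks an access review would run over an account export. It assumes a hypothetical inventory format with invented field names (name, type, enabled, role, owner, last_login), a login log of (account, timestamp) events, a 90-day dormancy threshold, and a naming convention in which shared accounts start with "shared-". The data is constructed for illustration.

```python
"""Identity-hygiene audit over a constructed account inventory.

Added example; field names, thresholds and the "shared-" naming
convention are assumptions for this illustration, not a real export.
"""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # review threshold; tune per policy

# Constructed sample inventory (not real data). One record per account,
# merged from whatever systems the business runs.
ACCOUNTS = [
    {"name": "alice", "type": "user", "enabled": True, "role": "manager",
     "owner": "alice", "last_login": "2024-05-30T09:12:00Z"},
    {"name": "bob-contractor", "type": "user", "enabled": True, "role": "admin",
     "owner": "bob-contractor", "last_login": "2023-11-02T17:40:00Z"},
    {"name": "svc-backup", "type": "service", "enabled": True, "role": "admin",
     "owner": "", "last_login": "2024-05-29T02:00:00Z"},
    {"name": "shared-admin", "type": "user", "enabled": True, "role": "admin",
     "owner": "", "last_login": "2024-05-31T08:00:00Z"},
    {"name": "carol", "type": "user", "enabled": False, "role": "staff",
     "owner": "carol", "last_login": "2022-01-10T08:00:00Z"},
]

# Constructed login events (account, UTC timestamp).
LOGINS = [
    ("alice", "2024-06-01T08:00:00Z"),
    ("bob-contractor", "2024-06-01T03:15:00Z"),  # first login in ~7 months
]

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' format used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(accounts, now=NOW, threshold=DORMANT_AFTER):
    """Return (account, finding, severity, detail) tuples for a review.

    Checks: dormant enabled accounts (admin role raises severity),
    service accounts with no documented owner, and shared accounts.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled; nothing left to review
        idle = now - parse_ts(a["last_login"])
        if idle > threshold:
            sev = "high" if a["role"] == "admin" else "medium"
            findings.append((a["name"], "dormant", sev, f"idle {idle.days}d"))
        if a["type"] == "service" and not a["owner"]:
            findings.append((a["name"], "unowned-service-account", "medium", ""))
        if a["name"].startswith("shared-"):  # naming convention assumed
            findings.append((a["name"], "shared-credential", "high", ""))
    return findings


def dormant_login_alerts(accounts, logins, threshold=DORMANT_AFTER):
    """Alert on a login to an account whose previous login is older than
    `threshold`: the 'quiet account suddenly wakes up' signal.

    Returns (account, timestamp, days_since_previous_login) tuples.
    """
    last_seen = {a["name"]: parse_ts(a["last_login"]) for a in accounts}
    alerts = []
    for name, ts in sorted(logins, key=lambda e: e[1]):
        t = parse_ts(ts)
        prev = last_seen.get(name)
        if prev is not None and t - prev > threshold:
            alerts.append((name, ts, (t - prev).days))
        last_seen[name] = t  # update so repeated logins don't re-alert
    return alerts


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print("REVIEW", *f)
    for a in dormant_login_alerts(ACCOUNTS, LOGINS):
        print("ALERT dormant-account-login", *a)
```

Run against the sample data, the review flags bob-contractor as a dormant admin account (high severity), svc-backup as a service account with no owner, and shared-admin as a shared credential, and the login monitor raises one alert for bob-contractor’s login after roughly seven months of silence. In practice the inventory would be built from each system’s user export (identity provider, cloud console, SaaS admin APIs), and a "dormant" finding should feed a disable-or-justify decision rather than just a report.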
The Bigger Picture: Access Equals Risk
In today’s environment, access is the new attack surface. Every active account represents a potential entry point. The more permissions accumulate without review, the wider that surface becomes.
For SMBs, this isn’t about complexity—it’s about discipline. Clean identity hygiene dramatically reduces breach probability without requiring massive infrastructure changes.
Summary: Remove What You Don’t Need
Cybersecurity isn’t just about adding more tools. Sometimes it’s about subtracting risk. Dormant accounts and excessive permissions quietly expand your attack surface over time. By implementing structured access reviews, tightening privileges, and automating offboarding, SMBs can significantly reduce exposure without disrupting operations.