Somewhere in your systems there is probably an account belonging to a contractor whose engagement ended months, or possibly years, ago. Nobody remembers to disable it because nobody owns that specific task once the invoice is paid and the project is closed out. It sits there quietly, fully functional, waiting for someone — anyone — to notice it still works.
Employee offboarding is usually handled reasonably well because HR owns the process and a leaving date triggers a checklist that includes disabling accounts. Contractor and third-party offboarding falls into a much murkier space: the contract might end quietly, the relationship might taper off rather than terminate formally, and often nobody in particular is responsible for confirming that access was actually revoked once the work concluded. The result is a slow accumulation of dormant accounts, each one a fully credentialed way into your systems that nobody is actively watching, month after month.
A properly scoped internal network pen testing specifically hunts for exactly this kind of forgotten access, because dormant accounts belonging to former contractors are consistently one of the most productive avenues into an internal network. These accounts often carry weaker password hygiene than employee accounts too, since a contractor rotating between multiple clients has little incentive to maintain the same discipline your own staff might follow, and even less reason to update a password for a project that finished long ago.
Third-party access is often broader than the work required
Contractors are frequently granted access broader than their actual task requires, because scoping access precisely takes more effort than granting a standard account with the usual default permissions. A contractor brought in to fix one specific application might end up with access to shared drives, internal communication tools, and systems entirely unrelated to their actual work, all because it was quicker to copy an existing account template than build a narrower one. That excess access does not disappear when the contract ends; it just becomes excess access nobody remembers even existed.
William Fieldhouse has used exactly this kind of account to demonstrate risk to clients more than once.
“I found a contractor account still active eighteen months after the project it was created for had finished, still using the same password the contractor had set up on day one, and it had access to far more than the original task ever needed. Getting into the network with it took less effort than parking the car outside the client’s building that morning.”— William Fieldhouse, Director of Aardwolf Security Ltd
Eighteen months of unnecessary exposure, created by a gap in process rather than any single technical failure, is a strikingly common finding rather than an outlier. Every dormant third-party account is pure risk with no offsetting benefit to the business, sitting there purely because nobody was assigned to close it down when the work finished.
Build offboarding into every contract, not just every hire
Assign clear ownership for revoking contractor and third-party access the moment an engagement ends, and audit existing accounts now to find what has already been forgotten. Aardwolf Security’s external network pen testing regularly uncovers dormant third-party accounts as a route into client networks during assessments. Get in touch to find out what old contractor access might still be sitting open in your own environment.
