Authored by: Bryan Lachapelle, President & CEO
Many businesses don’t realize how much access employees still have after they leave. When someone exits an organization, every login, account, and permission they used should be carefully removed. When that process is rushed or unstructured, it leaves behind what’s known as an insider threat - even though the employee is no longer there.
Most of the time, this isn’t about bad intentions. It’s simple oversight. Old accounts get forgotten, unused software subscriptions keep billing, and sensitive information may still live in personal inboxes or cloud folders. Those loose ends can quietly turn into entry points for cybercriminals. Failing to remove access properly isn’t just risky - it’s an open invitation for problems that can range from awkward to business-ending.
Handing in a laptop and saying goodbye doesn’t mean the offboarding process is complete. Over time, employees collect access to many systems: email, shared drives, CRM tools, cloud platforms, social media accounts, finance software, and internal servers. Without a clear process, something will almost always get missed.
Old accounts are especially attractive to attackers. If a former employee reused a password and that password is later compromised, a hacker may gain trusted access without triggering alarms. Industry groups like ISACA consistently point out that former employee access is one of the most overlooked security gaps.
Beyond security, this can also create compliance headaches. Leaving access behind increases the risk of violating data protection and privacy requirements - often without anyone noticing until it’s too late.
IT offboarding isn’t just an HR task - it’s a core security practice. It should be fast, consistent, and thorough for every departure, whether someone resigns or is let go. The process should start before the employee’s final day. HR and IT need to work closely together, using a shared checklist and a clear handoff. The most important starting point is knowing what access the employee actually has. You can’t secure what you don’t know exists.
A checklist turns good intentions into action. Here’s a practical framework you can adapt to your organization:
- Disable access immediately
  Remove primary logins, network access, VPN credentials, and remote desktop connections as soon as employment ends.
- Change shared passwords
  Update passwords for shared email accounts, social media logins, shared folders, and departmental tools.
- Remove cloud access
  Revoke permissions for platforms like Microsoft 365, Google Workspace, Slack, project management tools, and other SaaS systems. Using single sign-on makes this much easier to manage.
- Collect and secure devices
  Retrieve all company-issued equipment and securely wipe devices before reassigning them. Use mobile device management tools to remotely wipe phones or tablets if needed.
- Handle email properly
  Forward emails to a manager or replacement for a defined period (usually 30–90 days), set an auto-reply, then archive or remove the mailbox.
- Transfer ownership of files and projects
  Make sure important documents, folders, and cloud projects don’t live only in personal accounts.
- Review recent access activity
  Look at what systems and data were accessed before departure, especially if sensitive customer or financial information was involved.
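One way to verify the checklist was actually carried out is to reconcile HR's departure list against an account export from each system. The script below is an added example, not part of the original article; the usernames, system names, dates, and the export layout are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumption, not from the article): HR departure
# dates and an account inventory exported from each system.
DEPARTURES = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 4, 15)}
ACCOUNTS = [
    # (system, user, enabled, last_login, licensed)
    ("vpn", "jdoe", False, date(2024, 2, 28), False),
    ("crm", "jdoe", True, date(2024, 3, 9), True),
    ("email", "asmith", False, date(2024, 4, 14), True),
    ("file-share", "asmith", True, date(2024, 4, 10), False),
    ("crm", "bnguyen", True, date(2024, 5, 2), True),  # current employee
]


def audit_offboarding(departures, accounts):
    """Return sorted (user, system, finding) tuples for every account that
    belongs to a departed user and still has a loose end."""
    findings = []
    for system, user, enabled, last_login, licensed in accounts:
        left_on = departures.get(user)
        if left_on is None:
            continue  # still employed, out of scope for this audit
        if enabled:
            # Access was never disabled in this system.
            findings.append((user, system, "still enabled"))
        if last_login is not None and last_login > left_on:
            # Someone used the account after the employee's last day.
            findings.append((user, system, "login after departure"))
        if licensed:
            # Subscription seat is still assigned and likely still billing.
            findings.append((user, system, "license still assigned"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, finding in audit_offboarding(DEPARTURES, ACCOUNTS):
        print(f"{user:8} {system:12} {finding}")
```

A "login after departure" finding deserves the closest look, since it means the account was used, not merely left behind.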
The risks of poor offboarding are very real. Sensitive data can be copied, deleted, or altered. Client lists can walk out the door. Critical systems can be damaged, intentionally or accidentally. Even unintentional data retention on personal devices can trigger compliance issues and fines under privacy regulations. There’s also a financial cost. Software licenses and subscriptions often continue billing long after an employee has left. This “SaaS sprawl” may seem minor at first, but over time it adds up - and it’s a clear sign that access isn’t being governed properly.
Good security practices don’t stop when someone joins your organization - they extend to how people leave. Make offboarding expectations clear from the beginning and include them in security awareness training. This reinforces the idea that system access is tied to employment, not personal ownership. Documentation matters, too. Recording each step creates an audit trail, supports compliance, and ensures the process stays consistent as your organization grows.
Every departure is an opportunity to tighten security, clean up unused accounts, and strengthen your overall access controls. When offboarding is treated as a standard, repeatable process, it closes gaps before they can be exploited. Former employees shouldn’t linger in your systems. A proactive, well-documented offboarding process protects your data, your finances, and your reputation - and gives your team peace of mind.
If you’d like help building or automating a secure offboarding process, we can help you put the right controls in place.
