An employee puts in their two weeks. HR handles the exit interview, collects the badge, and processes final payroll. Done, right?
Not even close. If nobody revoked their access to email, cloud files, VPN, and a dozen SaaS apps - you just created an open door into your network. And it happens more often than you'd think.
A recent study found that 89% of former employees still had access to at least one corporate application after leaving. Some for weeks. Some for months. That's not a policy gap - it's a breach waiting to happen.
Why This Matters More Than You Think
Most business owners assume departing employees won't cause harm. And most won't. But "most" isn't a security strategy.
- Disgruntled departures happen. An employee who was let go still has access to your CRM, client data, and shared drives? That's a liability.
- Credentials get reused. If their corporate password was the same one they use everywhere else (it was), a breach on any platform exposes yours.
- Compliance requires it. HIPAA, PCI-DSS, and California's CCPA all require access controls. "We forgot to revoke it" isn't a valid defense.
- Shared accounts hide the problem. If three people share a login, you can't tell who's still using it after someone leaves.
The IT Offboarding Checklist
This should happen on the employee's last day - ideally within hours of their departure. Not next week. Not "when IT gets around to it."
1. Disable the Email Account
Don't delete it - disable it. Set up a forwarding rule to their manager or a shared inbox so nothing falls through the cracks. In Microsoft 365 or Google Workspace, convert the mailbox to a shared mailbox so it doesn't consume a license.
Why same-day matters: Email is the gateway to password resets on every other service. If the account stays active, they can reset their way back into anything.
2. Revoke All Cloud and SaaS Access
Go through every application the employee had access to:
- Microsoft 365 / Google Workspace
- CRM (Salesforce, HubSpot, etc.)
- Accounting software (QuickBooks, Xero)
- Project management (Asana, Monday, Trello)
- Communication tools (Slack, Teams, Zoom)
- Remote access (VPN, RDP, TeamViewer)
- Any industry-specific platforms
If you don't have a centralized list of who has access to what - that's problem number one. A managed IT provider maintains this as part of routine operations.
3. Reset Shared Passwords
Any shared credentials the employee knew about need to change immediately. This includes:
- Wi-Fi passwords (especially guest networks they may have shared)
- Shared service accounts
- Door codes and alarm PINs
- Admin passwords they had access to
4. Recover and Wipe Devices
Collect all company-owned devices - laptops, phones, tablets, USB drives. If the employee used a personal device for work (BYOD), remove corporate data through your MDM (Mobile Device Management) solution.
No MDM? That's another gap to close. Without it, you have no way to remotely wipe company data from a personal phone.
5. Revoke MFA and SSO Sessions
Disabling the account isn't always enough. Active sessions and authentication tokens can persist. Force sign-out on all devices and revoke any OAuth tokens or app-specific passwords.
In Microsoft 365: Admin Center → Users → Revoke sessions. In Google: Admin Console → Security → Sign out user.
6. Transfer Ownership of Files and Data
Before anything gets deleted, transfer ownership of:
- Google Drive files and shared drives
- OneDrive and SharePoint documents
- Shared calendars and contacts
- Any automation workflows they created (Power Automate, Zapier)
If you skip this step, you lose institutional knowledge. That project folder with three years of client history? Gone.
7. Review Access Logs
Check the departing employee's recent activity for anything unusual - large file downloads, email forwarding rules they set up, or data exports. This isn't about distrust. It's about due diligence.
Microsoft 365 audit logs and Google Workspace reports make this straightforward.
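To show what "review the logs" looks like in practice, here is an added example (not part of the original post, and not a tool from any vendor) that runs the three checks above over a constructed, simplified audit export: large downloads, forwarding rules the user created, and data exports. The event field names, the corporate domain, the 500 MB threshold and the sample events are all assumptions; a real Microsoft 365 or Google Workspace export uses its own schema, so the parsing step is what you would adapt.

```python
"""Flag offboarding-relevant activity in a departing user's audit trail.

Added example for illustration. The event format below is a constructed,
simplified one; real Microsoft 365 / Google Workspace exports use their own
field names, so parse_events() is the piece to adapt.
"""
import json

CORPORATE_DOMAIN = "example.com"               # assumed corporate mail domain
DOWNLOAD_BYTES_THRESHOLD = 500 * 1024 * 1024   # assumed: 500 MB is "large" here

# Constructed sample events (JSON lines) covering the user's final two weeks.
SAMPLE_EVENTS = """\
{"time":"2024-04-01T09:12:00Z","user":"bob@example.com","action":"FileDownloaded","size":1048576,"target":"Q1 report.xlsx"}
{"time":"2024-04-10T22:41:00Z","user":"bob@example.com","action":"FileDownloaded","size":734003200,"target":"Clients (all).zip"}
{"time":"2024-04-11T07:03:00Z","user":"bob@example.com","action":"InboxRuleCreated","forward_to":"bob.personal@mail-example.test"}
{"time":"2024-04-11T07:05:00Z","user":"bob@example.com","action":"InboxRuleCreated","forward_to":"manager@example.com"}
{"time":"2024-04-12T16:30:00Z","user":"bob@example.com","action":"ReportExported","target":"All Contacts"}
{"time":"2024-04-12T16:31:00Z","user":"alice@example.com","action":"FileDownloaded","size":2097152,"target":"notes.docx"}
"""


def parse_events(jsonl_text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _finding(event, severity, detail):
    return {"time": event["time"], "severity": severity, "detail": detail}


def review_user_activity(events, user, corporate_domain=CORPORATE_DOMAIN,
                         threshold=DOWNLOAD_BYTES_THRESHOLD):
    """Return findings (time, severity, detail) for one user, in time order.

    A forwarding rule to a non-corporate address is high severity; an internal
    one is recorded for the reviewer but not escalated. Individual downloads
    over the threshold are flagged, and so is the total for the whole window,
    which catches many mid-sized downloads that add up.
    """
    findings = []
    total_downloaded = 0
    user_events = sorted((e for e in events if e.get("user") == user),
                         key=lambda e: e["time"])
    for ev in user_events:
        action = ev.get("action")
        if action == "FileDownloaded":
            size = int(ev.get("size", 0))
            total_downloaded += size
            if size >= threshold:
                findings.append(_finding(
                    ev, "high", f"large download: {ev.get('target')} ({size / 2**20:.0f} MB)"))
        elif action == "InboxRuleCreated":
            dest = str(ev.get("forward_to", "")).lower()
            if dest and not dest.endswith("@" + corporate_domain.lower()):
                findings.append(_finding(ev, "high", f"forwarding rule to external address {dest}"))
            else:
                findings.append(_finding(ev, "info", f"forwarding rule to internal address {dest}"))
        elif action == "ReportExported":
            findings.append(_finding(ev, "medium", f"data export: {ev.get('target')}"))
    if total_downloaded >= threshold:
        findings.append({"time": user_events[-1]["time"], "severity": "medium",
                         "detail": f"total downloaded in window: {total_downloaded / 2**20:.0f} MB"})
    return findings


if __name__ == "__main__":
    for f in review_user_activity(parse_events(SAMPLE_EVENTS), "bob@example.com"):
        print(f"{f['time']}  {f['severity']:<6}  {f['detail']}")
```

Run against the constructed sample, the departing user produces five findings (two high: the 700 MB archive and the external forwarding rule); the colleague who downloaded a small file produces none. The point of the window total is that a tidy exfiltration rarely shows up as one oversized file.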
8. Update Your Access Inventory
Document that access was revoked, when, and by whom. Update your master access list. This matters for compliance audits and for the next time someone in the same role leaves.
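Steps 2 and 8 both depend on the same artifact: a list of who has access to what that can be checked against HR's roster. As an added example (not from the original post, and not any vendor's tool), the script below reconciles a constructed access inventory against a constructed HR export and reports every grant that should no longer exist - accounts belonging to terminated staff, and accounts that belong to nobody in the roster at all (the shared-login problem from the list above). Column names, the sample rows and the audit date are assumptions; the exports you actually have will differ.

```python
"""Reconcile an access inventory against the HR roster to find orphaned access.

Added example for illustration. Both CSV exports below are constructed; the
column names are assumptions to adapt to whatever your HR system and access
inventory actually produce.
"""
import csv
import io
from datetime import date

# Constructed HR roster: one row per person, last_day blank while active.
HR_ROSTER_CSV = """email,status,last_day
alice@example.com,active,
bob@example.com,terminated,2024-03-01
carol@example.com,terminated,2024-04-15
"""

# Constructed access inventory: one row per (account, application) grant.
ACCESS_INVENTORY_CSV = """email,application,access_level,granted_on
alice@example.com,Microsoft 365,user,2023-01-10
bob@example.com,Microsoft 365,user,2022-06-01
bob@example.com,Salesforce,admin,2022-06-03
carol@example.com,VPN,user,2023-09-20
ops-shared@example.com,QuickBooks,admin,2021-02-02
"""

DEFAULT_AUDIT_DATE = date(2024, 5, 1)   # assumed "today" for the sample run


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_orphaned_access(roster_csv, inventory_csv, today):
    """Return one finding per grant that should no longer exist.

    A grant is orphaned when its owner is no longer active, or when the owner
    is not in the HR roster at all (a shared or unknown account nobody owns).
    Findings are ordered admin grants first, then by how long they are overdue.
    """
    roster = {row["email"].strip().lower(): row for row in load_rows(roster_csv)}
    findings = []
    for grant in load_rows(inventory_csv):
        email = grant["email"].strip().lower()
        person = roster.get(email)
        if person is None:
            findings.append({**grant, "reason": "not in HR roster (shared or unknown account)",
                             "days_overdue": None})
        elif person["status"].strip().lower() != "active":
            last_day = date.fromisoformat(person["last_day"])
            findings.append({**grant, "reason": "owner terminated",
                             "days_overdue": (today - last_day).days})
    findings.sort(key=lambda f: (f["access_level"] != "admin", -(f["days_overdue"] or 0)))
    return findings


def format_report(findings):
    """Render findings as fixed-width lines suitable for the audit record."""
    lines = []
    for f in findings:
        overdue = "" if f["days_overdue"] is None else f" ({f['days_overdue']} days past last day)"
        lines.append(f"{f['email']:<24} {f['application']:<14} {f['access_level']:<6} "
                     f"{f['reason']}{overdue}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_orphaned_access(HR_ROSTER_CSV, ACCESS_INVENTORY_CSV,
                                             DEFAULT_AUDIT_DATE)))
```

On the constructed data this reports four grants: a Salesforce admin account 61 days past its owner's last day, a shared QuickBooks admin login with no owner in HR, and two user-level accounts. Running this on a schedule, rather than only when someone leaves, is what turns the inventory in step 8 into a control instead of a document.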
The Biggest Mistake: No Process at All
The real problem isn't that businesses do offboarding wrong - it's that they don't have a process at all. IT offboarding gets treated as an afterthought because it's not HR's job, and IT doesn't get notified until days (or weeks) later.
The fix is simple: make IT part of the offboarding workflow from day one. When HR gets a resignation or termination, IT gets notified immediately. Same checklist, every time.
What About Contractors and Vendors?
Employees aren't the only ones with access. Contractors, freelancers, and vendors often have credentials to your systems too. When a project ends or a vendor relationship changes, the same offboarding steps apply.
This is especially common with IT vendors. If you switch providers, make sure the old one's access is fully revoked. Every admin account, every remote tool, every monitoring agent.
How a Managed IT Provider Handles This
A good MSP maintains a complete access inventory for every employee and automates the offboarding process. When someone leaves:
- All accounts disabled within hours
- Shared credentials rotated automatically
- Devices wiped and recovered
- File ownership transferred
- Compliance documentation generated
No checklist to remember. No steps to miss. It's built into the process.
The Bottom Line
Employee offboarding isn't glamorous. It doesn't make for exciting security conversations. But a single overlooked account can lead to data theft, compliance violations, or a full-blown breach - months after someone cleaned out their desk.
Build the process. Follow the checklist. And if you don't have the internal resources to do it consistently, that's exactly what we're here for.
Not sure if former employees still have access?
We'll run a complete access audit and close any gaps - before they become a problem.
Get a Free Access Audit →