When I run a first-time security assessment for a new small business client, one of the first things I check is how many former employees still have working logins. The answer is almost never zero. I have found ex-employees with active email accounts eight months after their last day, VPN credentials that were never revoked, and a shared file drive still syncing to a personal laptop that left the building over a year earlier.
Offboarding gets far less attention than onboarding, because it usually happens during a stressful moment — a resignation, a layoff, a termination — when nobody is thinking about IT. That gap between "employment ends" and "access ends" is exactly where a former employee, or anyone who later gets hold of their credentials, can quietly walk back in.
Why the gap is bigger than owners think
A single employee typically touches more systems than a business owner can list from memory: email, a Microsoft 365 or Google Workspace login, a VPN or remote-desktop credential, a CRM, accounting software, a shared password vault, a handful of browser-saved logins, and often a personal phone with company email or Slack installed. Disabling the obvious one — the company email account — leaves most of that list untouched.
The risk is not usually a vengeful ex-employee. It is a stale account that becomes a target. A former employee's email, still active and still forwarding, is one phishing email away from compromise. A password they reused elsewhere and never changed is one dark web credential dump away from becoming an entry point into your Microsoft 365 tenant. The account does not need to be misused on purpose to cause a breach; it only needs to still exist.
The same-day checklist
A working offboarding process does not need to be complicated. It needs to run the same way every time, on the day employment ends, regardless of whether the departure was friendly or not.
- Disable identity first. Turn off the employee's primary directory account (Microsoft 365, Google Workspace, or on-prem Active Directory) immediately. Because most other business apps use single sign-on tied to that identity, this one step closes a large share of the total access footprint in a single action.
- Revoke MFA and active sessions. Disabling the account is not enough on its own — existing login sessions and app passwords can remain valid until they are explicitly revoked. Force a sign-out of all active sessions and remove any registered MFA devices.
- Reassign, don't delete, the mailbox and files. Convert email to a shared mailbox or forward it to a manager for a transition period, and transfer ownership of any cloud files, shared drives, and CRM records the employee owned to someone still on the team, before the account is removed.
- Pull the device. Recover any company laptop, phone, or hardware token. If the employee used a personal device for email or Slack (a common arrangement at small businesses), remotely wipe the company data and confirm the device is removed from your mobile device management enrollment.
- Rotate shared and vendor credentials. Any login the employee knew that is not tied to their personal identity — a shared social media account, a vendor portal, a shared password vault entry — needs its password changed, not just their individual access removed.
- Remove them from every third-party app. Check your password manager and any SaaS admin console for standalone logins that were never connected to the main directory account. These are the accounts that get missed most often because they live outside the systems IT normally watches.
Make it a checklist, not a memory
The businesses that get this right treat offboarding as a fixed procedure, not a task someone remembers to do. That means a written list tied to your HR process, so IT is notified the same day a resignation is accepted or a termination is decided, not after the employee has already left the building. For involuntary departures, access should be disabled before or during the termination conversation, not afterward.
It also means someone owns the list end to end. In a business without dedicated IT staff, that responsibility often falls through the cracks between HR and whoever happens to manage the router. A managed IT provider can run this as a standing procedure — a single ticket that triggers every step above and confirms each one is done, instead of hoping someone remembers the shared vault password.
The five-minute audit to run today
Pull up your employee directory and your active-user list in Microsoft 365 or Google Workspace side by side. Anyone on the active list who is not on payroll anymore is a live account that should not exist. If you find one, that is your offboarding process working in reverse — it caught the gap late instead of same-day, but it caught it. Use it as the reason to write the checklist down before the next departure happens.
Not sure who still has access to your systems?
30 minutes with a DoD-cleared engineer. We will check your directory against your current payroll, flag any stale or orphaned accounts, and hand you a written offboarding checklist you can run every time someone leaves.
Book your free security assessment