When someone leaves your business, the focus is usually on handovers, exit interviews, and collecting equipment. Meanwhile, their digital access often carries on quietly in the background.
In many organisations, digital access is not switched off as cleanly as it should be. An email account remains live. A Microsoft 365 licence is still assigned. Permissions to the CRM, project platforms, or shared drives sit unchanged.
Often, nobody notices straight away.
This is rarely about a former employee trying to get back into systems. More commonly, it is a gap in process. Offboarding is handled as an HR formality, while the technical steps happen later or rely on manual follow-up. The result is an active account with no owner.
That dormant access is the real issue. Unused accounts are easier to overlook in monitoring, attractive to attackers, and costly when licences continue to run in the background. Sensitive data remains technically accessible when it should already be locked down.
For professional services, care providers, and regulated businesses in particular, that gap carries real consequences.
The Hidden Risks Behind a Casual Goodbye
A returned laptop and a handshake do not close the loop. Over time, employees accumulate access to far more than a single login. Email, CRM systems, finance platforms, shared drives, social media accounts, industry-specific software, remote access tools, and internal servers all become part of their digital footprint.
Without a structured process, something will be missed.
Dormant accounts are attractive targets. If a former employee reused a password that later appears in a breach, attackers may test it against your systems. Because the account is legitimate, activity can look normal at first glance. That creates a compliance headache as well as a security one, particularly where personal, financial, or clinical data is involved.
Access that should have expired becomes an unmanaged risk sitting inside your environment.

Offboarding Is a Security Control
IT offboarding should sit alongside your other core security controls. It needs to be consistent, documented, and triggered automatically whenever someone leaves, regardless of the circumstances.
The process should begin as soon as notice is given. HR and IT need to coordinate closely. That collaboration is what prevents last-minute scrambles or missed accounts.
Start with visibility. Maintain a clear inventory of systems, applications, licences, and devices assigned to each employee. You cannot revoke access to systems you have forgotten about. For organisations that have grown quickly or adopted new SaaS tools organically, this step alone often highlights gaps in governance.
From there, the goal is straightforward: remove access in a controlled and traceable way.
A Practical Offboarding Checklist
A checklist turns good intentions into repeatable action. While every organisation will tailor the detail, a solid framework usually includes:
Immediate account disablement:
Revoke primary network credentials, email access, VPN connections, and remote desktop privileges as soon as employment ends.
Password resets for shared resources:
Update credentials for shared mailboxes, social media accounts, finance systems, and team folders the individual could access.
Cloud and SaaS access removal:
Remove permissions across Microsoft 365, Google Workspace, CRM platforms, collaboration tools, and sector-specific applications. Single Sign-On can simplify this by centralising control.
Device recovery and data protection:
Collect all company devices. Apply secure data wipes before reissuing hardware. Where mobile devices are enrolled in MDM, ensure remote wipe capabilities are used if required.
Email management and continuity:
Forward email to a manager or replacement for a defined period, typically 30 to 90 days, to protect client relationships. Set an automatic response that directs contacts appropriately. Afterward, archive or remove the mailbox in line with your retention policy.
Transfer of ownership:
Reassign ownership of cloud documents, shared files, and project workspaces. Confirm critical information is not sitting solely in a personal folder or local device.
Activity review:
As part of standard governance, review recent access activity before closing accounts. This helps confirm that data handling aligns with policy and provides reassurance for compliance purposes, particularly where sensitive client or patient information is involved.
In regulated sectors, these steps support audit readiness as much as they protect data.
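The inventory and activity-review steps above can be checked mechanically by reconciling the HR leaver list against an account export. The script below is an added example, not part of the original article; the CSV column names and all sample records are constructed assumptions, not the format of any particular identity platform.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver list and an account inventory export.
HR_LEAVERS = """employee_id,last_day
E101,2024-03-29
E102,2024-04-12
E103,2024-04-30
"""

ACCOUNTS = """employee_id,system,enabled,licensed,last_sign_in
E101,email,true,true,2024-04-20
E101,crm,false,false,2024-03-28
E102,email,false,true,2024-04-11
E102,vpn,true,false,
E103,email,true,true,2024-04-29
E104,email,true,true,2024-05-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(hr_csv, accounts_csv, as_of):
    """Return (employee_id, system, issue) for every access left behind."""
    last_day = {r["employee_id"]: date.fromisoformat(r["last_day"])
                for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        left = last_day.get(acct["employee_id"])
        # Skip current staff and leavers whose last day has not passed yet.
        if left is None or left >= as_of:
            continue
        who, system = acct["employee_id"], acct["system"]
        if acct["enabled"] == "true":
            findings.append((who, system, "account still enabled"))
        if acct["licensed"] == "true":
            findings.append((who, system, "licence still assigned"))
        seen = acct["last_sign_in"]
        if seen and date.fromisoformat(seen) > left:
            findings.append((who, system, "sign-in after last day"))
    return findings


if __name__ == "__main__":
    for finding in find_offboarding_gaps(HR_LEAVERS, ACCOUNTS, date(2024, 4, 25)):
        print(*finding, sep=" | ")
```

Run on a schedule against real exports, an empty result is the evidence that offboarding completed; a sign-in after the last day is the finding to escalate first.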
What Happens When It Goes Wrong
Poor offboarding can surface in uncomfortable ways.
A departing team member may leave with a full client database. A developer could retain access to code repositories. A healthcare provider might discover patient data stored in a personal mailbox. Even where there is no bad intent, accidental retention of sensitive data can trigger regulatory scrutiny under frameworks such as GDPR and sector-specific standards.
There is also the quieter issue of cost. SaaS sprawl is common in growing organisations. Licences remain active long after someone has left, slowly inflating monthly spend. Each forgotten subscription points to a wider governance issue that deserves attention.
Individually these gaps may seem minor. Collectively they erode control.
Building a Culture of Secure Transitions
Security is not only about firewalls and endpoint protection. It is also about how access is granted and how it is withdrawn.
Set expectations early. Make it clear in onboarding and security awareness training that system access is tied to employment and managed formally at every stage. Handling departures consistently removes ambiguity and protects everyone involved.
Documentation matters too. A recorded, auditable process provides evidence for regulators, insurers, and clients. It also makes the process scalable as your organisation grows or restructures.
Turning Departures into an Opportunity
Every employee exit is an opportunity to tidy up access, review permissions, and validate your controls. Treated properly, offboarding becomes a routine security checkpoint rather than a reactive task.
If your current process relies on manual emails between HR and IT, or on someone remembering to disable accounts at the end of the day, there is room for improvement. Automation, centralised identity management, and clear ownership significantly reduce risk.
At PS Tech, we help organisations design and implement structured offboarding processes that align with compliance requirements and operational realities. It is about protecting your data, maintaining client trust, and keeping governance tight without adding unnecessary friction to your team.
Secure transitions are part of running a resilient business.
Offboarding FAQs
What is the biggest mistake companies make during offboarding?
Delay. Even a short gap between departure and access removal creates unnecessary exposure. Immediate, coordinated action between HR and IT reduces that window.
Does offboarding matter if the employee leaves on good terms?
Yes. Risk is not limited to disgruntled staff. Accounts can be compromised, credentials can be reused elsewhere, and accidental data retention can still create compliance issues.
What is the first IT step when an employee gives notice?
Create or review a complete list of their systems, applications, devices, and access rights. That inventory drives the rest of the process and ensures nothing is overlooked.
How can we manage offboarding across multiple apps and tools?
A Single Sign-On platform centralises authentication. Disabling one account can automatically revoke access to connected systems, reducing the chance of missed applications.
