Someone’s leaving your business. Maybe they resigned. Maybe they were let go. Either way, in the rush of transition, it’s easy to forget about something important: their access to your systems.

Former employees with active credentials are a security incident waiting to happen. Let’s make sure it doesn’t.

Why This Matters

A few scenarios that keep me up at night:

The disgruntled departure. Someone was terminated and isn’t happy about it. Their email still works. They can still access the shared drive. Maybe they decide to delete some files or download customer data on their way out.

The accidental access. A former employee’s credentials get phished six months after they leave. The attacker logs in to your systems using the still-active account. You don’t notice because you’re not watching accounts of people who don’t work there anymore.

The forgotten service account. That developer set up their personal API key for a critical integration. They left. The key still works. Nobody remembers it exists until something breaks or gets exploited.

The compliance nightmare. An auditor asks for evidence that terminated employees have their access removed within 24 hours. You can’t prove it because you don’t have a process.

The Immediate Offboarding Checklist

The moment you know someone is leaving (or has left), these need to happen:

Core Identity and Access

• Disable primary user account (Active Directory, Azure AD, Google Workspace)
• Reset password as additional precaution
• Disable or remove MFA tokens/devices
• Remove from all security groups and distribution lists
• Revoke VPN access
• Disable remote desktop access
• Remove from any zero-trust/conditional access policies

Email

• Convert mailbox to shared mailbox or set up forwarding to manager
• Remove mobile device associations
• Check and remove any mail forwarding rules
• Remove from shared mailboxes
• Update out-of-office message indicating departure

Cloud and SaaS Applications

• Deactivate Microsoft 365 / Google Workspace account
• Remove from Slack, Teams, or other collaboration tools
• Revoke access to CRM (Salesforce, HubSpot, etc.)
• Remove from accounting software (Xero, MYOB, QuickBooks)
• Deactivate project management tools (Asana, Monday, Jira)
• Remove from password manager shared vaults
• Revoke social media account access
• Check for and remove any third-party app integrations they authorised

Physical and Network

• Collect laptops, phones, tablets
• Collect access cards, keys, fobs
• Disable building access
• Change alarm codes if they knew them
• Remove from any network or wifi guest lists

Secrets and Credentials

• Rotate any shared passwords they knew
• Revoke API keys or tokens they created
• Change any service account passwords they had access to
• Update wifi passwords if shared
• Invalidate any active sessions

Documentation and Records

• Document the date and time of access removal
• Log who performed each action
• Note any issues or exceptions
• Archive any relevant communications

The 24-48 Hour Follow-Up

Some things need a second look after the initial rush:

• Verify all account disablements are working
• Check for any login attempts (legitimate or suspicious)
• Review cloud storage for any bulk downloads before departure
• Check email for any suspicious forwarding that was added
• Confirm device collection and wipe
• Notify relevant vendors or clients of the departure

The Special Cases

Privileged Users and IT Staff

If the departing employee had admin access:

• Audit all admin actions in the weeks before departure
• Change all admin passwords they knew
• Review any configuration changes they made
• Check for any backdoor accounts they could have created
• Review firewall rules and network configurations
• Rotate encryption keys if they had access
• Consider engaging a third party for security review

The uncomfortable truth: a malicious admin can do a lot of damage, and hiding it. For departures that aren’t entirely friendly, professional paranoia is appropriate.

Contractors and Temporary Staff

These often get forgotten:

• Verify contract end date matches access expiry
• Remove access to any project-specific resources
• Recover any loaned equipment
• Remove from communication channels
• Update any project documentation with new contacts

Remote Workers

• Arrange equipment return shipping
• Verify all devices are returned
• Remote wipe any mobile devices
• Check for any personal devices with work data
• Revoke any home network access that was set up

Building the Process

Having a checklist is nice. Having an actual process is better.

Assign responsibility. Who owns offboarding? It might be HR, IT, or both. Make it clear, and make sure they know what’s expected.

Trigger the process automatically. When HR marks someone as terminated in your HR system, that should automatically trigger IT actions. Don’t rely on someone remembering to send an email.

Use a ticketing system. Create an offboarding ticket with the checklist. Track completion. Have a manager sign off.

Set SLAs. Critical access (email, financial systems, customer data) should be removed within hours. Secondary access can wait a day. Define what’s what.

Audit regularly. Monthly, review recently departed employees and verify their access is actually removed. You’ll be surprised how often something was missed.

What About Knowledge Transfer?

Offboarding isn’t just about removing access. You also need to capture what the departing employee knows:

• Where are their files?
• What projects are in progress?
• What passwords or secrets do they manage?
• What vendor relationships do they own?
• What processes exist only in their head?

This is hard to do in the last two weeks of someone’s employment. It’s better as an ongoing practice of documentation.

The Legal Considerations

For certain departures, you might need to:

• Preserve emails and documents for potential litigation
• Restrict access during a notice period without terminating
• Monitor activity without tipping off the employee
• Work with legal counsel on appropriate steps

If there’s any dispute, grievance, or potential legal action, involve your lawyer before taking any irreversible actions.

A Template for Your Business

Here’s a simple structure:

Day Zero (Departure Date)

• Disable all authentication (AD, email, VPN, MFA)
• Collect physical devices and access
• Set email forwarding or out-of-office
• Notify manager access is removed

Day 1

• Disable all SaaS applications
• Remove from shared resources and groups
• Rotate critical shared credentials
• Verify no login attempts

Day 7

• Complete equipment inventory
• Wipe returned devices
• Archive any preserved data
• Close offboarding ticket

Day 30

• Audit for any remaining access
• Delete or archive mailbox per policy
• Update any remaining documentation

Adjust the timeline based on your business and the nature of departures.

Don’t Wait Until Someone Leaves

The best time to build your offboarding process is before you need it. Take an hour this week to:

1. Document all systems where employees have access
2. Identify who’s responsible for each system
3. Create a master checklist
4. Assign an owner for the overall process

When the next departure happens - and it will - you’ll be ready.

Every active account belonging to a former employee is a risk you don’t need to take.