Here’s a scenario we see way too often. An employee leaves a business in Marion. Maybe they gave two weeks, maybe they didn’t. Either way, a month later their email still works. Their login to the CRM still works. They can still pull up the shared drive from their personal laptop.
Nobody changed the passwords. Nobody revoked their access. Nobody even checked.
This isn’t rare. It’s the norm for small businesses that treat offboarding as “collect the laptop and wish them well.” And it’s one of the biggest security holes we find when we do assessments.
Why This Is a Real Problem
It’s not always about a disgruntled ex-employee going rogue (though that happens). More often, it’s just neglect. Old accounts sitting out there with valid credentials become easy targets for hackers. A breached personal email reuses the same password as the old work account. Now an attacker has trusted access to your systems.
The Information Systems Audit and Control Association (ISACA) calls access left behind by former employees one of the most overlooked vulnerabilities in business security. And they’re right. We see it constantly.
Then there’s the money side. That Microsoft 365 license? Still billing you $12.50 a month for someone who left in October. Multiply that across a few SaaS tools and a few former employees, and you’ve got SaaS sprawl eating into your budget.
The Offboarding Checklist You Actually Need
A handshake and a returned laptop aren’t enough. Here’s what should happen every single time someone leaves:
- Disable their primary login immediately. Network, VPN, remote desktop. The moment they’re out the door.
- Reset passwords on any shared accounts. Social media, department email boxes, shared folders.
- Revoke cloud access. Microsoft 365, Google Workspace, Slack, project management tools, CRM. If you’re using single sign-on, this is easier. If not, you need a list of every platform they touched.
- Get the devices back. Laptop, phone, tablet. Wipe them before they go to the next person. If you have MDM (mobile device management), remote wipe anything that’s not returned.
- Forward their email. Route it to their manager or replacement for 30-90 days. Set an auto-reply with the new contact. Then archive or delete the mailbox.
- Transfer their files. Make sure critical documents aren’t sitting only on a personal device or in a personal cloud account.
- Check the access logs. What did they access in their last few days? Any large downloads? Any unusual activity? Better to know now than find out later.
The Stuff People Don’t Think About
A departing salesperson could walk out with your entire client list on a thumb drive. A developer could delete code repositories. Even without malicious intent, data sitting in someone’s personal email or on their home computer could put you on the wrong side of HIPAA or GDPR.
For healthcare practices in Marion, law offices in New Castle, or any business handling sensitive client data, this isn’t theoretical. One missed account could mean a compliance violation and a very expensive fine.
Build It Into the Culture
The best time to think about offboarding is during onboarding. When someone starts, document every system they get access to. Keep that list updated. When they leave, you just work down the list. No guessing. No missed accounts.
Make it a standard process that runs the same way every time, whether someone left on great terms or got walked out. Consistency is the whole point.
Turn Every Departure Into a Security Cleanup
Every time someone leaves, it’s actually an opportunity. Clean up unused accounts. Review who has access to what. Check for old shared passwords. Tighten things up.
At Hoola, we help businesses across East Central Indiana build offboarding processes that actually work. We’ll audit your current access controls, set up the checklist, and automate what we can so nothing falls through the cracks.
Call us at (765) 233-2338 and let’s make sure your former employees aren’t still walking around in your systems.
—
This Article has been Republished with Permission from The Technology Press.