When an employee leaves your company — whether they resign, are laid off, or are terminated — there is a window of vulnerability that many small businesses completely overlook. During that window, the departing employee may still have access to company email, cloud storage, customer databases, financial systems, and sensitive files.
TL;DR — Key Takeaways
- A complete security checklist for employee offboarding
- Understand why offboarding security gets neglected
- Explore the complete offboarding security checklist
Visual Overview
```mermaid
flowchart TD
    A["Employee Departure"] --> B["Revoke System Access"]
    A --> C["Collect Devices"]
    A --> D["Transfer Data Ownership"]
    A --> E["Disable Email Account"]
    B --> F["Secure Offboarding Complete"]
    C --> F
    D --> F
    E --> F
```
Studies consistently show that a significant percentage of data breaches involve current or former employees. Some are malicious — a disgruntled worker downloading customer lists before walking out the door. Many are accidental — a former employee who still has access to shared drives inadvertently exposes data months after leaving. Either way, the risk is real and the fix is straightforward: a documented offboarding security process.
This guide provides a complete checklist you can implement today, regardless of your company size or technical sophistication.
Why Offboarding Security Gets Neglected
In most small businesses, the offboarding process — if one exists — focuses on HR tasks: final paycheck, benefits termination, exit interview, and returning the office key. Security rarely gets the same attention, for a few predictable reasons.
No one owns it. HR handles the people side, IT handles the tech side, and often neither department knows the full scope of what needs to happen. In businesses without a dedicated IT person, the gap is even wider.
It feels awkward. Revoking access from someone you have worked with feels uncomfortable, especially during a friendly resignation. But comfort should not drive security decisions.
Nobody tracks all the accounts. Employees sign up for SaaS tools, cloud services, and third-party platforms throughout their tenure. Without a central inventory, it is easy to miss accounts during offboarding.
Urgency varies. When someone resigns with two weeks' notice, there is time to plan. When someone is terminated unexpectedly, every minute counts — and that is exactly when processes tend to break down.
The cost of a single data breach caused by a former employee with lingering access can dwarf the cost of implementing a proper offboarding checklist. This is not about trust — it is about process.
The Complete Offboarding Security Checklist
Use this checklist for every employee departure, regardless of the circumstances. The specifics will vary based on the employee's role and access level, but the categories apply universally.
Immediate actions (day of departure)
- Disable the primary email account. Do not delete it immediately — you may need to access emails for business continuity. Instead, disable login access, set up email forwarding to the employee's manager, and change the password.
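- Revoke single sign-on (SSO) access. If you use Google Workspace, Microsoft 365, or another identity provider, disable the account at the identity provider level. This blocks new sign-ins to every application connected through SSO; applications that keep their own local password or an already open session are not covered and need to be handled individually.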
- Change shared passwords. If the departing employee had access to any shared accounts — social media, shared email inboxes, vendor portals, or admin consoles — change those passwords immediately.
- Revoke VPN and remote access. Disable any VPN accounts, remote desktop connections, or other remote access tools the employee used.
- Collect company devices. Retrieve all company-owned laptops, phones, tablets, USB drives, and access cards. If the employee used personal devices for work, ensure company data is removed.
- Disable physical access. Deactivate key cards, change door codes, and collect physical keys. If the employee had access to a server room, supply closet, or other secure areas, make sure those access methods are revoked.
Within 24 hours
- Audit cloud application access. Review all SaaS and cloud applications the employee used: project management tools, CRM systems, accounting software, file sharing services, communication platforms, and any industry-specific applications. Disable or remove their accounts from each one.
- Review file sharing permissions. Check Google Drive, OneDrive, SharePoint, Dropbox, and any other file sharing platforms. Remove the employee's sharing permissions and transfer ownership of critical files to their manager.
- Check for data exfiltration. Review recent file download, email forwarding, and file sharing activity. Look for large downloads, forwarding rules set to personal email addresses, or unusual sharing activity in the days before departure. This is especially important for involuntary departures.
- Remove from distribution lists and groups. Remove the employee from all email distribution lists, Slack channels, Teams groups, and any other communication channels.
- Update emergency contacts and authorization lists. If the employee was an authorized contact for bank accounts, vendor relationships, insurance, or other business services, update those authorizations.
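The data exfiltration check above can be run as a repeatable review over exported audit events. The following is an added example, not part of the original checklist: the event schema, field names, thresholds, and sample events are all constructed assumptions that you would map onto your own mail and file-sharing audit exports.

```python
from collections import defaultdict
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"   # assumption: your own mail domain
LOOKBACK_DAYS = 14               # assumption: review window before departure
DOWNLOAD_LIMIT_MB = 500          # assumption: daily volume that deserves a look

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"day": "2024-05-02", "user": "dana", "type": "download", "mb": 40},
    {"day": "2024-05-27", "user": "dana", "type": "download", "mb": 380},
    {"day": "2024-05-27", "user": "dana", "type": "download", "mb": 450},
    {"day": "2024-05-28", "user": "dana", "type": "forward_rule",
     "target": "dana.personal@mail.test"},
    {"day": "2024-05-29", "user": "dana", "type": "share", "target": "peer@example.com"},
    {"day": "2024-05-29", "user": "dana", "type": "share", "target": "someone@other.test"},
    {"day": "2024-05-29", "user": "lee", "type": "download", "mb": 900},
]

def is_external(address):
    # Exact domain match only: subdomains count as external until you allow them.
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN

def review(events, user, departure):
    """Return sorted (day, kind, detail) findings for one departing user."""
    start = departure - timedelta(days=LOOKBACK_DAYS)
    daily_mb = defaultdict(int)
    findings = []
    for e in events:
        day = date.fromisoformat(e["day"])
        if e["user"] != user or not (start <= day <= departure):
            continue
        if e["type"] == "download":
            daily_mb[day] += e["mb"]          # many small downloads add up per day
        elif e["type"] in ("forward_rule", "share") and is_external(e["target"]):
            findings.append((day, e["type"], e["target"]))
    for day, mb in daily_mb.items():
        if mb > DOWNLOAD_LIMIT_MB:
            findings.append((day, "large_download", f"{mb} MB"))
    return sorted(findings)

if __name__ == "__main__":
    for day, kind, detail in review(EVENTS, "dana", date(2024, 5, 31)):
        print(day, kind, detail)
```

A finding is a prompt for a human to look at the activity, not proof of theft; tune the window and threshold to the employee's normal workload.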
Within one week
- Review third-party vendor access. If the employee had direct relationships with vendors or access to vendor portals, notify those vendors and revoke access.
- Check for API keys and service accounts. If the employee worked with any integrations, APIs, or automated services, rotate any keys or credentials they may have known.
- Update documentation. Remove the employee from organizational charts, contact directories, and any process documentation that references them as a point of contact.
- Review the employee's calendar. Check for upcoming meetings, recurring events, and commitments that need to be reassigned.
- Wipe company data from personal devices. If the employee used personal devices under a BYOD policy, ensure company data, email accounts, and applications are removed. Mobile device management (MDM) tools can do this remotely.
Special Considerations for Different Departure Types
Voluntary resignation
When someone gives notice, you typically have time to plan a smooth transition. Use this time productively: document their responsibilities, transfer knowledge, and prepare the offboarding checklist in advance. Be careful not to reduce access prematurely — the employee still needs to do their job during the notice period. But do increase monitoring of data access and downloads during this time.
Involuntary termination
When an employee is let go, the security checklist should execute simultaneously with the HR notification — or in some cases, slightly before. Coordinate with HR so that account access is disabled at the same time the termination conversation happens. For high-risk terminations (employees with admin access, access to sensitive data, or those who have expressed anger), consider having IT standing by to disable access immediately. This is not paranoia — it is prudence. For more on managing risks from current and departing employees, see our guide on insider threats.
Contractor and temporary worker departures
Contractors and temps are often given the same system access as employees but are overlooked during offboarding because they are not in the HR system. Maintain a separate list of all contractors and their access, and apply the same offboarding checklist when their engagement ends.
The Shared Account Problem
One of the biggest offboarding headaches is shared accounts. Many small businesses use shared logins for social media, online banking, vendor portals, and other services. When an employee who knew the shared password leaves, you have no choice but to change it — and then distribute the new password to everyone who still needs access.
This is a good reason to minimize shared accounts in the first place. Where possible:
- Use individual accounts with role-based access instead of shared logins
- Use a password manager that allows secure credential sharing with access that can be revoked per user
- Enable multi-factor authentication on all accounts, with MFA tied to individual devices rather than a shared phone number
- Document all shared accounts in a central, secure location so you know exactly which passwords need to change during offboarding
Building a Sustainable Offboarding Process
A checklist is only useful if it gets used consistently. Here is how to build offboarding security into your standard operating procedures.
Create a master access inventory. Maintain a list of every system, application, and account each employee has access to. Update it when new access is granted. This is your single source of truth during offboarding.
Assign a process owner. Designate one person (or role) as the owner of the offboarding security process. This person is responsible for ensuring every step is completed, whether they do it themselves or delegate to others.
Use a ticketing system or checklist tool. Turn your offboarding checklist into a template in your project management tool, IT ticketing system, or even a simple shared spreadsheet. Create a new instance for each departure and track completion of every step.
Coordinate with HR. Make sure HR notifies the offboarding process owner as soon as a departure is confirmed — ideally before the employee's last day, and immediately for involuntary terminations.
Conduct periodic access reviews. Even with a great offboarding process, gaps happen. Conduct quarterly reviews of active user accounts across all systems and compare them to your current employee roster. Disable any accounts that belong to people who are no longer with the company.
What Happens When You Skip Offboarding Security
If you need motivation to implement a proper offboarding process, consider what happens without one.
Data theft. A departing employee downloads your entire customer database, pricing sheets, or proprietary processes. They use this information at their next job or to start a competing business.
Unauthorized access. A former employee logs into your systems months later — either out of curiosity or malice — and accesses, modifies, or deletes data. You may not even notice until the damage is done.
Compliance violations. Regulators expect access controls to be managed throughout the employee lifecycle, including termination. Orphaned accounts that remain active after departure are a common audit finding.
Insurance implications. If a breach occurs through a former employee's active account, your cyber insurer may question whether you maintained adequate security controls — potentially affecting your claim.
Your Next Steps
You do not need to build a perfect process before you start. Begin with what you can do today and improve over time.
- This week: Create a master list of all systems and applications your employees access. Even a basic spreadsheet is a massive improvement over nothing.
- Next week: Adopt the offboarding checklist from this article and customize it for your business. Add any industry-specific systems or accounts that are unique to your operation.
- Within 30 days: Conduct a retroactive audit. Check for active accounts belonging to employees who have already left. Disable anything that should not still be active.
- Ongoing: Use the checklist for every departure going forward. Conduct quarterly access reviews to catch anything that slipped through the cracks.
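The quarterly access review and the retroactive audit described above both come down to comparing each system's active accounts with the current roster. This is an added example, not part of the original article: it assumes every system can export accounts as CSV with `email` and `status` columns, that contractors are kept in the same roster file, and all sample data is constructed.

```python
import csv
import io

# Constructed sample data; rename the columns to match your own exports.
ROSTER_CSV = """email,type
ana@example.com,employee
Ben@Example.com,employee
cy@partner.test,contractor
"""
EXPORTS = {
    "crm": "email,status\nana@example.com,active\nold.sales@example.com,active\n",
    "files": "email,status\nben@example.com,active\ngone@example.com,disabled\n"
             "cy@partner.test,active\nsocial@example.com,active\n",
}
# Documented shared accounts are not tied to one person, so they are reported
# separately: their passwords change at offboarding instead of being disabled.
SHARED_ACCOUNTS = {"social@example.com"}

def emails(csv_text, keep=lambda row: True):
    """Read a CSV export and return normalized addresses of the rows to keep."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["email"].strip().lower() for r in rows if keep(r)}

def access_review(roster_csv, exports, shared):
    """Per system, list active accounts that match nobody on the roster."""
    roster = emails(roster_csv)
    report = {}
    for system, text in exports.items():
        # Already disabled accounts are ignored; only live access is a finding.
        active = emails(text, lambda r: r["status"].strip().lower() == "active")
        report[system] = {
            "orphaned": sorted(active - roster - shared),
            "shared": sorted(active & shared),
        }
    return report

if __name__ == "__main__":
    for system, result in access_review(ROSTER_CSV, EXPORTS, SHARED_ACCOUNTS).items():
        print(system, result)
```

Addresses are compared case-insensitively so that `Ben@Example.com` on the roster matches `ben@example.com` in an export.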
Employee offboarding security is not about distrust — it is about discipline. Every business loses employees. The ones that handle it well are the ones that have a process and follow it every single time.