Most companies have a hiring process. Very few have an equally rigorous departure process. The result: when employees leave, their credentials often don't. That unmonitored access — sitting open on email, VPN, cloud storage, and line-of-business applications — is one of the most underestimated security risks in any organization.
Consider the numbers for a 150-employee company with 15% annual turnover: roughly 22 employees will leave in any given year. If even a quarter of them depart with some form of active credentials — which industry data suggests is conservative — you have more than five unmonitored access points accumulating every year. Each one is a potential breach vector, compliance violation, and audit finding waiting to happen.
The problem isn't usually negligence. It's that offboarding is treated as an HR process when it's actually an IT security process. HR closes the personnel file. Payroll stops the direct deposit. But without a structured IT offboarding workflow, the digital footprint of that employee remains fully intact and largely unmonitored.
What Gets Left Behind
When an employee departs without a comprehensive IT offboarding, the access they accumulated over their tenure stays active across multiple systems. The scope is usually larger than leadership expects:
Corporate email & calendar
Often still accessible via mobile devices or webmail. A former employee with active email can receive sensitive communications, reset passwords for other systems, or maintain customer contact outside your awareness.
Cloud storage & file sharing
Google Drive, OneDrive, Dropbox, SharePoint — any shared file environment the employee accessed. Files they created or were shared with may still be accessible, and data can be exfiltrated without triggering obvious alerts.
VPN & remote access
An active VPN credential can provide access to your entire internal network from anywhere in the world. This is the highest-risk category — particularly for employees who had broad internal access.
CRM & customer data
Sales staff and account managers often have access to client contact data, deal history, and account information. This is both a data security issue and a competitive intelligence risk.
Finance & accounting systems
Access to QuickBooks, NetSuite, billing systems, or bank portals is particularly sensitive. Former employees with financial system access represent both fraud risk and regulatory exposure.
Shared & service accounts
The most frequently overlooked gap. Passwords the employee knew for shared accounts or service credentials remain valid after their departure unless specifically rotated.
The Compliance Dimension
For organizations operating under HIPAA, SOX, PCI-DSS, or similar frameworks, inadequate offboarding procedures aren't just a security risk — they're a compliance failure.
HIPAA requires that access to protected health information be revoked immediately upon termination. SOX requires documented evidence that privileged access controls are maintained. PCI-DSS requires immediate revocation of access for anyone with access to cardholder data. An audit that uncovers orphaned credentials from departed employees can result in findings that are expensive to remediate and damaging to regulatory relationships.
Most organizations discover their offboarding gaps during an audit or, worse, during a security incident investigation. A former employee who still had VPN access months after their departure is a difficult thing to explain to a regulator — or a client.
The Right Offboarding Timeline
Effective IT offboarding follows a structured timeline that begins before the employee's last day and extends into the weeks following departure.
| Timeframe | Action | Why It Matters |
|---|---|---|
| Day of departure | Revoke VPN, email, CRM, financial system access | Highest-risk systems require immediate action |
| Same day | Disable Azure AD / Google Workspace account | SSO disablement cascades to connected apps |
| Within 24 hours | Transfer ownership of files, emails, and calendars | Prevents data loss and maintains business continuity |
| Within 48 hours | Rotate all shared credentials the employee knew | Shared passwords don't expire when accounts do |
| Within one week | Reclaim device, audit all service accounts | Ensures no access paths were missed |
| Ongoing | Quarterly access reviews across all systems | Catches orphaned accounts from imperfect offboardings |
Why Quarterly Access Reviews Are Non-Negotiable
Even with a perfect offboarding process, access creep happens. Employees change roles and accumulate permissions from previous positions. Contractors and vendors receive temporary access that never gets revoked. System integrations create service accounts that outlive the projects they were built for.
Quarterly access reviews — a structured audit of all active accounts across your key systems — are the control that catches what offboarding misses. The goal is to confirm that every person with access still works at the company, still needs the access they have, and still has the right level of access for their current role.
For most organizations with 20–200 employees, a quarterly access review takes a few hours and can be structured as a simple spreadsheet process or handled automatically through an identity management platform. The cost of not doing it is substantially higher than the cost of running it.
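The three checks a quarterly review makes, plus the shared-credential rotation check from the timeline, can be run over exported account lists. The sketch below is an added example, not a Renacy tool; the CSV column names, the role-to-entitlement policy and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; every name and value below is illustrative.
HR_ROSTER = """email,status,role,departed
ana@example.com,active,sales,
bo@example.com,departed,finance,2025-01-10
cy@example.com,active,engineering,
"""
ACCOUNTS = """system,account,owner_email,entitlement,known_by,last_rotated
vpn,ana,ana@example.com,vpn-user,,
vpn,bo,bo@example.com,vpn-user,,
crm,cy,cy@example.com,crm-user,,
crm,temp-vendor,vendor@example.net,crm-user,,
accounting,ap-shared,,,bo@example.com;ana@example.com,2024-11-02
backup,svc-backup,,,ana@example.com,2025-02-01
"""
# Assumed policy: entitlements each role is expected to hold.
ROLE_ENTITLEMENTS = {
    "sales": {"vpn-user", "crm-user"},
    "finance": {"vpn-user", "accounting-user"},
    "engineering": {"vpn-user", "repo-user"},
}

def review(roster_csv=HR_ROSTER, accounts_csv=ACCOUNTS):
    """Return (account, finding, detail) tuples for accounts needing action."""
    staff = {r["email"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for a in csv.DictReader(io.StringIO(accounts_csv)):
        label = f'{a["system"]}/{a["account"]}'
        if a["known_by"]:
            # Shared/service credential: stale if a knower left after the last rotation.
            stale = [e for e in a["known_by"].split(";")
                     if e in staff and staff[e]["departed"] > a["last_rotated"]]
            if stale:
                findings.append((label, "ROTATE", "known by departed: " + ", ".join(stale)))
            continue
        owner = staff.get(a["owner_email"])
        if owner is None:
            findings.append((label, "ORPHANED", "owner not in HR roster"))
        elif owner["status"] != "active":
            findings.append((label, "DEPARTED", f'owner left {owner["departed"]}'))
        elif a["entitlement"] not in ROLE_ENTITLEMENTS.get(owner["role"], set()):
            findings.append((label, "ROLE_MISMATCH", f'{a["entitlement"]} not expected for {owner["role"]}'))
    return findings

if __name__ == "__main__":
    for row in review():
        print(*row, sep="  |  ")
```

On the sample data this flags the departed employee's VPN account, a CRM entitlement left over from a previous role, a vendor account with no roster entry, and a shared accounting password last rotated before someone who knew it left.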
Building an Offboarding Process That Actually Works
Effective IT offboarding requires three things: a documented checklist, clear ownership between HR and IT, and a system for tracking completion. Without all three, steps get skipped — especially during chaotic departures like involuntary terminations or sudden resignations.
The checklist should be system-specific, not generic. Instead of "revoke access," it should list every system the departing employee had access to and require a confirmed completion for each one. This creates an audit trail and ensures that one system doesn't get overlooked because whoever was handling the offboarding assumed someone else had covered it.
Planned departures give you time to prepare. Involuntary terminations — whether layoffs or performance-related exits — often happen quickly and under stress. These departures carry the highest risk of both malicious insider action and oversight. Your offboarding process needs to work fast under pressure, which means it needs to be practiced and documented before it's needed.
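A system-specific checklist with per-item confirmation and the deadlines from the timeline table can be tracked in a few functions. This is an added example, not code from the original page; the action labels, system names, the `it-admin` identity and the sample departure are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta

# Deadlines from the timeline table above, in hours after departure.
# None means "by the end of the departure day". Action names are assumed labels.
DEADLINE_HOURS = {"revoke": None, "disable_sso": None, "transfer": 24,
                  "rotate_shared": 48, "reclaim_audit": 168}

def due(departure, action):
    hours = DEADLINE_HOURS[action]
    if hours is None:
        return datetime.combine(departure.date(), time.max)
    return departure + timedelta(hours=hours)

def build_checklist(departure, systems):
    """One item per (action, system), so no system hides behind a generic 'revoke access'."""
    return [{"action": a, "system": s, "due": due(departure, a),
             "done_by": None, "done_at": None}
            for a, names in systems.items() for s in names]

def confirm(checklist, action, system, who, when):
    """Record who completed an item and when; this is the audit trail."""
    for item in checklist:
        if (item["action"], item["system"]) == (action, system):
            item["done_by"], item["done_at"] = who, when
            return
    raise KeyError(f"{action}/{system} is not on the checklist")

def status(checklist, now):
    """Classify every item as done, done-late, pending or OVERDUE as of `now`."""
    out = {}
    for i in checklist:
        if i["done_at"] is not None:
            state = "done" if i["done_at"] <= i["due"] else "done-late"
        else:
            state = "OVERDUE" if now > i["due"] else "pending"
        out[f'{i["action"]}/{i["system"]}'] = state
    return out

def demo():
    # Constructed departure at 17:00, checked 30 hours later.
    left = datetime(2025, 3, 3, 17, 0)
    items = build_checklist(left, {"revoke": ["vpn", "email", "crm"],
                                   "disable_sso": ["google-workspace"],
                                   "rotate_shared": ["ap-shared"]})
    confirm(items, "revoke", "vpn", "it-admin", left + timedelta(minutes=30))
    confirm(items, "revoke", "email", "it-admin", left + timedelta(hours=17))
    return status(items, left + timedelta(hours=30))
```

In the sample run, the CRM revocation and SSO disablement show as overdue because nobody confirmed them, which is the "assumed someone else had covered it" failure the checklist is meant to expose.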
Renacy is a managed IT support provider serving businesses across New York, New Jersey, Pennsylvania, Connecticut, Massachusetts, Maryland, and Washington DC. Our team specializes in proactive device monitoring, helpdesk support, cloud backup & disaster recovery, and network infrastructure management.