Skip to content
Security, Simplified
GRC / Policy Beginner 6 min read

Secure Employee Offboarding: A Step-by-Step Guide for SMBs

When employees leave, their access must be revoked immediately. This practical offboarding guide helps you close security gaps and meet compliance requirements.

The Security Risk of Employee Departures

When an employee leaves—whether on good terms or not—their digital access remains active until you revoke it. Accounts that are no longer monitored become invisible entry points for attackers.

Former employees may retain access to:

  • Email and cloud storage containing sensitive business data
  • Customer records and financial systems
  • Shared credentials for social media, vendor portals, and internal tools
  • Physical access via key cards, alarm codes, and building keys

Even a trusted, departing employee presents risk. If their credentials are later compromised through phishing or a data breach, attackers inherit full access to your systems.

Why Delayed Access Revocation Is Costly

Leaving accounts active after departure creates multiple problems:

  • Data exfiltration: Departing employees—or anyone who gains access to their accounts—can copy sensitive data
  • Compliance violations: Privacy laws require you to control who accesses personal information. The OAIC expects organisations to revoke access when it is no longer needed
  • Audit failures: Insurers and auditors will flag active accounts for former staff as a control weakness
  • Ransomware entry: Dormant accounts are prime targets for attackers because unusual activity goes unnoticed

The ACSC Essential Eight includes restricting administrative privileges and user access as foundational controls—offboarding is where these controls are tested.

What Secure Offboarding Looks Like

A secure offboarding process ensures:

OutcomeWhat It Means
Immediate revocationAccess is disabled during or before the exit meeting
Complete coverageAll systems, tools, and physical access points are addressed
Documented processA signed checklist confirms every step was completed
Data preservationBusiness records are retained without the departing user retaining access

When done well, offboarding takes less than an hour and eliminates one of the most common sources of insider risk.

How to Offboard Employees Securely

Step 1: Disable Primary Authentication

Your identity provider is the master switch. Blocking access here immediately revokes access to email and any application connected via Single Sign-On.

Microsoft 365:

  1. Go to Admin Centre → Active Users
  2. Select the departing user
  3. Click “Block sign-in”
  4. Convert the mailbox to a Shared Mailbox to retain email history without consuming a licence

Google Workspace:

  1. Go to Admin Console → Users
  2. Select the departing user
  3. Click “Suspend User”
  4. Transfer ownership of Drive files and Calendar to a manager

Do not delete the account immediately. You may need access to emails, files, or audit logs.

Step 2: Rotate Shared Credentials

Any password that the employee knew—beyond their personal login—must be changed immediately.

Common shared credentials include:

  • Wi-Fi passwords
  • Alarm and security codes
  • Social media accounts (Twitter, LinkedIn company page)
  • Generic email accounts (info@, support@, sales@)
  • Shared vendor portal logins
  • API keys or service accounts they had access to

If you use a password manager, this process is straightforward. If you do not, this is a strong signal that you need one.

Step 3: Revoke Third-Party Application Access

Many employees use tools that are not connected to your central identity provider. These include:

  • Design tools (Canva, Figma)
  • File sharing (Dropbox, WeTransfer)
  • Project management (Trello, Asana, Monday)
  • Social media schedulers (Buffer, Hootsuite)
  • Industry-specific vendor portals

Maintain a register of third-party applications your business uses. Review and revoke access for each one during offboarding.

Step 4: Retrieve and Wipe Hardware

Collect all company-issued devices:

  • Laptops and desktops
  • Mobile phones and tablets
  • USB drives or external storage
  • Access cards, keys, and security fobs

Before reissuing hardware to another employee:

  1. Perform a factory reset or full disk wipe
  2. Remove the device from any mobile device management (MDM) system
  3. Re-enrol the device under the new user’s profile

If full disk encryption is enabled, a factory reset is sufficient to render data unrecoverable.

Step 5: Review Access Logs

After revoking access, review recent activity for signs of data exfiltration:

  • Large file downloads in the days before departure
  • Unusual email forwarding rules
  • Access from unfamiliar locations or devices
  • Bulk exports from CRM, accounting, or customer databases

This step is especially important for employees leaving under difficult circumstances.

Creating a Repeatable Offboarding Checklist

Offboarding fails when it depends on memory. Create a formal checklist that HR and IT complete together for every departure.

Your checklist should include:

  • Primary account suspended (Microsoft 365 / Google Workspace)
  • MFA tokens and trusted devices removed
  • Shared passwords rotated
  • Third-party applications reviewed and access revoked
  • Hardware retrieved and wiped
  • Access logs reviewed for anomalies
  • Physical access revoked (keys, fobs, alarm codes)
  • Signed off by IT and HR

Consider linking this checklist to your least privilege policy—if access was correctly scoped from the start, offboarding becomes simpler.

Action Item: Review your last three employee departures. Was access revoked the same day? If not, formalise an offboarding checklist and assign clear ownership between HR and IT.