How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

AmirAmir · Cloud System Engineer
15 July 2026
5 min read
Cybersecurity
Microsoft 365
Offboarding
Data Protection
Perth Business

When someone joins your business, everyone remembers to set them up. When they leave, offboarding is often an afterthought — and that's exactly where businesses get caught out. A departed employee who still has access to email, files and cloud apps is a live security risk, whether they left on good terms or not. Add a lost laptop or a mailbox nobody thought to preserve, and a routine resignation can turn into a data breach or a lost-knowledge headache.

Here's a practical checklist for offboarding a staff member safely — protecting your data on the way out, without disrupting the rest of the team.

Why offboarding matters more than people think

The risk isn't only a disgruntled ex-employee. It's also the forgotten account: the mailbox still receiving customer enquiries, the shared login nobody rotated, the personal phone that still syncs company email months later. Attackers actively target dormant accounts precisely because no one is watching them. And under the shared-responsibility model, your data protection is your responsibility — not something Microsoft or Google does for you automatically.

Good offboarding closes every door the person had access to, and preserves anything the business needs to keep.

The offboarding checklist

Ideally this happens on the person's last day (or the moment a departure becomes involuntary), in roughly this order:

  1. Disable the account first — don't delete it. Blocking sign-in immediately cuts off access while preserving the mailbox and files. Deleting straight away can destroy data you still need.

  2. Sign the user out everywhere and reset the password. Revoke active sessions and tokens across Microsoft 365 / Google Workspace so an already-open session can't keep working. Re-registering multi-factor authentication removes their authenticator too.

  3. Convert the mailbox and keep the email flowing. Convert their mailbox to a shared mailbox (or set delegate access / forwarding) so client emails still land somewhere and nothing is missed. Set an auto-reply if appropriate.

  4. Reassign their files and data. Transfer ownership of their OneDrive, and check they weren't the sole owner of any SharePoint sites or shared documents. This is also where a proper third-party backup of Microsoft 365 earns its keep.

  5. Remove and wipe devices. Retrieve company laptops and phones. For any company or BYOD device managed in Microsoft Intune, remotely remove the company data — on a personal phone you can wipe only the work data, leaving their photos and apps untouched.

  6. Revoke third-party and app access. Don't stop at email. Xero, your CRM, the password manager, banking portals, social media, VPNs, remote-access tools, building/door access — anywhere the person had a login. Shared passwords they knew should be rotated.

  7. Reclaim the licence. Once data is safely reassigned, remove or reassign the Microsoft 365 / software licence so you're not paying for a seat nobody uses.

  8. Document it. Record what was disabled, transferred and revoked, and when. If anything ever comes into question, you have a clean trail.

The mistakes we see most often

  • Deleting the account on day one — and losing years of email or files the business needed.

  • Forgetting the "other" logins — the mailbox gets locked, but the ex-employee still has access to the CRM, a shared social account, or a VPN.

  • Not rotating shared passwords — if several people used one login, changing it is the only way to actually revoke the person who left.

  • Leaving personal devices connected — a phone that still syncs company email long after someone's gone.

  • No preservation plan — auto-deleting a mailbox that was the only record of a client relationship.

How we make offboarding safe and simple

For our managed IT clients, offboarding is a documented, repeatable process — you tell us someone's leaving, and we run the whole checklist: block access, preserve the mailbox and files, wipe devices, revoke third-party logins and reclaim the licence, with a record of exactly what was done. It's one of the quiet advantages of proactive managed security: the risky moments are handled properly every time, not left to whoever remembers.

If your business doesn't have a solid offboarding process — or you've got a departure coming up and want it done right — get in touch with the Computer Mechanics team or call (08) 9325 1196. We've been keeping Perth businesses' data secure since 1997.

Amir
Written by
Amir
Cloud System Engineer · 10+ years in IT

Amir is a Cloud System Engineer with over a decade of experience across server management, networking, cloud solutions and virtualisation. He designs and secures the Microsoft 365, Azure and network environments that Perth businesses rely on, turning complex infrastructure into scalable, efficient solutions.

Meet the IT Support Perth team →
Amir
15 July 2026
5 min read
Cybersecurity
Microsoft 365
Offboarding
Data Protection
Perth Business

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Passkeys vs Passwords: A Plain-English Guide for Perth Businesses

Passwords are behind most account breaches. Here's how passkeys work, why they're safer, and how your Perth business can start using them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Deepfake Voice Scams: The AI Fraud Threat Perth Businesses Can't Ignore

AI can now clone a voice from seconds of audio, and businesses are losing millions to fake 'CEO' calls. Here's how deepfake scams work, why Perth SMBs are targets, and the simple process that stops them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Passkeys vs Passwords: A Plain-English Guide for Perth Businesses
Cybersecurity
Passkeys

Passkeys vs Passwords: A Plain-English Guide for Perth Businesses

Passwords are behind most account breaches. Here's how passkeys work, why they're safer, and how your Perth business can start using them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read
7/13/2026