Security, compliance & cyber insurance
How do we securely offboard an employee when they leave?
When someone leaves, their access needs to be removed promptly and completely — email, Microsoft 365, remote access, shared apps and any saved passwords — and their company data and devices retained. Done ad-hoc, forgotten accounts become a serious security hole. We use a documented offboarding checklist (ideally automated) so nothing is missed.
Staff offboarding is one of the most commonly botched parts of small-business security. In the rush of someone leaving, accounts get forgotten — and a former employee's still-active login (or a departing one's grudge) is a genuine risk to your data.
What proper offboarding covers
- Disable the account promptly — ideally the moment access should end, especially for a difficult departure.
- Revoke every access point — Microsoft 365, email, remote access/VPN, line-of-business apps, and any shared logins or saved passwords.
- Retain the data — preserve or reassign their mailbox and files so nothing important walks out the door or is lost.
- Recover and wipe devices — collect company laptops and phones, or remotely remove company data from personal ones.
- Reset shared credentials the person knew.
Why ad-hoc offboarding is dangerous
Forgotten accounts are exactly what attackers (and disgruntled ex-staff) look for — a live login nobody's watching. It's also a common finding in an IT audit and a red flag for cyber insurers.
How we handle it
We set up a documented offboarding process — often partly automated through Intune and Microsoft 365 — so that when you tell us someone's leaving, their access is cleanly and completely removed, their data is safe, and there's a record of it. It's the flip side of the smooth onboarding we do for new starters. Call (08) 9325 1196.
Still have a question?
Talk to a Perth-based IT specialist — a free, no-obligation chat about your setup.
Related questions
- Do you run phishing simulations and security-awareness training?
- Can you help us meet our cyber-insurance requirements?
- Can you help us implement the Essential Eight?
- What happens if we suffer a ransomware attack or data breach?
- How do you protect us from invoice fraud and business email compromise (BEC)?