Security, compliance & cyber insurance

How do we securely offboard an employee when they leave?

Quick answer

When someone leaves, their access needs to be removed promptly and completely — email, Microsoft 365, remote access, shared apps and any saved passwords — and their company data and devices retained. Done ad-hoc, forgotten accounts become a serious security hole. We use a documented offboarding checklist (ideally automated) so nothing is missed.

Staff offboarding is one of the most commonly botched parts of small-business security. In the rush of someone leaving, accounts get forgotten — and a former employee's still-active login (or a departing one's grudge) is a genuine risk to your data.

What proper offboarding covers

  • Disable the account promptly — ideally the moment access should end, especially for a difficult departure.
  • Revoke every access point — Microsoft 365, email, remote access/VPN, line-of-business apps, and any shared logins or saved passwords.
  • Retain the data — preserve or reassign their mailbox and files so nothing important walks out the door or is lost.
  • Recover and wipe devices — collect company laptops and phones, or remotely remove company data from personal ones.
  • Reset shared credentials the person knew.

Why ad-hoc offboarding is dangerous

Forgotten accounts are exactly what attackers (and disgruntled ex-staff) look for — a live login nobody's watching. It's also a common finding in an IT audit and a red flag for cyber insurers.

How we handle it

We set up a documented offboarding process — often partly automated through Intune and Microsoft 365 — so that when you tell us someone's leaving, their access is cleanly and completely removed, their data is safe, and there's a record of it. It's the flip side of the smooth onboarding we do for new starters. Call (08) 9325 1196.

Still have a question?

Talk to a Perth-based IT specialist — a free, no-obligation chat about your setup.

Related questions