The Cyber Security Offboarding Checklist: What to Do When Staff Leave
When employees leave, their access often stays — here's how to close the door on ex-staff and protect your business from insider risk.
When a staff member walks out the door for the last time, most small business owners are focused on the handover — making sure work gets passed on and clients don't fall through the cracks. What often doesn't get the same attention is the security side: revoking access to every system that person could still reach from anywhere in the world.
Ex-employee access is one of the most common and most preventable causes of data breaches. It doesn't require malicious intent — a former employee might log into a shared Google Drive out of habit, or an old account might be compromised by a third party because nobody thought to close it. Either way, your business is exposed.
Why Offboarding Is a Security Gap Most Businesses Ignore
Small businesses often don't have formal HR processes, and offboarding tends to be informal. There's rarely a checklist. Access gets revoked when someone remembers to do it — which might be weeks later, if at all.
The problem is that modern businesses use a lot of software. Each app an employee could access is a potential entry point if their credentials remain active. And unlike a physical key, a login credential can be used from anywhere, at any time, without anyone noticing until damage is done.
What Access Needs to Be Revoked
Start by thinking through every tool your business uses and whether the departing employee had access. Common areas include:
- Email and calendars — Microsoft 365, Google Workspace, or any hosted email account
- Cloud storage — OneDrive, SharePoint, Google Drive, Dropbox
- Accounting software — Xero, MYOB, QuickBooks, or similar
- Communication tools — Slack, Microsoft Teams, WhatsApp groups
- CRM and sales tools — HubSpot, Salesforce, or industry-specific platforms
- Payroll and HR systems — Employment Hero, Deputy, or similar
- Website and social media — WordPress logins, Facebook Business Manager, Instagram
- Shared Wi-Fi passwords — if they worked on-site, change the Wi-Fi password
- Physical access — keys, key cards, alarm codes, and combinations
- Shared passwords — any credentials stored in a shared spreadsheet or password manager
How to Do It Systematically
The best approach is to maintain a simple access inventory — a list of every system in your business and who has access to it. This doesn't need to be complex: a shared spreadsheet with columns for the system name, the employee's role, and their account details is enough. When someone joins, update the list. When someone leaves, work through it.
Your offboarding checklist should include:
- Disable or suspend the employee's primary account (email/Microsoft 365 or Google Workspace — this often controls access to other apps via single sign-on)
- Revoke access to each SaaS application individually
- Remove from shared drives, folders, and project spaces
- Change any shared passwords the employee knew
- Revoke physical access (keys, codes)
- Forward or archive the employee's email if needed for business continuity
- Transfer ownership of any files, accounts, or projects they managed
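As an added illustration (not part of the original article), here is a small Python script that turns the access inventory spreadsheet described above into an ordered offboarding checklist: it suspends the primary single-sign-on account first, flags systems where the leaver is the sole holder so ownership is transferred before the account is reset, rotates shared secrets and lists who needs the new value, and produces the dated record of what was revoked. The inventory rows, names and column layout are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample inventory (not real data): one row per account; holders are
# separated by ';', type is personal|shared, sso is yes for the primary identity.
INVENTORY_CSV = """system,account,holders,type,sso
Google Workspace,alice@example.com,alice,personal,yes
Google Workspace,bob@example.com,bob,personal,yes
Xero,alice@example.com,alice,personal,no
Slack,alice,alice,personal,no
Slack,bob,bob,personal,no
Facebook Business Manager,marketing@example.com,alice;bob,shared,no
Office Wi-Fi,office-wifi,alice;bob;carol,shared,no
Instagram,shop_account,alice,shared,no
"""

def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def holders_of(row):
    return {h.strip() for h in row["holders"].split(";") if h.strip()}

def build_checklist(rows, leaver):
    """Turn the inventory into an ordered action list for one departing person."""
    actions = []
    for r in rows:
        if leaver not in holders_of(r):
            continue
        # Everyone who can still reach this system once the leaver is gone.
        remaining = {h for x in rows if x["system"] == r["system"] for h in holders_of(x)} - {leaver}
        if r["sso"].strip().lower() == "yes":
            prio, step, note = 0, "SUSPEND", "primary account first: this also cuts SSO-linked apps"
        elif not remaining:
            prio, step, note = 1, "TRANSFER", "sole holder on this system: assign a new owner, then reset"
        elif r["type"].strip().lower() == "shared":
            prio, step, note = 2, "ROTATE", "shared secret: change it and hand it to " + ", ".join(sorted(remaining))
        else:
            prio, step, note = 3, "REVOKE", "personal account: disable it and remove from shares and groups"
        actions.append((prio, r["system"], step, r["account"], note))
    actions.sort()
    return [{"step": s, "system": sy, "account": a, "note": n} for _, sy, s, a, n in actions]

def record_completion(actions, done_by, when=None):
    """The 'who revoked what, and when' record the article says to keep."""
    stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return [f"{stamp} {done_by}: {a['step']} {a['system']} ({a['account']})" for a in actions]
```

Run `build_checklist(load_inventory(INVENTORY_CSV), "alice")` to see the ordered list; the same inventory answers the FAQ's sole-holder problem, because any system with an empty "remaining" set is exactly where the business has no access of its own.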
Do It on the Last Day — Not Later
Timing matters. Revoking access on the last day of employment is the right approach in the vast majority of cases. For most departures — even amicable ones — this is simply good hygiene. Access that isn't needed shouldn't exist.
If the departure is sudden, contested, or adversarial, act faster. Suspend the primary account immediately, even if you haven't worked through the full list yet. A suspended account buys you time to complete the process without leaving the door open.
When the Departure Is Difficult
If you're dealing with a resignation under difficult circumstances — a dispute, a termination, or a staff member who's left unhappy — treat it as higher risk. This doesn't mean assuming the worst of every employee, but it does mean acting with urgency.
In these situations: suspend access before or at the moment of the departure conversation, ensure someone else can cover their responsibilities immediately, and keep a record of what was revoked and when. If anything unusual happens with your systems in the weeks following, you'll want that documentation.
Transferring Data and Knowledge Safely
Offboarding isn't just about cutting access — it's also about making sure the business retains what it needs. Before someone leaves, make sure:
- Files stored locally on their work device are copied to a shared location
- Client contacts and notes are transferred or remain accessible in your CRM
- Any accounts where they're the primary contact are updated
- Passwords they held individually are captured and stored in your business password manager
Keeping a record of the offboarding process — who did what, and when — also protects your business if there's any dispute later about data access or misuse.
Offboarding might feel like an HR task, but the security implications are real. A five-minute checklist run on an employee's last day can prevent a breach that takes weeks to untangle.
Frequently asked questions
How quickly should I revoke a staff member's access when they leave?
Ideally, access should be revoked on the last day of employment — or immediately in the case of sudden or adversarial departures. Every day that passes after someone leaves is another day they could access your systems, even unintentionally. If you're not sure where to start, suspend the account first and work through the full revocation list in the days that follow. Don't let it sit for weeks while you get around to it.
What systems do I need to remove access from when an employee leaves?
You need to cover every system the employee had access to — and that list is usually longer than people expect. At minimum: email and Microsoft 365 or Google Workspace accounts, cloud storage like OneDrive or Dropbox, accounting software like Xero or MYOB, communication tools like Slack or Teams, any industry-specific software, your Wi-Fi password if they had it, and any shared passwords stored in a password manager. Physical access like key cards, keys, and alarm codes should also be revoked.
What if a departing employee refuses to hand over passwords?
If a departing employee is uncooperative, your priority is control — not cooperation. Reset passwords on accounts you own (email, SaaS tools, shared accounts) without their input. For systems where they're the sole account holder, use admin-level access to reset credentials or contact the vendor directly. Going forward, avoid letting any individual be the sole holder of critical account credentials — shared accounts should use a password manager so the business always has access.