Offboarding sounds administrative. Someone leaves, HR updates the record, IT switches off a few accounts, the laptop comes back, and everyone moves on. In practice, it is an easy moment for cyber risk to slip through the cracks.
A rushed departure can leave behind live accounts, stale guest access, saved passwords in browsers, active mobile sessions and shared credentials nobody rotates. None of that looks dramatic on its own. Together, it creates exactly the kind of quiet weakness attackers love.
That is why offboarding deserves more attention. It is not just an HR process. It is a security control, an operational control, and often a reputation control too.
A December 2025 public-sector audit in Western Australia made the point bluntly. It found that many weaknesses around access management, induction and offboarding were basic, inexpensive fixes that had simply not been completed, leaving systems more exposed than necessary.
This article shows how to build an offboarding process that works in the real world: a practical routine that makes sure when someone leaves, your systems, data and devices do not wander off with them.
Why offboarding fails so often
Most offboarding failures do not come from malice. They come from timing, assumptions and messy ownership.
Someone resigns on a Thursday afternoon. HR records the final day. Their manager knows which projects they touched, but not every system they used. IT hears about the departure late, so the obvious account gets disabled but the less visible ones survive. The shared mailbox keeps forwarding. The CRM account stays active. An old supplier portal still trusts their login because nobody remembered it existed.
Small businesses are especially exposed because they run lean, so a lot depends on memory and good intentions.
What good offboarding actually means
A good offboarding process answers four simple questions:
- What access did this person have?
- Which routes need to be removed, reassigned or rotated?
- What devices or local data might still be with them?
- Who confirms the work is complete?
That may sound obvious, but “disable email and collect the laptop” is only part of the job.
Real offboarding touches primary accounts, admin accounts, collaboration tools, finance systems, CRM access, file-sharing spaces, VPNs, MFA methods, browser profiles, shared passwords, API tokens and supplier portals. If you do not review them deliberately, some will stay open by accident.
Start with identity, not hardware
The returned laptop is visible, which is why people focus on it first. Identity is usually the bigger issue. Cloud sessions, saved tokens and delegated permissions can keep running quietly in the background.
Start with a live list of the person’s identities and systems: their main account, any elevated account, guest accounts, partner accounts and non-human credentials they created or managed. If you cannot produce that list quickly, that is already a warning sign.
This is also why wider endpoint discipline matters. If devices, identities and access routes are already well managed, offboarding becomes faster and far less chaotic. Our article on endpoint protection looks at that foundation: predictable devices, clean baselines and fewer surprises make every part of security easier, including exits.
The offboarding checklist that actually works
You do not need a beautiful flowchart. You need a checklist that people can use under pressure.
1. Confirm the timeline
Know the final working day, whether there is garden leave, and whether access should be reduced immediately or removed in stages. A resignation, a redundancy and a disciplinary departure may need different timing.
2. Reduce risky powers early
If the person can approve payments, export data, change contracts, alter payroll or administer systems, remove or reduce that access as soon as departure is confirmed.
3. Disable identity properly
Disable the primary account, revoke active sessions, remove MFA methods and block password resets to personal addresses or devices. If the user had privileged access, disable that separately and check older admin groups.
4. Reassign ownership before deleting anything
Mailboxes, calendars, reports, automations, shared folders and approval workflows often need a new owner before the account disappears. If you skip this, the account may be removed cleanly while the business loses continuity.
5. Recover devices and local data
Collect laptops, mobiles, tablets, chargers, security keys and removable media. Check whether local files, synced folders or browser-saved credentials remain on the device.
6. Review external and shared access
Check guest invitations, vendor portals, project spaces and client platforms. These often sit outside the main identity system, yet they can still expose files and conversations.
7. Rotate shared credentials
If the departing person knew shared passwords, recovery codes, API secrets, social logins or admin credentials, rotate them. This is not glamorous work, but it is one of the highest-value steps.
8. Record completion
Have both a manager and an IT owner sign off. Assumption is not a control.
Do not forget non-human identities
A lot of offboarding guidance still focuses on people accounts only. That is not enough anymore.
The person leaving may also have created service accounts, API keys, scripts or automation credentials that live on after their own account is disabled. Those identities do not resign, and they do not tell you they still have permissions.
OWASP’s 2025 guidance on improper offboarding for non-human identities highlights this risk clearly. Machine identities often outlive their original owner, retaining access long after human oversight has gone.
For a small business, this means checking API keys in finance tools, service accounts tied to backups, automation credentials in no-code platforms and old CRM integrations. If nobody clearly owns those identities, they are a risk by default.
HR, managers and IT need the same picture
Offboarding becomes messy when each team sees only part of it.
HR knows the employment timeline. The manager knows what work the person actually did and which suppliers or clients they dealt with. IT knows how to remove access. If those three views are not joined, gaps appear fast.
This does not require fancy software. One short coordination call and one shared checklist will often do the job. The real improvement comes from ownership.
Training helps here. Managers need to understand that offboarding is not just a polite exit process. It is one of the last chances to reduce avoidable risk. Our guide on cyber security training speaks mainly about awareness, but the same principle applies here: people make better decisions when they understand why the process matters, not just what box to tick.
Contractors, freelancers and agencies count too
Offboarding is not only about employees. External parties often end up with wide access because they need to move quickly.
Agencies may hold website admin rights, design files, ad-platform logins or analytics access. Contractors may be inside Teams, SharePoint, Git repositories or client workspaces. Freelancers may have shared password access because “it was the quickest way”.
When the engagement ends, that access should end with it. Do not rely on memory or contract dates alone. External access needs expiry dates, named owners and the same review discipline as staff access.
Why old logins are still a live risk
Recent UK reporting on SailPoint research found that more than three quarters of UK organisations fail to deactivate logins immediately when staff leave. The same coverage linked poor identity hygiene to credential-compromise incidents, showing why dormant accounts are more than housekeeping clutter.
The problem is simple: an old account can still be useful to an attacker. It may be less monitored than active accounts. It may sit outside modern MFA rules. It may belong to someone who no longer checks alerts. That makes it an attractive side door.
A sensible 30-day improvement plan
If your current offboarding process is patchy, do not try to solve everything at once.
Week 1: list the systems that matter most, starting with email, collaboration, finance, CRM, admin accounts, remote access, mobile devices and shared credentials.
Week 2: create a one-page checklist covering account disablement, session revocation, ownership reassignment, guest access review, hardware return and credential rotation.
Week 3: test it on one recent leaver or a dry run. Note what was missed.
Week 4: add manager and IT sign-off, then store completed checklists somewhere easy to retrieve.
What to measure
Good offboarding should be visible, not assumed. Track a few simple metrics: time from departure confirmation to access revocation, orphaned accounts found, completed sign-off records, shared credentials rotated and contractor accounts with expiry dates. These figures are easy to review in an operations meeting and useful in an audit.
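As an added illustration that is not part of the original article, here is a small Python audit that applies the checklist and the metrics above to an identity inventory: it flags leaver accounts still active, non-human identities orphaned by a departure (the risk described under "Do not forget non-human identities"), external access past its expiry date, and the time from departure confirmation to revocation. All names, systems and dates are constructed sample data.

```python
"""Leaver access audit: applies the offboarding checklist to an identity inventory.
Constructed example data; names, systems and dates are invented for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Identity:
    name: str                  # account, API key, service account or guest invitation
    system: str
    owner: str                 # person responsible; a human account owns itself
    human: bool                # False for service accounts, API keys, automation creds
    active: bool
    expires: Optional[date] = None     # set for contractor / guest / partner access
    revoked_on: Optional[date] = None  # when access was actually disabled, if ever

# Constructed: departure confirmation dates for one employee and one agency contractor.
LEAVERS = {"alice": date(2025, 11, 3), "dan-agency": date(2025, 10, 31)}

# Constructed inventory: the live list the article says you should be able to produce quickly.
INVENTORY = [
    Identity("alice@example.test", "M365", "alice", True, False, revoked_on=date(2025, 11, 5)),
    Identity("alice-admin", "M365 admin role", "alice", True, True),
    Identity("backup-svc", "backup server", "alice", False, True),
    Identity("finance-api-key-01", "finance tool", "alice", False, True),
    Identity("dan@agency.test (guest)", "SharePoint", "dan-agency", True, True, expires=date(2025, 9, 30)),
    Identity("bob@example.test", "M365", "bob", True, True),
]

def audit(inventory: List[Identity], leavers: Dict[str, date], today: date) -> dict:
    """Return what is still open after departures, plus time-to-revocation in days."""
    out = {"live_leaver_accounts": [], "orphaned_nonhuman": [],
           "expired_external": [], "revocation_lag_days": {}}
    for ident in inventory:
        if ident.owner in leavers:
            if ident.active:
                # Human account still live, or a machine identity whose owner has left.
                bucket = "live_leaver_accounts" if ident.human else "orphaned_nonhuman"
                out[bucket].append(ident.name)
            if ident.revoked_on:
                out["revocation_lag_days"][ident.name] = (ident.revoked_on - leavers[ident.owner]).days
        if ident.active and ident.expires and ident.expires < today:
            out["expired_external"].append(ident.name)  # guest/contractor access past its expiry
    return out

def run_sample() -> dict:
    """Audit the constructed inventory as of a fixed review date."""
    return audit(INVENTORY, LEAVERS, date(2025, 11, 10))

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The output is the kind of list a manager and an IT owner can sign off against, and the revocation lag is the first metric the article suggests tracking.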
Keep it secure without turning it hostile
Most leavers are not threats. They are simply moving on. A good offboarding process protects the business without making the exit awkward or adversarial.
That means being clear, respectful and predictable. Tell people when access changes, how personal content on company devices is handled, and what is expected around hardware return. Calm handling reduces friction.
Clumsy offboarding creates work even when no security issue appears. Mailbox confusion, lost files and broken approvals all slow the team down after the person has left.
Final thought
Offboarding is really about finishing well. Finish the identity story, finish the device story, finish the access story and finish the evidence trail. When you do that consistently, you close a surprising number of easy openings.
It is not glamorous work. It is some of the most valuable security housekeeping you can do.
If you want help tightening your leaver process, reviewing stale access and closing the gaps that tend to linger after departures, contact Mustard IT.