When an employee leaves your organization, what happens to their technology access? If the honest answer is “it depends on who remembers to do what,” you’re not alone. Most small businesses handle offboarding the same way: someone eventually gets around to disabling the email, maybe a manager remembers to collect the laptop, and the rest gets sorted out over the next few weeks. Or months. Or never.
We see the consequences of this all the time. As Managed IT Services Providers in Toronto and Durham Region, one of the first things we do with a new client is audit their user accounts. Almost without exception, we find active accounts for people who left the company months ago, software licenses still billing for staff who are long gone, and access permissions that were never revoked. These aren’t edge cases. They’re the norm for businesses without a structured offboarding process.
The good news is that fixing this doesn’t require a massive project. It requires a documented process, clear ownership, and an IT partner who handles it consistently every time someone leaves. Here’s what you need to know.
Why Offboarding Gets Overlooked
It’s worth acknowledging why this problem is so common, because it’s not a lack of caring. It’s a lack of structure.
When a new employee joins, there’s natural energy and urgency around getting them set up. They’re sitting at a desk. They need to work. Everyone feels the pressure to get them productive. But when someone leaves, the urgency runs in the opposite direction. The person is gone, the immediate disruption is over, and everyone moves on to more visible priorities. The dormant account sitting in your Microsoft 365 tenant doesn’t send anyone a reminder that it’s still active and still billing.
There’s also the coordination problem. HR knows the person is leaving, but does IT? Does the manager know which third-party platforms the employee had access to? Who’s responsible for recovering the laptop, and who handles the shared drives? In businesses without a defined process, the answer to all of these questions is “whoever thinks of it first,” which often means nobody.
The Money You’re Losing Right Now
Let’s start with the most concrete cost, because this is the one that surprises people. Every user account in your systems comes with licensing costs: Microsoft 365, CRM platforms, project management tools, industry-specific software. When an employee leaves and those accounts stay active, you’re paying for subscriptions nobody is using.
During a Deep Discovery engagement with a new client, we found they were spending over $7,200 annually on software licenses for former employees. That’s not unusual. For a business with 20 to 40 staff and normal turnover, orphaned licenses can easily add up to thousands of dollars per year. It’s money that could be reallocated to tools your current team actually needs.
Beyond licensing, there are mobile device plans that keep billing, cloud storage costs for data that should have been archived or transferred, and administrative overhead from managing accounts that shouldn’t exist. None of these costs are dramatic enough to trigger an alarm on their own, which is exactly why they accumulate unnoticed.
The Security Risks That Follow Former Employees Out the Door
The financial waste is frustrating, but the security implications are where things get serious. According to the 2024 Insider Threat Report from Cybersecurity Insiders, 83% of organizations reported at least one insider-related security incident in the previous year (Cybersecurity Insiders, 2024). And a significant share of those incidents weren’t malicious at all. They were the result of negligence, accidents, and access that should have been revoked but wasn’t.
When we talk to business owners about this, we break the risk into two categories: what departing employees might do, and what attackers can do with their abandoned accounts.
Why Employees Take Data When They Leave
Most people who take company data when they leave aren’t doing it with bad intentions. The most common scenario is simple: they have company files on a personal device or in a personal email, and they don’t think to delete them. This is especially common in businesses that allow remote work or personal device use without proper endpoint management controls.
The second common scenario is a misunderstanding about ownership. If someone created a document, built a spreadsheet, or developed a process, they may genuinely believe it belongs to them. The lines between professional and personal work product can blur, particularly with remote arrangements. This is why clear language in employment agreements matters. If you’re not sure yours covers data ownership adequately, consult with your legal counsel.
The third scenario is the one everyone worries about: an employee who is terminated or passed over and acts out of frustration. They email files to a personal account, copy data to a USB drive, or download client lists before their last day. It happens. Internal data security threats are real, and employee transitions are the period when they’re most likely to surface.
What Happens to Dormant Accounts
Even when a departing employee does nothing wrong, their abandoned account creates an open door. A dormant account is one nobody is monitoring. If an attacker compromises those credentials through a phishing attack, credential stuffing, or a data breach on another platform where the employee reused the same password, nobody notices. There’s no legitimate user checking for unusual activity. Password reset notifications go to an unmonitored inbox. Security alerts get dismissed as noise.
This is how dormant accounts become persistent backdoors into your systems. Every active account that doesn’t belong to a current employee is an unnecessary entry point that makes your environment harder to secure. Your managed cybersecurity services should include thorough offboarding for every exit, as well as regular screening for dormant accounts.
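One way to screen for the accounts described above is to cross-check a directory export against the HR roster. This is an added example, not the author's tooling; the CSV column names, the sample rows, and the 90-day dormancy threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: a directory export and an HR roster (not from the page).
ACCOUNTS_CSV = """upn,enabled,last_sign_in,licenses
alice@example.com,true,2025-05-28,M365-BP
bob@example.com,true,2024-11-02,M365-BP;CRM
carol@example.com,false,2024-09-12,M365-BP
dave@example.com,true,2025-01-10,M365-BP
scanner@example.com,true,,
"""
ROSTER_CSV = """upn,status,last_day
alice@example.com,active,
bob@example.com,departed,2024-10-31
carol@example.com,departed,2024-09-13
dave@example.com,active,
"""

def audit_accounts(accounts_csv, roster_csv, today, stale_days=90):
    """Return (upn, finding) pairs for accounts that need offboarding follow-up."""
    roster = {r["upn"].lower(): r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        upn = acct["upn"].lower()
        enabled = acct["enabled"].strip().lower() == "true"
        licensed = bool(acct["licenses"].strip())
        last = date.fromisoformat(acct["last_sign_in"]) if acct["last_sign_in"] else None
        person = roster.get(upn)
        if person is None:
            # No HR record: shared mailbox, service account, or a missed departure.
            findings.append((upn, "no HR record: assign an owner or disable"))
            continue
        if person["status"] == "departed":
            left = date.fromisoformat(person["last_day"])
            if enabled:
                findings.append((upn, "departed but still enabled"))
            if last and last > left:
                findings.append((upn, "sign-in after last day: investigate"))
            if licensed:
                findings.append((upn, "departed but still licensed"))
        elif enabled and (last is None or (today - last).days > stale_days):
            findings.append((upn, "active employee, dormant account"))
    return findings

if __name__ == "__main__":
    for upn, finding in audit_accounts(ACCOUNTS_CSV, ROSTER_CSV, date(2025, 6, 1)):
        print(f"{upn}: {finding}")
```

A sign-in dated after the recorded last day is the finding to escalate first, since it means the account was used when no legitimate user should have had it.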
What a Proper IT Offboarding Process Actually Covers
An effective secure employee offboarding process isn’t complicated, but it does need to be documented, role-specific, and consistently followed. Here’s what it should include.
Immediate Access Revocation
The first priority is disabling access to critical systems: email, cloud storage, financial platforms, CRM, and any tools containing sensitive data. For an accounting employee, that means financial systems and banking access get disabled immediately. For a marketing employee, it means email, marketing platforms, and social media admin permissions. Every role has different critical access points, which is why your offboarding checklist needs to be customized by role.
This is where having an IT provider who already knows your environment makes a real difference. Our in-house team maintains documentation of every client’s systems, user permissions, and access points. When someone leaves, we’re not starting from scratch figuring out what they had access to. We already know.
Device Recovery and Data Handling
Company laptops, phones, and external drives need to be returned, inspected, and securely wiped before reassignment. Any business data on personal devices needs to be addressed, either through a remote wipe (if your security policies and device management allow it) or through a documented agreement with the departing employee.
Equally important is making sure business data stored in the departing employee’s workspace gets transferred to the right people. Documents in personal OneDrive folders, email correspondence with clients, project files, and institutional knowledge all need to land somewhere accessible to the team that’s taking over.
License Recovery and Cost Cleanup
Once access is revoked and data is transferred, the next step is recovering and reallocating licenses. This means removing the user from paid subscriptions, reassigning licenses to new or existing employees who need them, and cancelling any services that are no longer required. This is the step that directly saves you money, and it’s the step that gets skipped most often when there’s no formal process.
Documentation and Audit Trail
Every offboarding action should be documented: what was disabled, when, and by whom. This creates an audit trail that matters for compliance requirements, insurance claims, and any future investigation into whether access was properly terminated. Without this documentation, you can’t prove your offboarding was complete, and that gap can create real problems during security audits or vendor assessments.
High-Risk Departures Need a Different Playbook
Not every departure follows a two-week notice timeline. Involuntary terminations, departures involving employees with access to highly sensitive data, or situations where there are concerns about the employee’s intentions all require an accelerated process.
For these situations, the best approach is advance communication with your IT team. When you know a termination is coming, loop in IT confidentially before the conversation happens. This allows access revocation to be coordinated with the termination meeting itself, so critical systems are locked down at the same time the employee is notified. Waiting even a few hours can create a window of risk.
If you work with an IT provider, make sure you have an established protocol for this. At TUCU, we coordinate directly with our clients’ HR contacts so that high-risk offboarding is handled securely and discreetly, with critical access terminated at the moment it needs to be.
Building the Foundation Before Someone Leaves
The best offboarding processes don’t start on someone’s last day. They’re built on security infrastructure that’s already in place.
Role-based access control (RBAC) is the foundation. This means every employee has access only to the systems and data they need for their specific role, nothing more. When someone operates under least-privilege access from day one, offboarding is simpler because there’s less to revoke and less risk of data exposure during the transition.
Identity management and conditional access policies add another layer by ensuring that even valid credentials can’t be used from untrusted devices or locations. If a former employee’s password is compromised after they leave, conditional access can block the login attempt before it reaches your systems.
Proactive monitoring tools give you visibility into unusual behavior, like large file downloads or unexpected access patterns, that might indicate someone is preparing to take data before they leave. These tools work best when they’ve been in place well before the departure, establishing a baseline of normal activity that makes anomalies easier to spot.
Clear employment agreements that address data ownership, confidentiality obligations, and what happens to company data on personal devices round out the picture. Reinforce these during exit interviews, along with any non-disclosure agreements that remain in effect after departure.
Getting Started
If your business doesn’t have a documented offboarding process today, start with the basics: identify every system your employees access, assign clear ownership for the offboarding process (typically IT in coordination with HR), and create a role-based checklist that covers access revocation, device recovery, license cleanup, and documentation.
For most growing businesses, working with an experienced IT partner makes this significantly easier. At TUCU, we build customized onboarding and offboarding procedures for every client as part of our managed IT services. Our in-house team already knows your systems, your people, and your security requirements, so when someone leaves, the process is handled completely and consistently every time.
Want to talk about how this would work for your business? Schedule a conversation with our team.


