Could a Former Employee Still Access Your Business Today?

When someone leaves your business, there is usually a checklist.

• Return the laptop.
• Hand over projects.
• Notify payroll.
• Redirect emails.
• Say goodbye properly.

But there is one part of staff offboarding that is easy to underestimate: removing access properly.

For many businesses, offboarding is treated as an admin task. In reality, it is also a cyber security task.

Every staff member has access to business systems, files, emails, apps, passwords, cloud platforms and client information. If that access is not removed or reviewed properly when they leave, your business may be carrying more risk than you realise.

And with more businesses relying on remote work, cloud-based systems and shared online tools, the risk is increasing.

Offboarding is not just about collecting the laptop

A common mistake is thinking that offboarding is complete once the physical device is returned.

But business access does not live only on a laptop.

A staff member may have access to:

• Microsoft 365
• Google Workspace
• Shared drives
• OneDrive or SharePoint
• Email accounts
• Xero or other accounting tools
• Canva
• CRMs
• Project management tools
• Password managers
• Website logins
• Social media accounts
• Cloud software platforms
• Shared inboxes
• Client folders
• Remote access tools
• Internal systems
• Supplier portals

If your business does not have a clear process for removing or reviewing this access, old logins can be left behind.

Sometimes this happens because no one knows the account exists. Sometimes it happens because the system was set up years ago and never documented. Sometimes access is shared across a team, so no one is quite sure who has the password or who needs to be removed.

That is where the risk starts.

The problem with forgotten access

Forgotten access can create serious issues for small and medium businesses.

It does not always mean someone will do the wrong thing. In many cases, the risk is simply that the business has lost visibility and control.

If a former employee can still access your systems, files or tools, your business may be exposed to:

• Sensitive business information being viewed or downloaded
• Client information being accessed after employment ends
• Emails being forwarded, deleted or misused
• Files being changed, moved or removed
• Business accounts being used without approval
• Old user accounts becoming entry points for hackers
• Passwords remaining active long after someone leaves
• Unclear ownership of important business information

The longer access is left open, the harder it becomes to know who has access to what.

That is a problem for cyber security, privacy, compliance, staff management and general business risk.

Old user accounts can become easy entry points

Inactive user accounts are one of the risks businesses most often overlook.

A former staff member’s account might not be used anymore, but that does not mean it is harmless.

If the account is still active, uses a weak password, or does not have proper multi-factor authentication, it may become an easy target for attackers.

Hackers do not always need to break into a current staff member’s account. Sometimes, they can find a forgotten login that no one is watching.

This is especially risky when:

• The account has not been disabled
• The password has not been changed
• Multi-factor authentication is not in place
• The account has access to sensitive files or systems
• No one is monitoring sign-in activity
• The business does not have an access register
• The account is linked to shared tools or external platforms

For businesses with remote workers, cloud platforms and multiple software systems, old access can quickly become a hidden doorway into the business.

Remote work and cloud systems have increased the risk

Staff offboarding has become more complex because the way businesses work has changed.

Years ago, a staff member may have primarily worked from an office computer connected to an internal server. Today, many staff can access business information from laptops, phones, tablets and personal devices, often from anywhere.

That flexibility is useful, but it also means access is more spread out.

Your business data may now sit across:

• Cloud storage
• Email platforms
• CRMs
• Accounting systems
• Shared folders
• Collaboration tools
• Apps connected through single logins
• Personal devices used for work
• Browser-saved passwords
• Third-party subscriptions

This means offboarding needs to be more thorough.

It is not enough to remove one email account and assume everything else is covered.

Businesses need to know where staff had access, what systems they used, what information they could view, and which accounts need to be disabled, transferred or reviewed.

Role changes can create access control issues too

Staff offboarding is not only relevant when someone leaves the business.

It also matters when people change roles internally.

For example, someone may move from finance into operations, from administration into sales, or from a management role into a different part of the business.

If their access is not reviewed, they may keep permissions they no longer need.

This can lead to staff having access to:

• Financial information
• HR records
• Client data
• Management folders
• Confidential documents
• Shared inboxes
• Admin-level system settings
• Files from a previous department

Good access control is based on a simple principle:

People should only have access to the information and systems they need for their current role. If access is never reviewed, permissions can quietly build up over time. This increases the risk of mistakes, misuse, data exposure and account compromise.

The missing piece? An access register.

One of the most common reasons offboarding becomes messy is that the business does not have a clear record of who has access to what.

Without an access register, businesses often rely on memory.

That can work when the team is very small, but it becomes unreliable as the business grows, changes systems, hires new people, adds cloud tools and introduces remote work.

An access register can help keep track of:

• Which systems the business uses
• Who has access to each system
• What level of access each person has
• Whether access is individual or shared
• Who owns each platform internally
• Which systems are linked to single sign-on
• Which accounts need to be removed during offboarding
• Which permissions need to be reviewed when roles change

This does not need to be overly complicated, the goal is visibility.

If you don’t know who has access to what, it is very difficult to protect your business properly.

What good staff offboarding should include

A strong offboarding process should be clear, documented and repeatable.

It should not rely on one person remembering every system manually.

At a minimum, businesses should consider the following steps.

1. Disable the main user account

Start with the staff member’s primary business account, such as Microsoft 365 or Google Workspace.

This should usually be done promptly when someone leaves, especially if the departure is sudden or sensitive.

2. Review email access and forwarding

Check whether their mailbox needs to be converted, archived, delegated or redirected.

Also check whether any forwarding rules have been set up and whether shared inbox access needs to be removed.

3. Remove access to cloud files and shared folders

Review access to OneDrive, SharePoint, Google Drive, Dropbox or other shared storage platforms.

Make sure ownership of important files is transferred before access is removed.

4. Check business software and third-party tools

Look beyond the obvious systems.

Staff may have access to Xero, Canva, CRMs, project management tools, website platforms, social media accounts, supplier portals and industry-specific software.

These accounts need to be reviewed and removed where appropriate.

5. Reset shared passwords where needed

If the person had access to shared logins, those passwords should be changed.

Ideally, shared passwords should be reduced or managed through a secure password manager so access can be controlled properly.

6. Recover devices and check personal device access

Collect company devices, but also consider whether the staff member had work email or business apps on a personal phone, tablet or home computer.

Mobile device management and clear BYOD policies can make this easier to manage.

7. Review MFA and authentication access

Remove the person’s authentication methods and make sure they can no longer approve sign-ins or access business systems.

This is particularly important if the staff member used an authenticator app for business accounts.

8. Document the process

Record what was removed, when it was removed and who checked it.

This gives the business accountability and helps reduce mistakes.

How single sign-on can help

Single sign-on, often called SSO, can make access management much easier.

Instead of staff having separate usernames and passwords for every system, SSO allows them to use one central identity, such as their Microsoft account, to access multiple connected platforms.

This can help because when someone leaves, disabling the central account can remove access to many systems at once.

SSO can also support:

• Stronger identity management
• Easier offboarding
• Fewer passwords for staff to remember
• Better visibility over access
• More consistent multi-factor authentication
• Reduced risk of forgotten logins
• Simpler control across cloud platforms

SSO is not a complete offboarding process on its own, but it can be a powerful part of a stronger access control strategy.

Why this matters for business owners

Access control is easy to ignore until something goes wrong.

But if a former staff member retains access to client files, finance systems, shared folders, email accounts or business tools, the impact can be significant.

The business may face:

• Data exposure
• Privacy concerns
• Financial loss
• Reputational damage
• Client trust issues
• Operational disruption
• Increased cyber security risk

This is why staff offboarding should not be treated as a quick admin task, it should be part of your broader cyber security and IT risk management process.

Questions to ask your business

If you are not sure whether your offboarding process is strong enough, start with these questions:

• Do we have a documented staff offboarding checklist?
• Do we know every system our staff can access?
• Do we maintain an access register?
• Do we remove access to cloud platforms, not just email?
• Do we review access when staff change roles internally?
• Do we use multi-factor authentication across key systems?
• Do we use single sign-on where appropriate?
• Do we know which staff have access to Xero, Canva, CRMs and shared drives?
• Do we reset shared passwords when someone leaves?
• Do we have a clear process for personal devices used for work?
• Do we check that access has actually been removed?

If the answer to several of these questions is “not sure,” it may be time to review your setup.

Staff offboarding is a security process

The way people join, move through and leave your business has a direct impact on your cyber security.

Onboarding gives people access, offboarding needs to remove it properly.

When this process is loose, undocumented or inconsistent, your business may be left with old accounts, forgotten permissions and unnecessary exposure.

The good news is that these risks can often be reduced with practical steps including better documentation, access reviews, single sign-on, password management, multi-factor authentication and a clear offboarding process.

If you are unsure who still has access to your business systems, IQPC can help you review your current setup.

Book a call with IQPC to talk through your staff offboarding, access control and business IT security processes.

Or complete IQPC’s Security & Risk Assessment to get a clearer view of where your business may be exposed and what practical steps can reduce your risk.