A prospect I met with recently asked me about a much-neglected area of IT management. We had already worked through the proposal, they were comfortable with what we had put together, and then they asked: can you help me understand what we need to do from a security standpoint to protect ourselves when people exit? It is a question we are prepared for, because building onboarding and offboarding documentation with our clients is part of how we work.
They run a corporate office that supports multiple locations spread across roughly 125 miles. Sixty employees, dispersed, and like most businesses their size, they had grown fast enough that the processes around people never quite kept pace with the people themselves.
Here is what I told them.
The first thing most businesses discover when they actually look is that offboarding has no formal process. Someone gives notice, a manager shakes their hand, and two weeks later their email is still active, their logins still work, and if they were the kind of person who kept client contacts in their personal phone, those contacts left the building the day they did.
An offboarding checklist that mirrors your onboarding checklist is the baseline. Whatever access you granted on day one should have a corresponding revocation on the last day. Email, cloud platforms, shared drives, billing systems, scheduling software, everything. It sounds obvious. Most businesses are not doing it, and the gap is usually not intentional. It is simply that no one ever wrote it down. A well-constructed offboarding document also gives you the standing to require company assets back before the final paycheck is cut. Equipment, access credentials, devices, anything the company owns that walked out the door with that person.
But there is a problem that sits upstream of offboarding, and it is the one worth spending more time on. The checklist only works if the access you are revoking actually belongs to the company. And in a surprising number of businesses, it does not.
If your employees are conducting business on personal email accounts and personal cell phones, you do not have an offboarding problem. You have a process problem that offboarding simply makes visible. The personal account, the personal number, the text thread that started because it was convenient and never got corrected, those are not just security risks when someone leaves. They are operational liabilities the entire time that person is employed.
I used this example in our conversation: suppose an employee uses their personal cell for client calls. They take a week off. A client reaches out. That employee now has to respond in real time, from wherever they are, because you have no ability to reroute the call. You cannot give them what a vacation is supposed to be, time completely free of work obligation, because what they are using is beyond your control. That is the everyday cost. The departure cost is worse. The phone number belongs to them, not to you, and when they walk out the door for the last time, every contact, every conversation thread, every relationship built on that number goes with them.
What looks like a convenience in practice is actually a transfer of institutional knowledge onto infrastructure the company will never control. Most businesses do not realize that until they need it back.
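As an added example (not part of this newsletter and not CMIT's own tooling), here is a small Python audit that pairs the two checks described above: it reconciles an access inventory against the HR roster and reports accounts still active past someone's last day, accounts with no roster record at all, and business accounts registered to personal domains that no offboarding checklist can revoke. The roster, inventory, domain list and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample data; names and domains are placeholders.
ROSTER = {
    "alice": {"status": "active", "last_day": None},
    "bob": {"status": "terminated", "last_day": date(2024, 3, 15)},
    "carol": {"status": "terminated", "last_day": date(2024, 5, 1)},
}
INVENTORY = [  # (person, system, account, still_active)
    ("alice", "email", "alice@example.com", True),
    ("bob", "email", "bob@example.com", True),            # never revoked
    ("bob", "billing", "bob", False),                     # revoked on last day
    ("carol", "scheduling", "carol@gmail.example", True), # personal address
    ("carol", "shared_drive", "carol@example.com", False),
    ("ghost", "shared_drive", "ghost@example.com", True), # no HR record at all
]
COMPANY_DOMAINS = {"example.com"}
AS_OF = date(2024, 6, 1)  # the day the audit is run


def personal_domain(account, company_domains=COMPANY_DOMAINS):
    """True for an email-style account on a domain the company does not control."""
    if "@" not in account:
        return False
    return account.rsplit("@", 1)[1].lower() not in company_domains


def find_offboarding_gaps(roster, inventory, today):
    """Return (person, system, account, reason) for every access the checklist missed."""
    findings = []
    for person, system, account, active in inventory:
        rec = roster.get(person)
        if rec is None:
            findings.append((person, system, account, "no roster record"))
            continue
        last_day = rec["last_day"]
        if active and rec["status"] == "terminated" and last_day and last_day < today:
            days = (today - last_day).days
            findings.append((person, system, account, f"active {days} days after last day"))
        if personal_domain(account):
            findings.append((person, system, account, "personal domain, company cannot revoke"))
    return findings


if __name__ == "__main__":
    for finding in find_offboarding_gaps(ROSTER, INVENTORY, AS_OF):
        print(" | ".join(finding))
```

Run it against a real roster export and a per-system account list and the output is the list of items your offboarding checklist either missed or never could have covered.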
The practical answer involves a few things working together. A password manager centralizes credential management so that access can be granted and revoked without depending on any individual to remember what they had. A clear policy about where business communication lives, and why, gives employees a reason to use the right tools rather than the convenient ones. And an honest look at why personal accounts became normalized in the first place usually reveals a gap in the tools the company provided, not a gap in employee judgment.
Security people talk about the insider threat as though it is always adversarial. Sometimes it is. More often, the person who left took things with them not out of malice but because those things were never formally the company’s to begin with.
That is the process failure worth fixing.
If your business has grown to the point where you are not entirely sure what access exists, who has it, or how you would remove it if you needed to, that is a conversation worth having before you need to have it urgently. I am happy to start there.
Have you ever inherited an access problem from a predecessor, or discovered accounts still active long after someone left? I am curious what that looked like from your side.
Until next time, keep IT simple.
Dave
CMIT Solutions of Wilmington (Your Technology Team)
If this issue raised questions about where your business stands, these are worth a look:
- Enterprise Data Security 101
- The Complete IT Compliance Checklist for Your Business
- eBook: The cybersecurity minimum has increased.