The Access That Nobody Revoked

A member of staff hands in their notice. HR sorts the paperwork. They return their laptop on the last day. Job done.

Except it is not done. Their Microsoft 365 login still works. Their VPN credentials are still active. They can still access your CRM, your shared drives, and your client database from their personal device at home. Nobody thought to check.

This is not a hypothetical scenario. It happens every week in businesses across Liverpool, the Wirral, and Cheshire. Recruitment agencies with high staff turnover are particularly exposed, but any organisation that has ever had someone leave without a proper IT offboarding process has this problem.

According to the UK Government’s Cyber Security Breaches Survey (DSIT 2025), 43% of UK businesses identified a cyber security breach or attack in the past year. Former employee accounts that nobody revoked are one of the easiest routes in. An old login becomes a backdoor. A forgotten SaaS subscription keeps billing you. Sensitive client data sits in a personal inbox that your organisation no longer controls.

Not sure if former employees still have access to your systems? Run a credential exposure check to find out which accounts are exposed, or call us on 0151 452 3060.


Why a Handshake and a Returned Laptop Are Not Enough

Digital identities are complex. Over months or years of employment, staff accumulate access to dozens of systems: email, CRM platforms, cloud storage, social media accounts, financial software, project management tools, and internal file servers. Without a structured offboarding process, something will be missed.

The real danger is what happens to those forgotten accounts afterwards. A breached personal credential might match an old work password, giving an attacker trusted access to your network. The IBM Cost of a Data Breach Report (2025) found that the average time to detect a breach is 241 days. That is eight months of an attacker sitting inside your systems before anyone notices.

For recruitment agencies handling candidate personal data under GDPR, or accountancy practices with access to client financial records, the compliance risk alone should be enough to take this seriously. An ICO investigation will not accept “we forgot to revoke their access” as a defence.


The Essential IT Offboarding Checklist

A proper offboarding process is not an HR task. It is a security measure. It needs to be fast, thorough, and consistent for every departure, whether the person resigned or was let go.

Here is the core framework:

1. Disable network access immediately

The moment someone’s departure is confirmed, revoke their primary login credentials, VPN access, and any remote desktop connections. Do not wait until their last day. If someone is being let go, this should happen before they leave the building.

2. Reset shared account passwords

This includes social media accounts, departmental email inboxes, shared folders, and any system where the departing employee knew the password. If you are still using shared passwords, this is your reminder to stop.

3. Revoke cloud and SaaS access

Remove permissions for Microsoft 365, Google Workspace, Slack, project management tools, and every other platform they had access to. If you use single sign-on (SSO), disabling the central account handles most of this in one step. If you do not, you are working through a list.

4. Reclaim and wipe all devices

Collect company laptops, phones, and tablets. Perform a secure data wipe before reissuing them. Use mobile device management (MDM) to remotely wipe any company data from personal devices enrolled in your systems.

5. Redirect and archive email

Forward the departing employee’s email to their manager or replacement for 30 to 90 days. Set an auto-reply noting their departure and providing a new contact. Then archive or delete the mailbox.

6. Transfer digital assets

Ensure critical files are not stored only on personal devices. Transfer ownership of cloud documents, project files, and any intellectual property.

7. Review access logs

Check what the employee accessed in the days before leaving. Look for bulk downloads of client data, unusual file transfers, or access to systems outside their normal role. This is not about distrust. It is about due diligence.
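One way to carry out the log review in step 7, as an added example that is not part of the original article. The CSV column names, the 14-day window, the 10x multiplier and the floor of 50 objects are assumptions, and "normal role" is approximated here by the systems the person used before the window.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample audit log: one row per user, day, system and action.
LOG_CSV = """date,user,system,action,objects
2025-02-03,j.doe,crm,download,4
2025-02-10,j.doe,crm,download,6
2025-02-17,j.doe,sharepoint,download,5
2025-02-24,j.doe,crm,download,3
2025-03-10,j.doe,crm,download,5
2025-03-11,j.doe,crm,download,480
2025-03-12,j.doe,finance,view,12
2025-03-13,j.doe,sharepoint,download,7
"""

def review_pre_departure(log_csv, user, leave_date, window_days=14, factor=10, floor=50):
    """Compare a leaver's final days against their own earlier activity."""
    window_start = leave_date - timedelta(days=window_days)
    baseline_daily, window_daily = defaultdict(int), defaultdict(int)
    baseline_systems, window_systems = set(), set()
    for row in csv.DictReader(io.StringIO(log_csv)):
        day = date.fromisoformat(row["date"])
        if row["user"] != user or day > leave_date:
            continue
        in_window = day >= window_start
        (window_systems if in_window else baseline_systems).add(row["system"])
        if row["action"] == "download":
            (window_daily if in_window else baseline_daily)[day] += int(row["objects"])
    # Typical daily download volume before the departure window.
    typical = median(baseline_daily.values()) if baseline_daily else 0
    # The floor stops a very small baseline from flagging ordinary activity.
    threshold = max(typical * factor, floor)
    bulk = sorted((d.isoformat(), n) for d, n in window_daily.items() if n > threshold)
    return {
        "baseline_median": typical,
        "bulk_download_days": bulk,
        # Systems touched only in the final window, never before it.
        "new_systems": sorted(window_systems - baseline_systems),
    }

if __name__ == "__main__":
    print(review_pre_departure(LOG_CSV, "j.doe", date(2025, 3, 14)))
```

Anything it returns is a prompt for a conversation with the line manager, not a conclusion; a handover can legitimately produce a large export.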


What a Cyber Risk Check Reveals About Your Leavers

Most businesses have never audited what happens after someone leaves. A Cyber Risk Check typically reveals active accounts for people who left months ago, shared credentials that were never changed, and SaaS subscriptions still billing for departed staff.

A Cyber Risk Check examines your network, external exposure, and credential security in one assessment. It shows you exactly where the gaps are, including the ones created by incomplete offboarding.

Even if you never work with us, start here: pick three people who left in the last 12 months and check whether their Microsoft 365, VPN, and CRM logins are still active. If any of them are, you have your answer.
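The leaver spot check described above, as an added example that is not part of the original article. It assumes you can export an HR leavers list and a per-system account list to CSV; the column names, addresses and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: HR leavers list and a combined account export.
LEAVERS_CSV = """email,leave_date
j.doe@example.co.uk,2025-03-14
a.khan@example.co.uk,2025-06-30
s.lee@example.co.uk,2024-11-01
"""
ACCOUNTS_CSV = """system,email,enabled,last_sign_in
m365,j.doe@example.co.uk,true,2025-05-02
vpn,j.doe@example.co.uk,false,2025-03-13
crm,J.Doe@example.co.uk,true,
m365,a.khan@example.co.uk,false,2025-06-30
vpn,a.khan@example.co.uk,false,2025-07-04
m365,s.lee@example.co.uk,false,2024-10-31
m365,current.staff@example.co.uk,true,2025-07-01
"""

def audit_leavers(leavers_csv, accounts_csv):
    """Flag leaver accounts that are still enabled or were used after the leave date."""
    leave_dates = {
        row["email"].strip().lower(): date.fromisoformat(row["leave_date"])
        for row in csv.DictReader(io.StringIO(leavers_csv))
    }
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].strip().lower()  # exports differ in letter case
        if email not in leave_dates:
            continue  # current staff are out of scope for this check
        left = leave_dates[email]
        enabled = acct["enabled"].strip().lower() == "true"
        last = date.fromisoformat(acct["last_sign_in"]) if acct["last_sign_in"] else None
        used_after = last is not None and last > left
        if enabled or used_after:
            findings.append({
                "email": email,
                "system": acct["system"],
                "still_enabled": enabled,
                # A disabled account can still show use after departure
                # if it was switched off late.
                "days_used_after_leaving": (last - left).days if used_after else None,
            })
    return sorted(findings, key=lambda f: (f["email"], f["system"]))

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS_CSV, ACCOUNTS_CSV):
        print(finding)
```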

Want a full picture? Book a Cyber Risk Check and we will map every gap, including the ones left by leavers. Call 0151 452 3060 or visit hiltdigital.co.uk.


The Cost of Getting It Wrong

The consequences are not theoretical. Consider what a disorganised offboarding process actually costs:

  • Data exfiltration. A departing salesperson walks away with your entire client list. A disgruntled developer deletes code repositories. These things happen, and they happen more often than businesses admit.
  • Compliance fines. Under GDPR, your organisation is responsible for controlling access to personal data. If a former employee still has access to client records, that is a data protection failure. The average cost of an impactful breach for UK businesses is now GBP 8,260 (DSIT 2025).
  • Financial leakage. Unused SaaS licences keep billing you. Microsoft 365 seats, CRM subscriptions, project management tools. Individually small, but they add up. More importantly, they signal weak governance.
  • Reputational damage. If client data is compromised through a former employee’s account, explaining that to your clients is a conversation nobody wants to have.

Build Offboarding Into Your Security Culture

Effective security does not stop at firewalls and email filtering. It extends to how people leave your organisation. Make the offboarding process clear from day one. Include it in onboarding training, so every employee understands that access is a privilege of employment, not a permanent entitlement.

Document every step. This creates an audit trail for compliance, provides evidence if issues arise, and ensures the process is repeatable as your organisation grows.

For recruitment agencies and businesses with regular staff turnover, this is not optional. It is a core part of your security posture.


What To Do Next

Treat every departure as a security event. Audit access, revoke credentials, wipe devices, and document the process. If you do not have a formal offboarding checklist, you have gaps. And those gaps are exactly what attackers look for.

Here is how we can help:

  1. Credential exposure check – Find out if former employee credentials are already exposed online. Takes minutes, and you will know exactly where you stand.
  2. Cyber Risk Check – A full assessment of your network, external exposure, and credential security. Identifies every gap, including the ones left by leavers.
  3. H-Protect Standard (from GBP 55/user/month) – Ongoing security monitoring, credential breach alerts, and endpoint protection that closes these gaps permanently.

Book your credential exposure check or call 0151 452 3060 to speak with our team. We are based in Liverpool and cover the entire North West.


FAQ

What is the single biggest offboarding mistake?

Delay. Failing to disable network and system access immediately after someone leaves creates a window where data can be stolen or accounts can be compromised. Access should be revoked on the day of departure, not the following week.

Does offboarding matter if someone leaves on good terms?

Yes. Even an amicable departure carries risk. Accounts can be hijacked by third parties, credentials can appear in data breaches, and accidental data retention on personal devices can breach GDPR. The process must apply regardless of the circumstances.

We use dozens of apps. How do we manage offboarding across all of them?

Implement single sign-on (SSO). It provides a central point where disabling one account revokes access across all connected applications. If SSO is not feasible right now, maintain a master list of every system each employee can access, and work through it systematically on departure.

What should we do first if we have never had a formal offboarding process?

Start with a credential exposure check. It will tell you if any former employee credentials are already exposed online. From there, build your checklist and apply it to every future departure. We can help you set this up. Call 0151 452 3060.