
Employee Offboarding Security: The Access That Stays Behind

Jannis Herbst·4 April 2026·8 min read

Most businesses do the obvious things when an employee leaves. They collect the laptop. They cancel the keycard. They hold the farewell party.

What they miss are the 31 other accounts that employee quietly created over their time with the business: their Canva login, the AWS account they set up for a side project, the CRM integration they connected with their personal Gmail, the shared social media password that nobody else knows.

When that employee walks out the door, those accounts stay open. And that is when your real offboarding risk begins.


Why This Problem Has Gotten Much Worse

A few years ago, offboarding meant disabling one or two accounts. Today, the average employee across a business of any size has created roughly 31 separate work-related accounts during their tenure. Many of these are "shadow IT" accounts, apps they signed up for outside of IT's visibility, using their work email address or via "Sign in with Google."

When you disable their Microsoft 365 or Google Workspace account at the identity provider, new sign-ins stop, but most of those shadow accounts keep working. The SaaS tool that accepted "Sign in with Google" issued its own session the last time the employee logged in, and that session, along with any password, API key or personal access token the tool let them create, lives on the vendor's side and is not touched by anything you do in your admin console. Even a tool that does re-check with your identity provider will honour access tokens it already holds until they expire, which for Entra ID is by default between one and one and a half hours.

For a 20-person Australian business, this is not a theoretical risk. It is the most common access-control gap we see in security assessments, and it is almost never noticed until something goes wrong.


The Real Shape of the Risk

It is tempting to frame offboarding risk as a disgruntled employee actively stealing data. That does happen, but it is not the most common scenario. The more frequent risks are:

Accidental data retention. A former employee still has access to a shared Google Drive folder and opens it from habit six months later. Under the Australian Privacy Act (Australian Privacy Principle 11), you must take reasonable steps to protect personal information from unauthorised access, which in practice means only the people who need it can reach it. That accidental access can constitute a privacy breach.

Abandoned accounts as attack vectors. An account that nobody is monitoring is a perfect entry point for an attacker. Attackers specifically look for orphaned accounts because the login generates no alert and nobody is left to notice it. A former employee's dormant CRM account, with a password that turns up in a credential leak, gives an attacker direct access to your client database.

Ghost subscriptions. Every SaaS seat that was not properly offboarded is a subscription you are still paying for. Across a business of 30 people with typical SaaS sprawl, this regularly adds up to thousands of dollars per year.

Operational disruption. When a departing employee was the sole owner of a domain registration, a social media account, or an AWS root account, and nobody transferred ownership, you can lose access to your own infrastructure.


The Three-Phase Offboarding Process

A proper IT offboarding process is not a single task. It has three distinct phases, each with a different urgency.

Phase 1: Day of Departure (Within Two Hours)

These steps must happen the moment the employee's final working hour ends, or immediately upon termination. Delay creates immediate exposure.

Disable the primary identity first. Whether you use Microsoft Entra ID (Azure AD), Google Workspace, or Okta, block sign-in at the identity provider level rather than deleting the account: deletion throws away the mailbox, files and audit history you will need in the next phase. If you have single sign-on, this step blocks access to everything connected to SSO in one action; remove any admin roles the person held at the same time. Do not stop here, because SSO does not cover everything.

Force sign-out of all active sessions. In Microsoft 365, this is "Revoke sessions" on the user's page in the Entra admin center (or "Sign out of all sessions" in the Microsoft 365 admin center). In Google Workspace, it is "Sign out of all sessions" from the user admin panel. This invalidates the refresh tokens and sign-in cookies on every device the employee was logged in on, including a personal phone or home laptop. Access tokens that were already issued keep working until they expire (roughly an hour by default in Entra, shorter for apps that support continuous access evaluation), which is why this step goes together with disabling the account, not instead of it.

Revoke VPN and remote desktop access. If you use a separate VPN (Cisco, Fortinet, or similar), revoke credentials there immediately. This is often handled separately from the identity provider and is frequently missed.

Reset all shared account passwords. Social media accounts, shared departmental inboxes, Wi-Fi pre-shared keys, and any other credentials the employee had access to must be changed now, along with any API keys, service-account secrets or integration tokens they could have read. Do not wait.

Disable physical access. Building access cards, server room codes, and alarm pin codes all need to be deactivated on the same day.

Phase 2: Within 24 Hours

Revoke OAuth grants. Log into your Google Workspace or Microsoft 365 admin portal and review the third-party applications connected to the departing employee's account (in Google Workspace, under the user's Security settings; in Entra, under the user's Applications page or each app's user consent permissions under Enterprise applications). Revoke access for each one. This is the step most businesses skip, and it is the one that leaves ghost access in place the longest. Be clear about what revoking a grant does and does not do: it stops the app obtaining new tokens as that user, but it does not delete the account the app created on its own side or end the app's own session, so the vendor-side account still has to be reset or closed in the next step.
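The identity-provider steps in Phase 1 (disable, then sign out) and this OAuth revocation step can be scripted against Microsoft Graph so they run in the same order on every departure rather than from memory. The script below is an added example, not Cubit Cyber's tooling and not the downloadable checklist. It assumes an app registration holding at least the application permissions User.ReadWrite.All, User.EnableDisableAccount.All, DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All, with a current access token in the GRAPH_TOKEN environment variable; the grants and role assignments it shows are constructed sample data. With no token set it runs in dry-run mode and only records the calls it would make, which is also how you produce a change set to sign off before the real run.

```python
"""Scripted offboarding against Microsoft Graph: Phase 1 identity block and
sign-out, then Phase 2 OAuth grant and enterprise-app revocation.
Added example, not Cubit Cyber's tooling. Assumes an app registration with the
application permissions named in the lead-in and its access token in GRAPH_TOKEN."""
import json
import os
import sys
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphClient:
    """Minimal JSON-over-HTTPS client for Graph using a bearer token."""

    def __init__(self, token):
        self.token = token

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}


class DryRunClient:
    """Records every call instead of sending it, so the change set can be
    reviewed and signed off before it is run for real. GET responses come
    from the constructed sample data below."""

    def __init__(self, grants, roles):
        self.calls = []
        self.grants, self.roles = grants, roles

    def call(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and path.endswith("/oauth2PermissionGrants"):
            return {"value": self.grants}
        if method == "GET" and path.endswith("/appRoleAssignments"):
            return {"value": self.roles}
        return {}


# Constructed sample data for the dry run: two delegated consents and one
# enterprise-app assignment. In a real tenant every id here is a GUID.
SAMPLE_GRANTS = [
    {"id": "grant-canva", "clientId": "sp-canva", "scope": "User.Read openid email"},
    {"id": "grant-crm", "clientId": "sp-crm", "scope": "User.Read Mail.Read"},
]
SAMPLE_ROLES = [
    {"id": "role-crm", "resourceId": "sp-crm", "resourceDisplayName": "Outreach CRM"},
]


def list_all(client, path):
    """Follow @odata.nextLink so a user with more than one page of grants is
    fully covered; a half-revoked user is exactly the gap this is meant to close."""
    items = []
    while path:
        page = client.call("GET", path)
        items.extend(page.get("value", []))
        nxt = page.get("@odata.nextLink")
        path = nxt[len(GRAPH):] if nxt and nxt.startswith(GRAPH) else nxt
    return items


def offboard_identity(client, user_id):
    """Phase 1: block sign-in, then invalidate refresh tokens and session cookies.
    Access tokens already issued stay valid until they expire, so the disable
    comes first and neither call on its own is sufficient."""
    client.call("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    client.call("POST", f"/users/{user_id}/revokeSignInSessions")


def revoke_app_access(client, user_id):
    """Phase 2: delete each delegated consent the user granted to an app
    ("Sign in with Microsoft" style grants) and each enterprise-app assignment.
    Returns what was revoked, for the offboarding record."""
    revoked = []
    for g in list_all(client, f"/users/{user_id}/oauth2PermissionGrants"):
        client.call("DELETE", f"/oauth2PermissionGrants/{g['id']}")
        revoked.append(("oauth-grant", g["clientId"], g.get("scope", "")))
    for r in list_all(client, f"/users/{user_id}/appRoleAssignments"):
        client.call("DELETE", f"/users/{user_id}/appRoleAssignments/{r['id']}")
        revoked.append(("app-assignment", r.get("resourceDisplayName", r["resourceId"]), ""))
    return revoked


def main(user_id):
    token = os.environ.get("GRAPH_TOKEN")
    client = GraphClient(token) if token else DryRunClient(SAMPLE_GRANTS, SAMPLE_ROLES)
    offboard_identity(client, user_id)
    for kind, target, scope in revoke_app_access(client, user_id):
        print(f"revoked {kind}: {target} {scope}".rstrip())
    if not token:
        print("dry run; calls that would have been made:")
        for call in client.calls:
            print("  ", *call[:2])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "departing.user@example.com.au")
```

Google Workspace has the same shape of operation in the Admin SDK Directory API (update the user with suspended set to true, call the user's signOut action, then list and delete the entries under users.tokens), so the two-function structure carries over with only the endpoints changed. Keep the dry-run output with the signed-off checklist; it is the evidence of what was revoked and when.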

Audit shadow IT accounts. Search the employee's email archive for sign-up confirmations, verification codes and password reset emails from business-related tools, and cross-check against the company card statement for SaaS charges and the password manager's record of items they created. These reveal the accounts they created that IT did not know about. Reset credentials for each one, or close the account entirely; where the vendor allows it, transfer the account to a shared or manager-owned address before closing so the data it holds is not lost with it.
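One way to do the mailbox search systematically rather than by eye, as an added example that is not part of the original article: the script below scans an mbox export (or the constructed sample messages embedded in it) for the welcome, verification and password-reset emails vendors send on sign-up, skips senders from domains you already manage, and groups what is left by sender domain so each output line is one vendor to reset, transfer or close. The subject patterns and the KNOWN_DOMAINS set are assumptions to extend for your own stack.

```python
"""Find shadow-IT sign-ups in a departing employee's mailbox export.
Added example, not Cubit Cyber's tooling. Scans an mbox file (or the constructed
sample messages below) for account-lifecycle emails and groups them by vendor."""
import email
import mailbox
import re
import sys
from email.utils import parseaddr, parsedate_to_datetime

# Subjects that almost every self-service sign-up or reset produces (assumed set).
SIGNUP_RE = re.compile(
    r"welcome to|verify your|confirm your|activate your|account is ready|"
    r"your new account|reset your (?:\w+ )?password|password reset|get started with",
    re.IGNORECASE,
)

# Domains already managed through SSO or the password manager (assumed set);
# mail from these is not "shadow". Matched by suffix so subdomains are covered.
KNOWN_DOMAINS = {"microsoft.com", "google.com", "example.com.au"}

# Constructed sample messages standing in for the mailbox export.
SAMPLE_MAILBOX = [
    "From: Canva <no-reply@canva.com>\nDate: Mon, 03 Mar 2025 09:12:00 +1100\n"
    "Subject: Welcome to Canva! Please confirm your email\n\nHi, confirm here.\n",
    "From: Amazon Web Services <no-reply-aws@amazon.com>\nDate: Tue, 15 Apr 2025 14:03:00 +1000\n"
    "Subject: Your AWS Account is Ready - Get Started Now\n\nWelcome aboard.\n",
    "From: HubSpot <noreply@hubspot.com>\nDate: Fri, 20 Jun 2025 22:41:00 +1000\n"
    "Subject: Reset your HubSpot password\n\nClick to reset.\n",
    "From: Jane Doe <jane@example.com.au>\nDate: Mon, 07 Jul 2025 10:00:00 +1000\n"
    "Subject: Re: Q3 planning\n\nSee attached.\n",
    "From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>\n"
    "Date: Tue, 08 Jul 2025 08:00:00 +1000\nSubject: Verify your email address\n\nCode: 123456\n",
    "From: Trello <do-not-reply@trello.com>\nDate: Wed, 09 Jul 2025 16:30:00 +1000\n"
    "Subject: Welcome to Trello\n\nYour workspace is set up.\n",
    "From: Trello <do-not-reply@trello.com>\nDate: Thu, 14 Aug 2025 11:05:00 +1000\n"
    "Subject: Reset your password\n\nReset link.\n",
]


def sample_messages():
    """Parse the constructed sample into the same objects an mbox yields."""
    return [email.message_from_string(raw) for raw in SAMPLE_MAILBOX]


def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_known(domain, known=KNOWN_DOMAINS):
    return any(domain == k or domain.endswith("." + k) for k in known)


def find_shadow_accounts(messages, known=KNOWN_DOMAINS):
    """Return {domain: {"hits": n, "first_seen": date, "subjects": [...]}} for
    every sender domain outside the managed set whose subject looks like an
    account-lifecycle email. Each key is one vendor to reset, transfer or close."""
    found = {}
    for msg in messages:
        subject = msg.get("Subject", "")
        domain = sender_domain(msg)
        if not domain or is_known(domain, known) or not SIGNUP_RE.search(subject):
            continue
        try:
            seen = parsedate_to_datetime(msg.get("Date", "")).date()
        except (TypeError, ValueError):  # missing or unparsable Date header
            seen = None
        entry = found.setdefault(domain, {"hits": 0, "first_seen": seen, "subjects": []})
        entry["hits"] += 1
        entry["subjects"].append(subject)
        if seen and (entry["first_seen"] is None or seen < entry["first_seen"]):
            entry["first_seen"] = seen
    return found


def main(argv):
    # A real export: pass the path to the mbox file (Google Takeout or an
    # Outlook-to-mbox conversion). Without an argument the sample is used.
    messages = list(mailbox.mbox(argv[1])) if len(argv) > 1 else sample_messages()
    for domain, info in sorted(find_shadow_accounts(messages).items()):
        print(f"{domain:<20} first seen {info['first_seen']}  {info['hits']} email(s)")
        for subj in info["subjects"]:
            print(f"    {subj}")


if __name__ == "__main__":
    main(sys.argv)
```

The first-seen date is worth keeping: it tells you how long an unmanaged vendor account has existed, and a domain with a reset email but no welcome email usually means the sign-up predates the archive you were given.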

Transfer ownership of critical assets. Before you close the email account, ensure ownership of the following has been moved to another team member:

  • Domain registrations and DNS management accounts
  • Cloud infrastructure accounts (AWS, Azure root-level access)
  • Social media business accounts
  • Project management workspaces where they were the admin
  • Any shared credentials stored in a password manager

Review pre-departure access logs. Check what data the employee accessed in the five to seven days before their departure. Look specifically for: large file downloads from cloud storage, bulk exports from your CRM, and any activity outside normal working hours. This is not about assuming the worst. It is about knowing your exposure. If sensitive client data was downloaded, you may have obligations to notify affected parties under the Australian Privacy Act.
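The log review above is easy to describe and easy to do inconsistently. As an added example, not Cubit Cyber's tooling, the following script applies the three criteria to an activity export for the departing user: daily download volume, single bulk exports, and activity outside working hours. The event format (one JSON object per line with time, user, action, target and optional bytes or records fields), the thresholds and the seven-day window are assumptions; records from the Microsoft 365 unified audit log, the Google Drive audit log or a CRM export log need a few lines of mapping into that shape, and the sample log is constructed.

```python
"""Review a departing employee's activity in the days before they leave.
Added example, not Cubit Cyber's tooling. Runs over audit events in an assumed,
generic JSON-lines shape; real audit exports need mapping into these fields."""
import json
import sys
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export for one user. Timestamps carry the local offset so
# "outside working hours" is judged in the employee's own time zone.
SAMPLE_LOG = """\
{"time": "2026-03-20T15:10:00+11:00", "user": "a.smith@example.com.au", "action": "Download", "target": "archive-2023.zip", "bytes": 2100000000}
{"time": "2026-03-30T10:15:00+11:00", "user": "a.smith@example.com.au", "action": "Download", "target": "report.pdf", "bytes": 2000000}
{"time": "2026-03-31T23:40:00+11:00", "user": "a.smith@example.com.au", "action": "Download", "target": "clients-2025.zip", "bytes": 400000000}
{"time": "2026-03-31T23:45:00+11:00", "user": "a.smith@example.com.au", "action": "Download", "target": "proposals.zip", "bytes": 350000000}
{"time": "2026-04-01T12:00:00+11:00", "user": "a.smith@example.com.au", "action": "Export", "target": "crm/contacts", "records": 4200}
{"time": "2026-04-02T06:30:00+11:00", "user": "a.smith@example.com.au", "action": "Share", "target": "Client Folder"}
{"time": "2026-04-02T09:00:00+11:00", "user": "a.smith@example.com.au", "action": "View", "target": "handover.docx"}
"""
SAMPLE_DEPARTURE = date(2026, 4, 3)


def load_events(text):
    """Parse JSON lines; the time field becomes an offset-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


def review_departure_window(events, departure, user=None, window_days=7,
                            mb_per_day=500, export_records=1000, work_hours=(7, 19)):
    """Flag the three things worth a second look before the trail goes cold:
    daily download volume above mb_per_day, any single export above
    export_records rows, and any activity outside work_hours. Returns a list of
    (kind, when, detail) tuples; an empty list means nothing stood out."""
    start = departure - timedelta(days=window_days)
    findings = []
    per_day = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["time"]):
        day = ev["time"].date()
        if user and ev.get("user") != user:
            continue
        if not (start <= day <= departure):
            continue  # outside the pre-departure window
        if ev["action"] == "Download":
            per_day[day] += ev.get("bytes", 0)
        if ev["action"] == "Export" and ev.get("records", 0) > export_records:
            findings.append(("bulk_export", day.isoformat(),
                             f"{ev['records']} records from {ev['target']}"))
        if not (work_hours[0] <= ev["time"].hour < work_hours[1]):
            findings.append(("off_hours", ev["time"].isoformat(),
                             f"{ev['action']} {ev['target']}"))
    for day, total in sorted(per_day.items()):
        if total > mb_per_day * 1_000_000:
            findings.append(("bulk_download", day.isoformat(),
                             f"{total / 1e6:.0f} MB downloaded"))
    return findings


def run_sample():
    """The constructed log against the sample departure date."""
    return review_departure_window(load_events(SAMPLE_LOG), SAMPLE_DEPARTURE)


def main(argv):
    # Usage: script.py [departure-date] [events.jsonl]; defaults to the sample.
    departure = date.fromisoformat(argv[1]) if len(argv) > 1 else SAMPLE_DEPARTURE
    text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_LOG
    findings = review_departure_window(load_events(text), departure)
    if not findings:
        print("nothing outside the thresholds in the departure window")
    for kind, when, detail in findings:
        print(f"{kind:<14} {when:<26} {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Note that the large download on 20 March in the sample is deliberately ignored: it falls outside the window, and the point of the window is to separate ordinary work from the last week's pattern. The two late-night downloads on 31 March are reported twice, once each as off-hours events and once combined as a daily volume, because each criterion answers a different question when you come to decide whether a notification is needed.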

Secure the email account. Convert the account to a shared mailbox (in Microsoft 365) or set up delegation (in Google Workspace). Forward to the departing employee's manager. Do not delete the account yet. Set an auto-reply directing incoming contacts to the appropriate person.

Phase 3: Within 30 Days

Reclaim licensed seats. Remove the user from all paid SaaS subscriptions you are aware of. Use your password manager or SaaS management tool to audit the full list.

Archive and close the mailbox. After 30 to 90 days (depending on the role and your data retention policy), archive the mailbox and remove the forwarding. Delete the account only after confirming all data has been transferred.

Recover and wipe company devices. Collect laptops, phones, and any other company hardware. If a device cannot be physically returned, use your Mobile Device Management software to wipe it remotely: a full wipe for company-owned hardware, and a selective wipe that removes only company data, accounts and profiles for a personal BYOD phone enrolled in your MDM. Keep the wipe confirmation with the offboarding record.

Document everything. Record what access was revoked, when, and by whom. This creates your audit trail for compliance purposes and gives you a reference point if a security incident is traced back to a former employee.


What the Australian Privacy Act Means for Your Offboarding

If your business holds personal information about clients, customers, or staff, and most do, the Australian Privacy Act requires that access to that information is limited to those who genuinely need it. A former employee who retains access to your client database or HR records is a direct compliance risk.

Under the notifiable data breaches scheme, if a former employee's lingering access results in a breach of personal information that could cause serious harm, you may be required to notify both the affected individuals and the Office of the Australian Information Commissioner. The reputational and financial consequences of that notification are significant.

The good news is that this is largely preventable. A documented offboarding process that specifically addresses data access, with a record of when each step was completed and by whom, is the core of what you need to demonstrate that reasonable steps were taken.


Build a Process, Not a Memory Exercise

The single most dangerous approach to offboarding is relying on memory. No matter how thorough your intentions, a busy week, an unexpected resignation, or an emotionally charged termination will result in missed steps.

The solution is a written offboarding checklist that runs as a formal task every time an employee leaves. Assign it to a specific person (usually IT or operations), give it a completion deadline, and sign it off when done.

We have built a ready-to-use checklist covering all three phases above, with sign-off fields for your audit trail. Download it, print it, and run it on every departure from today.

Download the free Employee IT Offboarding Checklist

If you are unsure what access your current staff have, or you have never audited your SaaS footprint, a Cubit Cyber security assessment will map your exposure and give you a clear plan for closing the gaps.

Get in touch with Cubit Cyber to book your assessment.
