
Employee Offboarding Security Gaps Most SMBs Miss

Infonaligy

Former employees keep access to company systems for months at most SMBs. A practical checklist for closing offboarding security gaps that create real risk.


When an employee leaves your company, HR collects their badge and IT disables their email. At most SMBs, that covers the entire offboarding process. The result is that former employees retain active access to company systems, data, and cloud services for weeks or months after their last day.

The Access Problem Extends Far Beyond Email

A typical employee at a 100-person company uses between 20 and 30 different applications, platforms, and cloud services to do their job. Some of those connect through your identity provider, usually Microsoft Entra ID or Google Workspace. When IT disables that identity, access to connected applications gets revoked automatically.

But a significant portion of an employee’s access lives outside that umbrella: SaaS tools registered with personal email addresses, shared credentials for vendor portals, API keys stored in automation scripts, VPN profiles on personal devices, and browser-saved passwords for systems that don’t support single sign-on. A Productiv State of SaaS report found that 56% of SaaS licenses assigned to departed employees were still active 90 days after their departure. Those aren’t just wasted license fees. They’re open doors into your environment.

When your IT team disables a departing employee’s Microsoft 365 account, they revoke access to the 10 or 15 applications connected to that identity. The other 10 or 15 accounts stay active, invisible to your security team, until someone discovers them or an attacker exploits them.

Five Gaps That Show Up in Every Offboarding Audit

We’ve reviewed offboarding processes at dozens of SMBs, and the same gaps appear nearly everywhere. These aren’t theoretical risks. They show up consistently when we onboard new clients and audit their existing environments.

SaaS accounts registered with personal email. An employee signs up for a project management tool or a design platform using their personal Gmail because the free tier didn’t require a corporate account. Company data flows into that tool for months or years. When the employee leaves, their corporate account gets disabled, but their personal login to that SaaS tool stays active with full access to everything they uploaded. We covered this broader pattern in our post on SaaS sprawl and the access gaps it creates.

Shared credentials and service accounts. Small teams often share login credentials for tools that don’t support multiple users: a vendor portal, a hosting control panel, or an analytics dashboard. When someone with access to those shared passwords leaves, the only secure response is to rotate every shared credential they knew. In practice, that almost never happens because nobody maintains a list of which shared credentials each employee used.

Cloud storage with direct sharing links. Google Drive files, Dropbox folders, and SharePoint documents shared via “anyone with the link” permissions remain accessible regardless of employment status. If a departing employee saved those links or synced folders to a personal device, they retain access to those documents indefinitely. Disabling their corporate account does nothing to invalidate direct share links.

Mobile device access. Company email, Teams, OneDrive, and other business applications installed on personal phones don’t get wiped when someone turns in their laptop. Without mobile device management (MDM) policies in place, your IT team has no mechanism to remove company data from a former employee’s personal phone. The data sits there, accessible and unmonitored.

Third-party vendor and partner portals. Employees who manage vendor relationships often have individual accounts in supplier portals, insurance platforms, banking interfaces, and regulatory filing systems. These accounts are created outside your IT department’s visibility, and they rarely appear on any offboarding checklist. A departing accounts payable employee might retain access to your company’s banking portal for months without anyone noticing.

What Incomplete Offboarding Actually Costs

The business impact of these gaps falls into three categories, and all of them surface in real audits and incident investigations.

Data exposure and exfiltration. The 2024 Verizon Data Breach Investigations Report found that 20% of breaches involved internal actors, including former employees. Incomplete offboarding makes this worse because the access isn’t even unauthorized from a technical standpoint. The accounts are still active. There’s no alert, no anomaly detection trigger, and no audit trail flagging the activity as suspicious.

Compliance violations. If your business handles protected health information (HIPAA), cardholder data (PCI DSS), or personal data under the Texas Data Privacy and Security Act, you’re required to maintain access controls and data inventories. Orphaned accounts for former employees are a direct compliance gap. Auditors treat them as evidence that your access management program is incomplete, because it is.

Cyber insurance consequences. As we covered in our post on 2026 cyber insurance renewal requirements, carriers now verify that companies enforce access controls, MFA, and identity management. If a claim investigation reveals that a former employee’s active credentials were the entry point, your carrier may deny the claim based on inadequate access controls. The 12 controls insurers verify during underwriting include identity and access management for exactly this reason.

Ongoing license costs. Every orphaned SaaS account is a license you’re paying for that provides zero value. Across a company with regular turnover, those costs add up. We’ve seen clients recover thousands of dollars annually just by cleaning up licenses tied to former employees.

An Offboarding Security Checklist That Works

The fix isn’t complicated, but it requires your IT team to be involved before the employee’s last day, not after.

1. Maintain a centralized application inventory. You cannot revoke access to systems you don’t know exist. Start with a full audit of every application your employees use, including the ones IT didn’t provision. Pull data from SSO logs, expense reports, and browser extension inventories. Your managed IT provider should maintain this inventory and update it quarterly.

2. Put everything behind SSO. Every business application that supports single sign-on should connect to your identity provider. When an employee’s SSO account is disabled, access to every connected application is revoked automatically. Applications that don’t support SSO should be flagged for replacement or managed with a centralized password manager that allows credential rotation.

3. Include IT in the termination timeline. HR should notify IT of an upcoming departure at the same time they schedule the exit interview, not on the employee’s last morning. This gives IT time to inventory the departing employee’s access, prepare revocation steps, and coordinate with application owners. Same-day notification leads to gaps because the work is rushed.

4. Revoke mobile device access. If you use Microsoft Intune, Jamf, or another MDM platform, trigger a selective wipe that removes company data from the departing employee’s personal devices while leaving personal content intact. If you don’t have MDM in place, this gap is worth addressing before your next employee departure. Your managed security provider can deploy MDM policies across your existing device fleet.

5. Rotate shared credentials immediately. Pull the list of shared accounts and service credentials the departing employee had access to and rotate every one of them on the employee’s last day. A business password manager like 1Password Business or Keeper makes this fast instead of a guessing game.

6. Audit third-party portal access. Check with department heads to identify any external portals, vendor systems, or financial platforms where the departing employee had individual access. Disable or transfer those accounts. Pay special attention to banking portals, payroll systems, and any platform with access to financial transactions.

7. Verify 30 days later. Run a follow-up access review one month after the departure. Look for active sessions, login attempts from the former employee’s accounts, and any SaaS applications that didn’t get caught in the initial pass. This step catches the gaps every offboarding process misses on the first round.
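A follow-up review of this kind, as an added example that is not code from the original post: a small Python script that takes constructed exports for each departed employee (directory account status, sign-in log entries, and SaaS license assignments, all invented here) and flags an identity that is still enabled, any sign-in attempt after the last day, and any license still assigned. The export shapes and field names are assumptions; a real review would load them from your identity provider and SaaS admin consoles.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Departure:
    user: str       # corporate sign-in name
    last_day: date  # employee's last working day


# Constructed sample exports, not real data: directory account status, a
# sign-in log (user, date, result) and a SaaS license export (user, app).
DEPARTURES = [
    Departure("jdoe@example.com", date(2025, 1, 10)),
    Departure("asmith@example.com", date(2025, 2, 3)),
]
DIRECTORY = {"jdoe@example.com": "disabled", "asmith@example.com": "enabled"}
SIGNINS = [
    ("jdoe@example.com", date(2025, 1, 9), "success"),     # before last day: fine
    ("jdoe@example.com", date(2025, 1, 21), "success"),    # after last day: finding
    ("asmith@example.com", date(2025, 2, 20), "failure"),  # attempt after last day
]
LICENSES = {
    ("jdoe@example.com", "design-platform"),
    ("asmith@example.com", "project-tool"),
    ("bwong@example.com", "project-tool"),  # current employee, not reviewed
}


def review_departures(departures, directory, signins, licenses, review_date):
    """Return {user: [findings]} for each departed user with leftover access:
    identity not disabled, sign-ins after the last day, licenses still assigned."""
    report = {}
    for d in departures:
        findings = []
        if directory.get(d.user, "missing") != "disabled":
            findings.append("identity not disabled")
        for user, when, result in signins:
            if user == d.user and when > d.last_day:
                findings.append(f"{result} sign-in on {when.isoformat()} after last day")
        for user, app in sorted(licenses):
            if user == d.user:
                days = (review_date - d.last_day).days
                findings.append(f"license still assigned: {app} ({days} days after departure)")
        if findings:
            report[d.user] = findings
    return report


if __name__ == "__main__":
    print(review_departures(DEPARTURES, DIRECTORY, SIGNINS, LICENSES, date(2025, 3, 5)))
```

Run it against the last few departures with real exports and every non-empty entry in the report is an offboarding step that was missed.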


Start With Your Last Three Departures

If you want to know how exposed your company is right now, audit the last three employees who left. Check whether their SaaS accounts are still active, whether shared credentials were rotated, and whether their personal devices still have company data. The findings from that exercise will show you exactly where your offboarding process breaks down and which gaps to close first.