Offboarding: the checklist.
The day an employee leaves is the day your security posture gets tested. A written offboarding checklist turns a weak spot into a non-event.
Nearly every insider-threat incident we investigate traces back to incomplete offboarding. Access that should have been revoked on day one is still active three weeks later. A shared password never got rotated. A SaaS tool nobody knew about still had credentials. The fix is unglamorous — a written checklist — but it works.
Why offboarding is often the weakest control
Termination days are emotional. Revocations get deprioritized. The IT person is told 'by the end of the week' and something urgent bumps it. Meanwhile the ex-employee has their company laptop, their personal phone with email, their VPN access, their SaaS logins, and — if they're upset — motive. The gap between 'employee left' and 'access revoked' is the highest-risk window you have.
What gets missed
“A terminated salesperson kept VPN access and downloaded the full CRM before the account was disabled.”
Red flag: Account disabled four days after termination. Enough time to exfiltrate two years of client contacts.
“An ex-marketing manager's OAuth grants for Zapier, Slack, and Meta Business still worked weeks after she left.”
Red flag: She used one of the grants to send a mass email to clients from a copycat domain during a dispute over severance.
The one-page offboarding checklist
- Disable the user account in Microsoft 365 / Google Workspace on day zero (at termination meeting).
- Revoke all active sessions and set the password to a random value.
- Remove the user from every SaaS tool. Work from your OAuth audit (Tip #41) and revoke every grant, not just the ones you remember.
- Collect company devices. If not returned, remote wipe immediately.
- Rotate any shared passwords the employee knew.
- Transfer ownership of files, calendars, and shared mailboxes.
- Update door access, alarm codes, and any physical keys.
- Document everything revoked, for compliance and audit purposes.
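As an added example (not this page's own tooling), here are the first checklist steps scripted as a day-zero runbook against the Microsoft Graph API, ending with the audit log the last step asks for. The Graph endpoints are real; the `offboard_user` function, the injected `call` helper and the stub tenant data are constructed assumptions for illustration.

```python
import json
import secrets
import string
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def random_password(length: int = 32) -> str:
    """Random value nobody is told; the account is disabled anyway."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def offboard_user(upn: str, call) -> list:
    """Run the day-zero account steps in order and return an audit log.
    `call(method, url, body)` performs one authenticated Graph request and
    returns the decoded JSON body (or None). Injected so the runbook can be
    exercised against a stub; a real one wraps an HTTP client with a token."""
    log = []

    def step(action, method, path, body=None, detail=None):
        result = call(method, f"{GRAPH}{path}", body)
        # Record what was done, never the body (it may carry the password).
        log.append({"at": datetime.now(timezone.utc).isoformat(),
                    "action": action, "method": method, "path": path,
                    "detail": detail})
        return result

    # 1. Block sign-in first so nothing below races a live session.
    step("disable_account", "PATCH", f"/users/{upn}", {"accountEnabled": False})
    # 2. Reset the password so an accidental re-enable does not restore access.
    step("reset_password", "PATCH", f"/users/{upn}",
         {"passwordProfile": {"password": random_password(),
                              "forceChangePasswordNextSignIn": True}})
    # 3. Invalidate refresh tokens so cached phone and laptop sessions die.
    step("revoke_sessions", "POST", f"/users/{upn}/revokeSignInSessions")
    # 4. Enumerate delegated OAuth grants (Zapier, Slack, ...) and revoke each.
    grants = step("list_oauth_grants", "GET", f"/users/{upn}/oauth2PermissionGrants") or {}
    for g in grants.get("value", []):
        step("revoke_oauth_grant", "DELETE", f"/oauth2PermissionGrants/{g['id']}",
             detail={"clientId": g.get("clientId"), "scope": g.get("scope")})
    return log


if __name__ == "__main__":
    def stub(method, url, body):  # constructed stand-in for a live tenant
        if method == "GET" and url.endswith("/oauth2PermissionGrants"):
            return {"value": [{"id": "grant-1", "clientId": "sp-zapier", "scope": "Mail.Send"}]}
        return None
    print(json.dumps(offboard_user("jane.doe@example.com", stub), indent=2))
```

Device wipe, shared-password rotation and ownership transfer are separate systems and stay manual or get their own steps; the point is that the account-side steps are ordered, repeatable and logged.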
We run offboarding for clients.
When an employee leaves, our clients open a ticket. We run the full checklist within 2 hours. You should have something equivalent.
1. Write a one-page offboarding checklist this week. Cover every system.
2. Name the owner — HR, office manager, or MSP — who runs it, every time.
3. Commit to disabling access on day zero. No 'by the end of the week.'
4. Build OAuth revocation and SaaS deprovisioning into the checklist.
5. Review and audit completed offboardings monthly for completeness.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.