
How do I securely onboard and offboard employees?

Complete checklists for securely onboarding and offboarding employees. Protect your business from data theft, lingering access, and compliance violations.

centrexIT Team 7 min read

Key Takeaways

  • Poor offboarding is a top cause of data breaches - 20% of businesses have experienced incidents from former employees
  • Onboarding security: provision accounts with least privilege, enforce MFA from day one, assign security training immediately
  • Offboarding security: revoke all access within hours of departure, recover devices, transfer data ownership, audit shared credentials
  • Automation tools like identity management platforms reduce human error and ensure no steps are missed
  • Compliance frameworks (HIPAA, SOC 2, PCI DSS) require documented onboarding and offboarding procedures

Here’s a scenario that happens more often than anyone wants to admit: An employee leaves the company. Two months later, IT discovers that their accounts were never disabled. They still have access to email, file shares, customer databases, and the company VPN.

Or the flip side: A new employee starts on Monday. They sit at their desk with no computer, no accounts, and no idea what tools they need. Someone eventually gives them a shared login “just to get started.” Six months later, they’re still using it.

Both situations create serious security risks. Let’s fix them.

Why This Matters More Than You Think

The Offboarding Problem

The statistics are concerning:

  • 20% of businesses report data breaches connected to former employees
  • 89% of former employees retain access to at least one corporate application after leaving
  • Former employees with active credentials are a prime target for attackers who buy stolen credentials on the dark web
  • The average time to fully revoke a departed employee’s access (without a formal process) is over 100 days

Real-world scenarios

  • A departing salesperson downloads the entire customer database before their last day
  • A terminated employee uses still-active VPN credentials to access and delete files
  • An attacker compromises a former employee’s never-disabled account and pivots into the company network
  • A contractor’s access is never reviewed after their project ends, leaving an open door for months

The Onboarding Problem

Poor onboarding creates different but equally serious risks:

  • Shared credentials because individual accounts weren’t ready on day one
  • Excessive permissions because it was easier to copy an existing user’s access than figure out what the new hire actually needs
  • No security training until weeks or months after start date, leaving new employees vulnerable to phishing
  • Unmanaged devices when employees use personal laptops because IT equipment wasn’t provisioned

Secure Onboarding Checklist

A secure onboarding process should start before the employee’s first day, not on it. Here’s what to cover.

Before Day One (IT Preparation)

Account Provisioning

  • Create email account (Microsoft 365, Google Workspace)
  • Create accounts for required business applications
  • Set up VPN access if applicable
  • Create accounts for communication tools (Teams, Slack)
  • Provision access to file shares and cloud storage
  • Set up phone system and voicemail

Access Permissions (Least Privilege)

  • Define what systems this role needs access to - no more, no less
  • Use role-based access templates where possible
  • Avoid copying permissions from another user (they may have accumulated unnecessary access over time)
  • Set up access with the minimum permissions needed to perform the job
  • Document what access was granted and why

Why least privilege matters

The principle of least privilege means giving each person only the access they need to do their job. Nothing more. If a marketing coordinator doesn’t need access to financial systems, they shouldn’t have it. This limits the damage if their account is ever compromised.

Role | Needs access to | Does NOT need access to
Marketing coordinator | Marketing drives, social media tools, CMS | Finance systems, HR records, server admin
Accounts payable clerk | Accounting software, vendor portal, AP email | CRM, engineering files, IT admin tools
Sales representative | CRM, proposal tools, product catalog | Accounting system, HR platform, IT infrastructure

Device Preparation

  • Configure laptop or desktop with standard security settings
  • Install required security software (EDR, encryption, VPN client)
  • Enable full disk encryption
  • Enroll device in mobile device management (MDM) if applicable
  • Install required business applications
  • Configure automatic updates

Day One (Employee Steps)

Security Setup

  • Set up MFA on all accounts (not optional, not “do it later”)
  • Create initial passwords using the company password manager
  • Verify full disk encryption is active
  • Review and sign acceptable use policy
  • Review and sign data handling policy

Security Awareness Training

  • Complete initial security awareness training module
  • Review phishing identification basics
  • Learn how to report suspicious emails or activity
  • Understand the company’s password policy
  • Know who to contact for security questions

Key point

Security training should happen on day one, not “when they get around to it.” New employees are prime phishing targets because they’re unfamiliar with company communications and eager to respond to requests from people they don’t yet know.

First Week (Verification)

  • Verify all accounts are working correctly
  • Confirm MFA is active on all required systems
  • Ensure the employee is enrolled in ongoing security training
  • Verify the employee can access everything they need (and nothing they don’t)
  • Add the employee to the IT asset inventory
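The role table above and the first-week check ("everything they need, and nothing they don't") are easy to do by hand for one hire and easy to skip for the tenth. The script below is an added example, not code from the original article or from centrexIT: it encodes the three roles from the table as access templates, then compares what a new hire was actually granted against the template, flags extra access (with sensitive systems called out separately), flags missing access, flags any system without MFA confirmed, and flags permissions that were cloned from another user. The role names, system identifiers and the two sample users are constructed for illustration; in practice you would build the user records from a directory or SSO export.

```python
"""Added example (not from the original article): compare a new hire's
granted access against a role-based least-privilege template and the
day-one security baseline (MFA everywhere, no cloned permissions).

Role names, system identifiers and the sample users are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Role-based access templates: the systems each role needs, nothing more.
# Derived from the role table in the article; identifiers are assumptions.
ROLE_TEMPLATES = {
    "marketing_coordinator": {"marketing_drive", "social_media", "cms"},
    "accounts_payable_clerk": {"accounting", "vendor_portal", "ap_mailbox"},
    "sales_representative": {"crm", "proposal_tool", "product_catalog"},
}

# Systems every employee receives regardless of role.
BASELINE_ACCESS = {"email", "chat", "vpn"}

# Systems where an unexpected grant is high impact and gets its own severity.
SENSITIVE = {"accounting", "finance", "hr_records", "server_admin",
             "it_admin", "engineering_files"}


@dataclass
class User:
    name: str
    role: str
    access: set                     # systems the hire can currently reach
    mfa_enrolled: set               # systems where MFA is confirmed active
    copied_from: Optional[str] = None  # whose permissions were cloned, if any


@dataclass
class Finding:
    user: str
    issue: str    # excess_sensitive | excess | missing | no_mfa | cloned_access | unknown_role
    detail: str


def review_new_hire(user: User) -> list:
    """Return every deviation from the role template and security baseline."""
    findings = []
    template = ROLE_TEMPLATES.get(user.role)
    if template is None:
        return [Finding(user.name, "unknown_role",
                        f"no access template defined for role {user.role!r}")]
    expected = template | BASELINE_ACCESS
    for system in sorted(user.access - expected):
        issue = "excess_sensitive" if system in SENSITIVE else "excess"
        findings.append(Finding(user.name, issue, f"has {system}, not in template"))
    for system in sorted(expected - user.access):
        findings.append(Finding(user.name, "missing", f"template requires {system}"))
    for system in sorted(user.access - user.mfa_enrolled):
        findings.append(Finding(user.name, "no_mfa", f"MFA not active on {system}"))
    if user.copied_from:
        findings.append(Finding(user.name, "cloned_access",
                                f"permissions were copied from {user.copied_from}"))
    return findings


def review_all(users) -> dict:
    """Map each user name to its findings; clean hires map to an empty list."""
    return {u.name: review_new_hire(u) for u in users}


# Constructed sample hires: one provisioned from the template, one whose
# access was cloned from a departed colleague and is missing MFA.
NEW_HIRES = [
    User("alice", "marketing_coordinator",
         access={"marketing_drive", "social_media", "cms", "email", "chat", "vpn"},
         mfa_enrolled={"marketing_drive", "social_media", "cms", "email", "chat", "vpn"}),
    User("bob", "sales_representative",
         access={"crm", "proposal_tool", "product_catalog", "email", "chat", "vpn",
                 "accounting", "server_admin"},
         mfa_enrolled={"email", "chat", "vpn", "proposal_tool", "product_catalog"},
         copied_from="former_sales_lead"),
]

if __name__ == "__main__":
    for name, findings in review_all(NEW_HIRES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f.issue}] {f.detail}")
```

Run it and alice comes back clean while bob produces six findings: two sensitive excess grants (accounting, server admin), three systems without MFA, and a note that his access was cloned. The point of the `copied_from` field is to make the "we just copied Dave's permissions" shortcut visible in the review rather than silent.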

Secure Offboarding Checklist

Offboarding is where the bigger security risks live. A structured process ensures nothing falls through the cracks.

Before Last Day (Planning)

As soon as a departure is confirmed - whether voluntary or involuntary - IT should begin preparing.

Access Review

  • Inventory all systems and applications the employee has access to
  • Identify any shared credentials the employee knows
  • Determine what data the employee has access to and what needs to be transferred
  • Identify any personal devices with company data (BYOD)
  • Check for any cloud services the employee signed up for independently (shadow IT)

Data Transfer Planning

  • Identify files and data that need to be transferred to a successor or manager
  • Plan email handling (forwarding, out-of-office, mailbox delegation)
  • Determine what happens to the employee’s shared drives and collaboration spaces
  • Back up the employee’s mailbox and files before any account changes

On Last Day (Immediate Actions)

Timing matters. For voluntary departures, these steps happen at the end of the last day. For involuntary terminations, they should happen simultaneously with or immediately after the termination conversation.

Account Revocation

Action | Details
Disable primary account | Disable (don't delete) the email, Active Directory, or Entra ID account, and reset its password so the old one is useless even if the account is ever re-enabled by mistake
Revoke SaaS access | Remove access to all cloud applications, including ones that were never connected to SSO
Remove VPN access | Immediately - this is a top priority
Disable remote desktop | Block any remote access capability
Revoke financial system access | Banking, accounting, payment platforms
Remove from shared accounts | Distribution lists, shared mailboxes, team accounts
Terminate active sessions | Force sign-out of all devices and revoke refresh tokens; disabling the account alone does not end sessions that already hold valid tokens, which can keep working until they expire
Disable physical access | Building badges, door codes, alarm codes

Why disable instead of delete

Disabling accounts (rather than deleting them) preserves data and audit trails. You may need access to the former employee’s email or files for business continuity, legal holds, or investigations. Delete accounts after an appropriate retention period (typically 30-90 days, or as required by your retention policy).

Device Recovery

  • Collect laptop, desktop, monitors, and peripherals
  • Collect mobile devices (company-issued phones, tablets)
  • Collect any removable storage (USB drives, external hard drives)
  • Wipe company data from personal devices if BYOD was used
  • Collect any physical access cards, keys, or security tokens

Credential Changes

  • Change passwords on any shared accounts the employee had access to
  • Rotate any service account credentials the employee knew
  • Update WiFi passwords if the employee had access to network credentials not tied to individual accounts
  • Review and rotate API keys or integration credentials the employee managed

After Departure (Verification)

Within 24 Hours

  • Verify all access has been revoked: confirm the account shows as disabled in the directory, that sessions and tokens were revoked, and that each SaaS application actually completed deprovisioning (don't rely on a test login - IT shouldn't be holding the former employee's password)
  • Check the former employee's mailbox for automatic forwarding: both mailbox-level forwarding and inbox rules, especially anything pointing at an external domain
  • Review sign-in logs for any post-departure access attempts - a successful sign-in after the access end time means a step was missed, and repeated failed attempts mean the credentials are still being tried
  • Confirm all devices have been returned or wiped

Within One Week

  • Complete data transfer to successor or manager
  • Set up email auto-reply or forwarding as appropriate
  • Update documentation with the offboarded user’s removal
  • Close out any IT tickets associated with the former employee

Within 30 Days

  • Review access logs for any anomalies during the employee’s final weeks
  • Confirm the employee has been removed from all systems (including ones that may have been missed initially)
  • Update emergency contact lists and security distribution groups
  • Archive the employee’s data according to retention policy
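The 24-hour and 30-day verification steps above (account actually disabled, no forwarding rules, no post-departure sign-ins) are the checks most often skipped because someone has to pull three different reports and read them. The script below is an added example, not code from the original article or from centrexIT: it runs those checks over a constructed sign-in export, a constructed set of inbox rules and mailbox forwarding addresses, and a list of departed users with the time their access should have ended. The field names loosely follow what a cloud identity provider's sign-in export carries but are not tied to any real product or tenant; every record is constructed, and `example.com` stands in for the company's own domain.

```python
"""Added example (not from the original article): post-departure
verification checks run over constructed sign-in, mailbox and account data.

Findings are (severity, user, message) tuples. All sample data is
constructed; replace the constants with your own directory/mail exports.
"""
import json
from datetime import datetime, timezone

# Domains that count as "ours"; forwarding anywhere else is external.
INTERNAL_DOMAINS = {"example.com"}

# Departed users: when their access should have ended (UTC) and the account
# state the directory currently reports. Constructed sample.
DEPARTED = {
    "jdoe@example.com": {"access_end": "2024-03-15T17:00:00Z", "account_enabled": False},
    "rlee@example.com": {"access_end": "2024-03-15T17:00:00Z", "account_enabled": True},
}

# Constructed sign-in export, one JSON object per line.
SIGNIN_LOG = """\
{"userPrincipalName":"jdoe@example.com","createdDateTime":"2024-03-15T16:40:12Z","status":"success","appDisplayName":"SharePoint","ipAddress":"203.0.113.10"}
{"userPrincipalName":"jdoe@example.com","createdDateTime":"2024-03-16T09:03:55Z","status":"failure","appDisplayName":"VPN","ipAddress":"198.51.100.7"}
{"userPrincipalName":"rlee@example.com","createdDateTime":"2024-03-18T22:14:01Z","status":"success","appDisplayName":"Exchange Online","ipAddress":"198.51.100.7"}
{"userPrincipalName":"asmith@example.com","createdDateTime":"2024-03-18T08:00:00Z","status":"success","appDisplayName":"Teams","ipAddress":"203.0.113.10"}
"""

# Constructed inbox rules and mailbox-level forwarding addresses.
INBOX_RULES = [
    {"mailbox": "jdoe@example.com", "name": "Archive old mail", "forwardTo": [], "enabled": True},
    {"mailbox": "jdoe@example.com", "name": "copy", "forwardTo": ["jdoe.personal@mail.example.net"], "enabled": True},
    {"mailbox": "rlee@example.com", "name": "to manager", "forwardTo": ["manager@example.com"], "enabled": True},
]
MAILBOX_FORWARDING = {
    "jdoe@example.com": None,
    "rlee@example.com": "rlee@competitor.example.org",
}


def parse_ts(value: str) -> datetime:
    """Parse the export's ISO-8601 UTC timestamps ("...Z") into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def check_account_state(departed) -> list:
    """Any departed user whose account is still enabled is a missed step."""
    return [("critical", upn, "account still enabled after access end")
            for upn, info in departed.items() if info["account_enabled"]]


def check_signins(log_text: str, departed) -> list:
    """Flag sign-in activity by departed users after their access end time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        upn = event["userPrincipalName"]
        info = departed.get(upn)
        if info is None or parse_ts(event["createdDateTime"]) <= parse_ts(info["access_end"]):
            continue  # not a departed user, or activity before their access ended
        where = f"{event['appDisplayName']} from {event['ipAddress']}"
        if event["status"] == "success":
            findings.append(("critical", upn, f"successful sign-in to {where} after access end"))
        else:
            findings.append(("warning", upn, f"failed sign-in attempt to {where} after access end"))
    return findings


def check_forwarding(rules, mailbox_forwarding, departed) -> list:
    """Flag mailbox-level forwarding and enabled inbox rules that send mail outside."""
    findings = []
    for upn, target in mailbox_forwarding.items():
        if upn in departed and target and is_external(target):
            findings.append(("critical", upn, f"mailbox-level forwarding to external address {target}"))
    for rule in rules:
        upn = rule["mailbox"]
        if upn not in departed or not rule["enabled"]:
            continue
        for target in rule["forwardTo"]:
            if is_external(target):
                findings.append(("critical", upn, f"inbox rule {rule['name']!r} forwards to external address {target}"))
    return findings


def run_checks() -> list:
    return (check_account_state(DEPARTED)
            + check_signins(SIGNIN_LOG, DEPARTED)
            + check_forwarding(INBOX_RULES, MAILBOX_FORWARDING, DEPARTED))


if __name__ == "__main__":
    for severity, upn, message in run_checks():
        print(f"[{severity.upper()}] {upn}: {message}")
```

On the sample data this reports five findings: rlee's account is still enabled, rlee signed in successfully three days after leaving, rlee's mailbox forwards to an outside domain, jdoe has an inbox rule copying mail to a personal address, and jdoe's disabled credentials were tried against the VPN the morning after departure. The last one is a warning rather than a critical: the account is disabled, so the attempt failed, but it tells you the password is still in circulation and belongs in the 30-day watch. Activity from before the access end time and from current employees is deliberately ignored.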

Handling Involuntary Terminations

Involuntary terminations - especially ones involving conflict or poor performance - carry higher risk. The employee may be angry, desperate, or planning ahead.

Elevated Precautions

  • Coordinate timing with HR - IT should be ready to disable access the moment the termination conversation begins
  • Monitor for data exfiltration - Review recent file downloads, email forwards, and USB device connections in the days leading up to the termination
  • Consider preserving forensic evidence - If there’s suspicion of policy violations, preserve the employee’s devices and logs before wiping anything
  • Expedite device recovery - Don’t let terminated employees “bring the laptop back next week”

Automation Tools That Help

Manual checklists work, but they rely on humans remembering every step. Automation reduces the risk of missed steps.

Identity Management Platforms

Tools like Microsoft Entra ID, Okta, or JumpCloud can automate much of the provisioning and deprovisioning process:

  • Automated provisioning - Create accounts across multiple systems from a single action based on role templates
  • Automated deprovisioning - Disable access across all connected systems with one click
  • Access reviews - Regular automated prompts to managers to verify their team’s access is still appropriate
  • Lifecycle policies - Automatically disable accounts for contractors when their project end date arrives

IT Service Management (ITSM) Tools

Ticketing systems with onboarding and offboarding workflow templates ensure every step is tracked:

  • Checklist items that must be completed before the ticket can be closed
  • Automatic assignments to the right IT team members
  • Audit trail showing who did what and when
  • Escalation if steps aren’t completed within a defined timeframe

Mobile Device Management (MDM)

MDM platforms let you remotely manage and wipe company data from devices:

  • Remotely lock or wipe lost or unrecovered devices
  • Remove company data from personal devices without affecting personal data
  • Enforce security policies (encryption, PIN requirements, app restrictions)
  • Track device inventory

The Value of Automation

Manual process | Automated process
Relies on someone remembering every step | Runs the same way every time
Takes 2-4 hours per onboard/offboard | Takes minutes with human oversight
Accounts get missed (especially SaaS apps) | Complete coverage through integration
No documentation trail | Full audit log of every action
Varies by who handles it | Consistent regardless of who triggers it

Compliance Implications

If your business operates under regulatory or compliance frameworks, documented onboarding and offboarding processes aren’t optional - they’re required.

HIPAA

  • Access to protected health information (PHI) must be tied to job function
  • Access must be revoked promptly upon departure
  • Access logs must be maintained
  • Training on PHI handling is required for all workforce members

SOC 2

  • User access provisioning and deprovisioning must be documented
  • Access reviews must occur regularly
  • Terminated user access must be removed in a timely manner
  • Evidence of these processes must be available for auditors

PCI DSS

  • Access to cardholder data environments must be based on business need
  • Unique user IDs are required (no shared accounts)
  • Access must be revoked immediately for terminated users
  • Regular access reviews are mandatory

Even without specific compliance requirements

Documented onboarding and offboarding processes demonstrate due diligence. If your business ever faces a data breach investigation or lawsuit, having formal procedures shows you took reasonable security measures.

Common Mistakes to Avoid

During Onboarding

  • Granting admin access by default - Start with minimum access and add as needed
  • Skipping MFA setup - “They’ll set it up later” usually means they won’t
  • Using shared accounts - Every employee should have their own credentials for every system
  • Delaying security training - New employees are the most vulnerable to social engineering
  • Not documenting what access was granted - You can’t revoke what you don’t know about

During Offboarding

  • Forgetting SaaS applications - The employee probably has accounts in 10-20 cloud services beyond the core ones
  • Not changing shared passwords - If the departing employee knew the WiFi password, the conference room TV login, or any shared service credentials, change them
  • Deleting accounts immediately - You may need the data. Disable first, delete later.
  • Letting the employee “wipe their own laptop” - Recover the device first, then wipe it with IT oversight
  • Not monitoring post-departure - Watch for login attempts from disabled accounts for at least 30 days

The Bottom Line

Secure onboarding and offboarding aren’t just IT tasks - they’re business risk management. Every employee who joins your company gains access to sensitive systems and data. Every employee who leaves should have that access fully and promptly revoked.

The keys to getting this right:

  1. Standardize the process - Use checklists so nothing is forgotten
  2. Start early - Begin onboarding prep before day one and offboarding prep as soon as departure is confirmed
  3. Apply least privilege - Give people access to what they need, nothing more
  4. Automate where possible - Reduce human error with identity management tools
  5. Verify and audit - Confirm that access was actually revoked, don’t just assume

A missed step during offboarding can leave your network exposed for months. A sloppy onboarding can create security vulnerabilities from an employee’s first day. Neither risk is necessary with a proper process in place.


Need help building secure onboarding and offboarding processes? Contact us and we’ll help you create documented procedures, implement automation, and close the access gaps in your organization.
