Employee Offboarding Security Checklist: Prevent Insider Threats in 2026

David Plaha

When an employee leaves your company — whether voluntarily or involuntarily — it creates a window of maximum security risk. Research consistently shows that over 20% of data breaches involve an insider, and a significant proportion of those incidents involve former employees who retained access they should have lost on their last day.

As a cybersecurity specialist who has conducted forensic investigations into insider threat incidents, I have seen the damage a single forgotten access point can cause. A former IT manager uses an unrevoked admin account to access customer data three months after departure. A sales rep downloads the entire CRM database the day before resigning. A disgruntled developer who kept their SSH keys deletes a production database two weeks after termination.

This checklist bridges the gap between HR and IT to ensure that when an employee walks out the door, your data stays in.


Phase 1: Day-Zero Actions (At Moment of Termination)

These steps must occur immediately at the moment termination is confirmed — before the employee is notified in cases of involuntary departure, or simultaneously with the notification in cases of resignation.

Identity and Access Management (IAM)

  • Disable SSO (Single Sign-On) account: If you use Okta, Azure AD, Google Workspace, or JumpCloud, suspend or disable the account immediately. For properly configured SSO environments, this single action will propagate to all connected applications within minutes.
  • Reset Active Directory / LDAP password and force session logout: This terminates any active authenticated sessions on corporate devices and applications.
  • Revoke MFA tokens: Disable or revoke their TOTP authenticator enrollment and any hardware tokens (YubiKey, FIDO2 keys) they held.
  • Revoke VPN access: Remove them from VPN user groups or disable their certificate. This closes remote network access immediately.
  • Terminate active sessions: In cloud platforms (AWS, Azure, GCP), invalidate active session tokens. Console access with active sessions can persist after password reset if sessions are not explicitly terminated.

Email and Communication

  • Disable email account or set to forward-only: Disable active sending capability but preserve the mailbox for evidence and business continuity purposes.
  • Set out-of-office auto-reply: Configure a response directing contacts to the appropriate successor or team inbox.
  • Check for email forwarding rules: Forwarding rules set up before departure are a common insider exfiltration vector. Review the mailbox's inbox rules and any mailbox-level forwarding setting in the Exchange admin center or the Google Workspace admin console.
  • Revoke calendar and shared inbox access: Remove from distribution lists, shared mailboxes, and calendar permissions.
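A quick way to make the forwarding-rule review above repeatable is to script it over an export of the mailbox's rules. This is an added example, not from the article: it assumes rules in the shape of the Microsoft Graph `messageRule` resource (`actions.forwardTo`, `redirectTo`, `forwardAsAttachmentTo`), and the sample rules and domains are constructed.

```python
"""Flag mailbox rules that forward or redirect mail outside the company.
Added example, not from the original article. Rule shape follows the
Microsoft Graph `messageRule` resource; the sample rules are constructed."""

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed company domains

# messageRule actions that send a copy of the message somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_external_forwarding(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (rule name, enabled?, recipient) for every rule that forwards or
    redirects to a domain outside `internal_domains`. Disabled rules are
    reported too: they can be re-enabled and are worth a second look."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        for action in FORWARDING_ACTIONS:
            for recipient in actions.get(action, []):
                address = recipient.get("emailAddress", {}).get("address", "")
                if address and _domain(address) not in internal_domains:
                    findings.append((rule["displayName"], rule.get("isEnabled", True), address))
    return findings


# Constructed sample: the kind of export an admin pulls for a departing user.
SAMPLE_RULES = [
    {"displayName": "Copy to personal", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me.personal@gmail.example"}}]}},
    {"displayName": "Move vendor mail", "isEnabled": True,
     "actions": {"moveToFolder": "Vendors"}},
    {"displayName": "Redirect to team", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "sales@example.com"}}]}},
    {"displayName": "Old backup rule", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@outside.example"}}]}},
]

if __name__ == "__main__":
    for name, enabled, addr in find_external_forwarding(SAMPLE_RULES):
        print(f"{'ENABLED ' if enabled else 'disabled'} rule {name!r} forwards to {addr}")
```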

Collaboration and Productivity Tools

  • Slack / Teams: Deactivate the account. Preserve message history per your retention policy.
  • Zoom / Google Meet: Remove admin rights and revoke any webinar host permissions.
  • Notion, Confluence, SharePoint: Revoke access and transfer ownership of pages they owned.
  • Project management tools (Jira, Asana, Monday.com): Deactivate account and reassign open items.

Phase 2: Days 1–3 (Physical and Hardware)

Asset Recovery

  • Laptop / workstation: Retrieve before or at the final day. Issue a remote lock command (Microsoft Intune, Apple MDM, Jamf) if the device is not returned immediately.
  • Mobile devices: If company-owned, retrieve. If BYOD with MDM enrolled, initiate selective corporate data wipe (removes corporate apps and data without affecting personal content).
  • Hardware security keys: Collect YubiKeys or other hardware tokens.
  • External drives and specialized hardware: Any equipment checked out for their role — USB drives, testing devices, specialized dongles.

Physical Access

  • Deactivate access badge / RFID keycard: Remove their card serial number from the building access control system.
  • Rotate shared alarm codes and server room PINs: If they had knowledge of shared codes, rotate them even if you have no reason to suspect malicious intent.
  • Update key locks: For any physical keys issued, change locks if keys cannot be recovered.

Phase 3: The "Shadow IT" Access Audit (Most Often Neglected)

This is where 90% of companies fail. Former employees routinely retain access to tools and accounts that were never connected to SSO and therefore were not disabled by the Day-Zero actions.

Developer and Technical Access

  • Code repositories (GitHub, GitLab, Bitbucket): Remove from organization, revoke personal access tokens (PATs), and rotate any service account credentials they created.
  • Cloud provider IAM (AWS, Azure, GCP): Remove IAM users, disable access keys, revoke federated access, and review service accounts and Lambda/function execution roles they may have created.
  • Server SSH keys: Remove their public key from ~/.ssh/authorized_keys on all servers — particularly critical for sysadmin and DevOps departures.
  • CI/CD platforms (Jenkins, CircleCI, GitHub Actions): Remove user access and rotate any secrets or API keys they had visibility into.
  • Database access: Revoke direct database credentials, not just application-layer access.
  • DNS and domain registrar access: Remove from GoDaddy, Cloudflare, or Route 53 account access.
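Removing SSH keys "from all servers" is only reliable if you match on the key itself rather than the comment, which anyone can edit. The following is an added example, not code from the article: it strips a departing user's keys from an authorized_keys file by base64 blob, keeping options-prefixed lines and comments intact. The file content and key blobs are constructed placeholders.

```python
"""Remove a departed user's public keys from an authorized_keys file.
Added example, not from the article: keys are matched on the base64 blob
(what `ssh-keygen -l` fingerprints), not the editable trailing comment.
The file content and key blobs below are constructed placeholders."""

# Key-type tokens that precede the base64 blob on an authorized_keys line.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def key_blob(line: str):
    """Base64 blob of a key line, or None for comments/blank/unknown lines.
    Works with a leading options field such as command="..." or from="..."."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tokens[i + 1]
    return None


def remove_keys(authorized_keys: str, revoked_blobs):
    """Return (new_text, removed_lines); all other lines are kept verbatim."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        (removed if key_blob(line) in revoked_blobs else kept).append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file; the blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy hosts
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_ALICE alice@example.com
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_BOB bob@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_BOB2 renamed-comment@example.com
"""
# The departing user's known key blobs (e.g. from the IdP or their Git host
# profile), including one whose comment no longer names them.
BOB_BLOBS = {"AAAAB3NzaC1yc2EPLACEHOLDER_BOB", "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_BOB2"}

if __name__ == "__main__":
    new_text, removed = remove_keys(SAMPLE_AUTHORIZED_KEYS, BOB_BLOBS)
    print(f"removed {len(removed)} key(s)\n{new_text}")
```

Run it against each host's file from your configuration management, and compare the removed count to the number of keys the user was known to hold so a missed server stands out.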

Shared Accounts and Social Media

  • Rotate corporate social media passwords: Twitter/X, LinkedIn Company Page, Instagram, Facebook — any platform where they had posting access.
  • Shared email inboxes: support@, sales@, info@ — rotate passwords and verify access is limited to current employees.
  • Shared subscription accounts: Adobe Creative Cloud team plans, stock photo subscriptions, industry databases.

Third-Party SaaS Audit

  • Review independent SaaS accounts: Tools like Canva, Loom, Zapier, or specialized industry software where employees created accounts using their work email but with a separate password not tied to SSO.
  • Transfer data ownership: Ensure Google Drive, OneDrive, or Box files they owned are transferred to their manager's ownership before deleting the account. Deleting an account first may destroy its content.
  • CRM access (Salesforce, HubSpot): Revoke access and review recent data exports or contact list downloads in audit logs.
  • Password manager team vaults: Remove from shared vaults in 1Password Teams, Bitwarden, or LastPass Business.

Phase 4: Legal and Compliance Actions

Documentation

  • Exit interview documentation: HR should formally document the discussion of IP obligations and confidentiality agreements.
  • Data return attestation: Have the employee sign a document affirming they have deleted or returned all company data from personal devices and cloud storage. While not technically enforceable as a hard control, it creates legal exposure for them if they later misuse retained data.
  • NDA and non-compete reminder: Formally document that the employee was reminded of their post-employment obligations.

Evidence Preservation

  • Preserve device forensic image: For any departure involving known or suspected data theft, preserve a forensic image of the device before wiping it. This evidence is required for any subsequent legal action.
  • Export access logs: Preserve 90 days of access logs for the departed employee's accounts before deleting or archiving the account.

Phase 5: 30-Day Monitoring Period

Access revocation is not the end of the offboarding process — it is the beginning of a monitoring period.

Monitor for Residual Access Indicators

  • Alert on use of former employee credentials: SIEM rules should fire on any authentication attempt using the former employee's identity (username, email, SSO) after their offboarding date.
  • Watch for use of shared credentials they had access to: If shared passwords were not rotated, monitor for access from unexpected IPs or at unusual hours.
  • Monitor for data access from new accounts: If you suspect data exfiltration, implement DLP rules watching for the departed employee's name, department, or project names in outbound data transfers.
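The first two monitoring items above translate directly into detection logic. Here is an added example, not from the article, that runs the two rules over constructed JSON authentication records: any use of a departed identity after its offboarding timestamp, and any use of an unrotated shared account from an unexpected source IP or outside working hours. The field names, the departed-user table, and the working-hours policy are assumptions.

```python
"""Monitoring-period detections: flag any authentication with a departed
employee's identity after their offboarding time, and any use of a shared
account from an unexpected source IP or outside working hours.
Added example, not from the article; the log records are constructed."""
import json
from datetime import datetime, timezone

# Offboarding timestamps (UTC) from HR / the IdP. Constructed sample data.
DEPARTED = {"jdoe": datetime(2026, 3, 1, 17, 0, tzinfo=timezone.utc)}
# Shared accounts not yet rotated, each with the source IPs expected to use it.
SHARED_ACCOUNTS = {"svc-backup": {"10.0.5.10"}}
WORK_HOURS = range(8, 18)  # 08:00-17:59 UTC; assumed policy

SAMPLE_LOG = """\
{"ts": "2026-03-01T16:45:00Z", "user": "jdoe", "src_ip": "10.0.2.7", "result": "success"}
{"ts": "2026-03-02T02:10:00Z", "user": "jdoe", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2026-03-03T09:00:00Z", "user": "asmith", "src_ip": "10.0.2.8", "result": "success"}
{"ts": "2026-03-03T10:00:00Z", "user": "svc-backup", "src_ip": "10.0.5.10", "result": "success"}
{"ts": "2026-03-04T23:30:00Z", "user": "svc-backup", "src_ip": "198.51.100.4", "result": "success"}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(log_text: str):
    """Return a list of (reason, record) alerts. Failed attempts count too:
    a former employee trying an old password is itself the indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts, user = _parse_ts(rec["ts"]), rec["user"]
        if user in DEPARTED and ts > DEPARTED[user]:
            alerts.append(("departed-identity-used", rec))
        elif user in SHARED_ACCOUNTS:
            if rec["src_ip"] not in SHARED_ACCOUNTS[user]:
                alerts.append(("shared-account-unexpected-ip", rec))
            if ts.hour not in WORK_HOURS:
                alerts.append(("shared-account-off-hours", rec))
    return alerts


if __name__ == "__main__":
    for reason, rec in detect(SAMPLE_LOG):
        print(f"{reason}: {rec['user']} from {rec['src_ip']} at {rec['ts']}")
```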

Vendor and Partner Notification

  • Notify key vendors and partners: If the employee was a primary contact for external vendors with access to your systems, notify those vendors to revoke their credentials as well.
  • Update emergency contact lists: Remove from on-call rotation documentation, emergency escalation lists, and vendor support portals.

The Cost of Getting This Wrong

The financial and legal consequences of inadequate offboarding are significant and well-documented:

  • A disgruntled developer with retained SSH access deleted a production database, costing a client $400,000 in downtime and forensic recovery.
  • A sales representative who downloaded the CRM database before departure took the company's customer list to a direct competitor — a breach that resulted in a multi-year trade secret litigation.
  • An IT administrator with retained admin credentials accessed the network 6 months post-departure, triggering a GDPR reportable breach and a €180,000 fine.

None of these scenarios required a sophisticated external attack. Each was a preventable access control failure.

Automating the Offboarding Process

For organizations with 50+ employees and frequent turnover, manual checklists are insufficient — they are error-prone and time-consuming. Consider:

  • Identity governance platforms: SailPoint, Saviynt, or Microsoft Identity Governance can automate access revocation across all connected applications, triggered by an HR system status change.
  • HRIS integration: Configure your HR system (Workday, BambooHR) to trigger automated IAM deprovisioning workflows on offboarding events.
  • Quarterly user access reviews: Independently of offboarding events, quarterly reviews of all privileged accounts and third-party SaaS access catch orphaned accounts left behind by earlier offboardings that were not fully completed.
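The core of a user access review is reconciling what IAM says is enabled against what HR says is employed. This added example (not the article's or any vendor's code) does that over constructed HR and IAM exports: it reports accounts still enabled for terminated people, enabled accounts that match no HR record at all, and service accounts whose named owner has left. The field names are assumptions, not a specific product's schema.

```python
"""Quarterly access review: reconcile an IAM user export against the HR
roster to find orphaned accounts (enabled in IAM, no longer active in HR),
accounts with no HR record, and service accounts whose owner has left.
Added example, not from the article; records and field names are
constructed assumptions rather than a vendor schema."""

HR_ROSTER = [  # from the HRIS (constructed)
    {"email": "Alice@Example.com", "status": "active"},
    {"email": "bob@example.com", "status": "terminated"},
]

IAM_USERS = [  # from the IdP / cloud IAM export (constructed)
    {"username": "alice@example.com", "enabled": True, "type": "user"},
    {"username": "bob@example.com", "enabled": True, "type": "user"},
    {"username": "carol@example.com", "enabled": True, "type": "user"},   # no HR record
    {"username": "dave@example.com", "enabled": False, "type": "user"},  # already disabled
    {"username": "svc-etl", "enabled": True, "type": "service", "owner": "bob@example.com"},
    {"username": "svc-ci", "enabled": True, "type": "service", "owner": "alice@example.com"},
]


def review(hr_roster, iam_users):
    """Return {finding: [usernames]} for the three conditions reviewers chase."""
    active = {p["email"].lower() for p in hr_roster if p["status"] == "active"}
    known = {p["email"].lower() for p in hr_roster}
    findings = {"orphaned": [], "unknown_owner": [], "service_owner_departed": []}
    for u in iam_users:
        if not u["enabled"]:
            continue  # already deprovisioned; nothing to do
        if u["type"] == "service":
            # A service account with no owner, or an owner who has left, needs a new owner.
            if u.get("owner", "").lower() not in active:
                findings["service_owner_departed"].append(u["username"])
            continue
        name = u["username"].lower()
        if name in active:
            continue
        if name in known:
            findings["orphaned"].append(name)       # HR says gone, IAM says enabled
        else:
            findings["unknown_owner"].append(name)  # never matched to a person
    return findings


if __name__ == "__main__":
    for finding, names in review(HR_ROSTER, IAM_USERS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```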

If you need help auditing current access or building an automated offboarding workflow, contact Cyberlord. We perform User Access Reviews to identify dormant and orphaned accounts before they become insider threat vectors.


Frequently Asked Questions

What is the most common insider threat after an employee departs? Based on forensic investigation data, the most common scenarios are: (1) use of retained cloud service credentials (GitHub, AWS, SaaS tools not covered by SSO), (2) data exfiltration before departure via personal email or cloud storage, and (3) use of shared passwords that were not rotated after departure.

How long should I monitor for residual access attempts after an employee departs? Minimum 90 days. High-risk departures (involuntary terminations, employees with significant data access, departures to direct competitors) warrant 6–12 months of monitoring.

What should I do if I discover a former employee still has access? Immediately revoke the access, preserve logs of all activity during the unauthorized access period, assess whether any data was accessed or exfiltrated, and consult legal counsel before contacting the former employee. If data was accessed without authorization, this may constitute a reportable breach under GDPR, HIPAA, or state privacy laws.