Employee Offboarding Security Checklist: How to Prevent Insider Threats (2026)
David Plaha
When an employee leaves your company—whether voluntarily or involuntarily—it is a point of maximum vulnerability. In fact, research shows that over 20% of data breaches involve an insider, often a disgruntled former employee who retained access they should have lost.
As a cybersecurity specialist who has conducted countless forensic investigations, I have seen the damage a single forgotten "admin" account can cause. A former IT manager logs in three months later to "check something," or a sales rep downloads the entire client database before their last day.
This Employee Offboarding Security Checklist is designed to close those gaps. It bridges the divide between HR and IT to ensure that when an employee walks out the door, your data stays in.
The "Day Zero" Critical Actions
These steps must happen immediately at the moment of termination or resignation acceptance.
1. The "Kill Switch" (Identity & Access Management)
- Disable Single Sign-On (SSO): If you use Okta, Azure AD, or Google Workspace, suspend the user immediately. This should propagate to connected apps (Slack, Salesforce, Zoom).
- Reset Active Directory Password: Change the password and force a session logout for all devices.
- Revoke VPN Access: Disable their certificate or remove them from the VPN user group to prevent remote network access.
2. Device Containment
- Remote Wipe Mobile Devices: If they used a company phone (or BYOD with MDM), initiate a corporate data wipe immediately.
- Lock Company Laptop: If you have management agents installed (Intune, Jamf), issue a remote lock command.
Physical & Hardware Security (Day 1-3)
3. Asset Recovery
- Collect Hardware: Laptop, phone, security keys (YubiKey), and building access cards.
- Verify Accessories: Don't forget external hard drives or specialized dongles that may contain sensitive data.
4. Physical Access Revocation
- Deactivate Badge/Keycard: Remove their serial number from the building security system.
- Change Codes: If they knew shared alarm codes or server room pin codes, these must be rotated.
The "Silent" Digital Access (Often Forgotten)
This is where 90% of companies fail. Former employees often retain access to "shadow IT" accounts that weren't connected to SSO.
5. Shared Accounts & Social Media
- Change Shared Passwords: Did they have access to the corporate Twitter, LinkedIn, or a shared
support@email inbox? Rotate those passwords immediately. - API Keys & Developer Secrets: If they were a developer, did they have personal API keys or access to AWS root credentials? Rotate critical keys. This is a common backdoor.
6. Third-Party SaaS Audit
- Review Independent Accounts: Check for services like Canva, Trello, or specialized marketing tools where they might have created an account using their work email but set a separate password.
- Transfer Data Ownership: Ensure their Google Drive / OneDrive files are transferred to a manager before deleting the account.
The Legal & Compliance Layer
7. Non-Compete & NDA Reminder
- Exit Interview: HR should formally remind them of their Intellectual Property (IP) obligations and confidentiality agreements.
- Data Return Attestation: Have them sign a document stating they have not kept copies of company data on personal devices or cloud storage.
Why This Matters: The Cost of Inaction
We recently handled a case where a terminated developer kept his SSH keys. Two weeks later, he deleted the production database. The recovery cost the company $400,000 in downtime and forensics.
Don't rely on trust. Rely on process.
Need a Security Audit?
If you are worried that former employees might still have access to your network, or if you need help automating this checklist, contact Cyberlord today. We can perform a full User Access Review to identify and close dormant accounts before they become insider threats.
employee offboarding security checklist guide overview
Key decisions, risks, and implementation actions for employee offboarding security checklist guide.