When an employee leaves, most businesses remember to collect keys, laptops, uniforms, or badges. Digital access is easier to overlook — and often more dangerous.
Former employee accounts can remain active in email, cloud storage, payroll systems, vendor portals, Wi-Fi, remote access tools, and line-of-business applications. Even if the former employee has no bad intent, an unused account can become an easy entry point for attackers.
Why old accounts are dangerous
Every active account is a door into your business. If an account belongs to someone who no longer works there, nobody may notice when it is used suspiciously.
Old accounts create several risks. Former staff may still be able to access confidential files or email. Attackers may compromise an unused account because the password was reused elsewhere. Shared accounts also make it difficult to know who performed an action.
The issue is especially common in growing businesses where access is granted quickly but removed informally.
Old accounts also create a visibility problem. If nobody is using the account day to day, suspicious login alerts may be ignored or missed entirely. An attacker can use that quiet access to read email, download files, create forwarding rules, or impersonate the former employee in conversations with customers and vendors.
What should happen when someone leaves
The best time to remove access is immediately when employment ends. That requires a repeatable checklist, not a memory test.
At minimum, offboarding should disable email and user accounts, remove access to cloud storage and business applications, revoke remote access, remove MFA devices, rotate shared passwords, recover company devices, and transfer ownership of important files or calendars.
Admin accounts and shared passwords
Some employees have more access than others. Owners, managers, finance staff, office administrators, and IT vendors may have administrative access to systems that affect the entire business.
Admin accounts should be limited, documented, and reviewed frequently. If a former employee had admin rights, simply disabling their email is not enough. Check domain registration, DNS, website tools, accounting platforms, backups, social media, and cloud admin consoles.
Shared passwords make offboarding harder. If a password was shared, rotate it when staff changes occur. Better yet, move toward individual accounts and a password manager so access can be removed cleanly.
Vendor and cloud app access
Former employee risk is not limited to W-2 staff. Contractors, temporary workers, outsourced bookkeepers, marketing vendors, and IT providers may also have access to business systems.
Vendor access should be reviewed regularly. Ask which vendors have logins, whether they still need access, whether MFA is enabled, and whether access is limited to the systems they support.
Cloud applications deserve special attention because many are outside the normal company network. A former employee may still have access to CRM records, scheduling tools, project management software, file-sharing platforms, or social media accounts even after their computer account is disabled. That is why offboarding should include a list of business applications, not just email.
How often to review users
Most small businesses should review user access at least quarterly. Review sooner after staff turnover, vendor changes, software migrations, or security incidents.
A simple review can be enough: export active users from email, cloud storage, and key business systems; compare the list to current staff and active vendors; disable accounts that no longer belong; and document what changed.
Do not forget privileged access. Admin accounts, billing owners, backup administrators, website administrators, and security tool administrators should be checked separately. These accounts can change settings, delete data, or create new users, so they deserve tighter control than ordinary user accounts.
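The review described above can be scripted. The following is an added example, not part of the original article: it compares user exports from several systems against a roster of current staff and active vendors, lists enabled accounts that no longer belong, and lists privileged accounts separately. The CSV column names, role labels, and sample addresses are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names (email, enabled, role) are
# assumptions, so map them to whatever each system's user export produces.
EXPORTS = {
    "email": "email,enabled,role\n"
             "Ana@example.com,true,user\n"
             "bo@example.com,true,admin\n"
             "former@example.com,true,admin\n"
             "old.temp@example.com,false,user\n",
    "cloud_storage": "email,enabled,role\n"
                     "ana@example.com,true,user\n"
                     "former@example.com,true,user\n"
                     "bookkeeper@vendor.example,true,user\n",
}
# Current staff plus active vendors (constructed).
ROSTER = {"ana@example.com", "bo@example.com"}
PRIVILEGED_ROLES = {"admin", "owner", "billing"}  # assumed role labels


def normalize(email):
    """Case and stray whitespace differ between exports; compare canonical form."""
    return email.strip().lower()


def review_access(exports, roster, privileged_roles=PRIVILEGED_ROLES):
    """Return (to_disable, privileged) as sorted lists of (system, email, role)."""
    roster = {normalize(e) for e in roster}
    to_disable, privileged = [], []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            if row["enabled"].strip().lower() != "true":
                continue  # already disabled; nothing to act on
            email, role = normalize(row["email"]), row["role"].strip().lower()
            entry = (system, email, role)
            if email not in roster:
                to_disable.append(entry)
            if role in privileged_roles:
                privileged.append(entry)  # reviewed separately, even if on the roster
    return sorted(to_disable), sorted(privileged)


if __name__ == "__main__":
    stale, admins = review_access(EXPORTS, ROSTER)
    for system, email, role in stale:
        print(f"DISABLE    {system:14} {email} ({role})")
    for system, email, role in admins:
        print(f"PRIVILEGED {system:14} {email} ({role})")
```

Saving the printed output with the review date covers the "document what changed" step.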
A simple offboarding checklist
- Disable email and cloud accounts the same day employment ends.
- Remove access from business software and vendor portals.
- Revoke VPN, remote desktop, and device management access.
- Recover or wipe company devices.
- Rotate shared passwords the person may have known.
- Transfer ownership of files, calendars, and mailboxes.
- Review admin accounts separately.
- Document the completed steps.
How Affinity Tech Solutions can help
Affinity Tech Solutions helps Central Florida businesses clean up user access, improve offboarding, and put practical account management processes in place. If you are not sure who still has access to your business systems, now is the right time to find out.
Frequently Asked Questions
How quickly should former employee accounts be disabled?
Ideally, accounts should be disabled the same day employment ends. For sensitive roles, access should be removed immediately at the time of departure.
Should we delete former employee accounts?
Often, disabling is safer than immediate deletion because you may need to preserve email, files, or audit history. After data is transferred and retention needs are reviewed, accounts can be removed according to policy.
What if we use shared accounts?
Shared accounts should be minimized. If they cannot be eliminated immediately, rotate passwords when staff changes occur and move toward individual accounts over time.
