🔐 Cybersecurity

Employee IT Offboarding: The Security Checklist Small Businesses Skip in 2026

83% of former employees still have active accounts after they leave. Here's the exact checklist every small business and childcare center needs to follow from day one.

By · · 9 min read

Most small business owners think about cybersecurity in terms of outside threats — hackers, phishing emails, ransomware. What they overlook is the gap that opens up every time someone leaves the company. That gap is just as dangerous, and far more preventable.

When an employee resigns or is terminated, the IT clock starts ticking. Every hour their accounts stay active is an hour of unnecessary exposure. Multiply that across the average small business — where staff turnover is common and IT processes are informal — and the risk adds up fast.

The numbers are sobering. According to 2025-2026 research across thousands of organizations, 83% of former employees retain access to company accounts after their departure. In the same period, approximately 60% of corporate data breaches were linked to accounts that remained active after the employee had already left. These aren't sophisticated nation-state attacks. They're open doors that nobody remembered to close.

Why offboarding is a security event, not just an HR task

Most small businesses treat employee departures as a paperwork and payroll problem. The HR side gets handled; the IT side gets forgotten until something goes wrong. The reality is that the moment an employee gives notice — or gets terminated — your exposure to data loss and unauthorized access jumps significantly.

Research shows that 70% of intellectual property theft happens in the 90 days before an employee resigns. By the time they hand in their key fob, the sensitive data may already be gone. This makes departure-day access revocation necessary but not sufficient. You also need to watch for unusual data transfers (large email attachments, unexpected downloads to personal storage) in the weeks before a known departure.

Then there's the post-departure window. Even employees who leave on good terms may still have active credentials months later — not because anyone intended it, but because nobody had a process to check. For a childcare center with five staff members and twenty different apps, that means five former employees potentially able to log into parent communication platforms, financial software, and child records systems.

The cost of getting this wrong: The average annual cost of insider-related incidents to a single organization reached $19.5 million in 2026, up 12% from the year prior. Once an insider incident occurs, it takes an average of 67 days to contain — and 53% of organizations say insider threats are harder to detect than external attacks.

The 7-step IT offboarding checklist

These steps apply whether an employee is resigning on good terms or being let go unexpectedly. The order matters — start at the top and work down.

Step 1: Disable the primary account first

If your business uses Microsoft 365, Google Workspace, or any centralized identity platform, disable the user account there first. This is the single most important action. When done correctly, a Microsoft Entra ID (formerly Azure AD) account disable cascades immediately — the former employee loses access to email, Teams, SharePoint, OneDrive, and every app that uses Microsoft sign-in in one step. Do this before the employee leaves the building, not after.

Step 2: Revoke access to every cloud application individually

Even with a centralized identity platform, some apps authenticate independently. Build a list of every tool your team uses — your CRM, accounting software, parent communication apps, project management tools, social media accounts, payroll systems, and any subscriptions tied to a specific employee's email. Log into each one and remove that person's access. This list should be maintained as a running document so you're not guessing on departure day.

Don't forget browser-saved passwords. If a departing employee used a shared browser profile or saved company credentials in their own browser, those credentials persist even after their accounts are deactivated. Change the passwords on any account they may have saved.

Step 3: Rotate every shared password the employee knew

Shared passwords are an offboarding landmine for small businesses. Team email inboxes, social media accounts, vendor portals, the alarm system code, the building Wi-Fi password — these are all shared credentials that a departing employee may have memorized or written down. Every shared password that person had access to needs to be changed on departure day. Not the next week. That day.

Real example: A preschool in Ventura let a classroom aide go after a staffing dispute. Three weeks later, parents started receiving unsolicited messages from a Facebook account the school ran — the former employee still had the login. The situation required a public response, damaged trust with families, and took weeks to fully contain.

Step 4: Recover company devices and issue remote wipes if needed

Collect laptops, phones, tablets, and any USB drives or security tokens issued to the employee. If they work remotely and the device can't be returned immediately, initiate a remote wipe from your MDM console. This erases company data from the device before the employee has time to copy or misuse it. Without MDM, you have no remote wipe capability — the device either comes back or the data on it is permanently out of your control.

Step 5: Transfer critical data and document ownership

Before disabling the account entirely, export or forward any business-critical data tied to that user. This includes their email inbox (forward to a manager or set an auto-reply), any documents they owned in shared drives, and any active client or project notes only they could access. In Microsoft 365, you can convert their mailbox to a shared mailbox for a limited period so the team can access historical correspondence without keeping the account live. Failing to do this often creates worse business disruption than the security risk itself.

Step 6: Revoke physical access

Deactivate key fobs, door codes, and any building access credentials the same day the employee leaves. If your business uses a cloud-managed access system, this takes about 30 seconds. If you're still using physical keys, re-key affected locks if the employee kept a copy. For childcare centers, this also means removing the individual from visitor management systems and parent pickup authorization records if they were listed as an authorized contact in any personal capacity.

Step 7: Create a written offboarding record

Document every action: what access was revoked, by whom, and when. Note which devices were returned and which were wiped remotely. Keep this log as part of your HR file for the departing employee. This documentation protects you in three scenarios — a future data breach investigation, a California CCPA audit that asks about access controls, and any legal dispute with the former employee about data misappropriation.

Why childcare centers face extra risk at staff turnover

Early childhood education has one of the highest staff turnover rates of any industry — national estimates consistently place annual turnover above 30%. For a director managing a team of 8-12 staff members, that can mean processing two or three departures in any given quarter.

The data these employees have access to is unusually sensitive: children's enrollment records, family contact details, health and medication notes, custody and pickup authorization documents, and in many cases photos of children taken during the school day. Parent communication apps like Brightwheel, HiMama, and Tadpoles store all of this and often grant staff accounts that are provisioned with the employee's personal phone number — making account recovery more complicated after departure.

California's Title 22 regulations and CCPA both require childcare operators to maintain appropriate security controls over children's records. Failing to revoke a former employee's access to a child's records isn't just a security failure — it's a potential compliance violation. Document your offboarding process and keep the records.

The right way to handle this: automate your offboarding process

A manual checklist works, but it depends on someone remembering to run it every time, under the stress of managing a departure. The businesses that handle this best automate the process so that deprovisioning happens automatically when HR marks an employee as terminated in the system.

A properly configured Microsoft 365 environment with Entra ID as the identity hub makes this far simpler. When IT disables the user in Entra ID, access to every Microsoft-connected application is cut off instantly. MDM policies ensure that company devices can be wiped remotely and that data cannot be copied to personal storage while an employee is still active. Conditional Access policies block account logins from unmanaged devices — so even if a former employee has their credentials cached somewhere, an unrecognized device is blocked.

For small businesses and childcare centers, EDCON's Employee Lifecycle Hub — built inside Microsoft Teams — formalizes this entire workflow. Offboarding tasks are assigned to the right people automatically, completion is tracked, and an audit log is created without anyone having to remember the checklist. The system handles both IT and HR offboarding steps in one coordinated process, which is particularly useful for small teams where the same person is often handling both.

Don't forget contractors and part-time staff

The 83% statistic about retained access is even worse when you look specifically at contractors and part-time workers. Their offboarding tends to get skipped entirely — there's no formal termination meeting, HR doesn't always get involved, and the person just stops showing up. But the accounts they were provisioned remain active indefinitely.

Treat every contractor and part-time hire the same way you treat a full-time employee at the access level. If they had an email account, an app login, or a key fob, those get deactivated on their last day. Add a quarterly review to your calendar to audit every active account in your systems and verify that each one belongs to a current employee. This audit regularly surfaces forgotten accounts that nobody deactivated — a security problem you didn't know you had.

How EDCON handles IT offboarding for small businesses

EDCON works with small businesses and childcare centers in Southern California to build offboarding processes that are practical and repeatable. Most of our clients come to us after a close call — a former employee who still had access, a device that went missing, a shared password that wasn't changed in time. We help them get ahead of it before the next departure creates a problem.

For businesses already on Microsoft 365, we configure Entra ID as the single point of access control, connect all business applications to single sign-on, and set up Conditional Access policies that enforce additional verification from unmanaged devices. When an employee leaves, disabling one account takes care of most of the access removal automatically. The remaining manual steps — shared passwords, physical access, app-by-app cleanup — are handled through a structured offboarding checklist built into the Employee Lifecycle Hub.

For clients using MDM, we configure remote wipe capabilities for every company-owned device at enrollment, so the option is always available on departure day. We also help businesses conduct quarterly access audits to catch forgotten accounts before they become a problem.

The goal isn't to build a complex system — it's to make the right actions easy enough that they actually happen every time, regardless of who's handling the departure or how chaotic that week is.

Frequently asked questions

How quickly should you revoke a departing employee's access?

Critical access — email, VPN, company identity provider, and any system with financial or sensitive data — should be disabled on the employee's last day, ideally within the hour they leave. Non-critical app access and shared password rotations should be completed within 24 hours. The longer accounts remain active, the greater your exposure.

What if a departing employee has a company device and won't return it?

If you have MDM in place, issue a remote wipe from your management console. This erases company data from the device even if it's off-site and the employee isn't cooperating. Without MDM, your options are limited — you cannot guarantee that business data on that device is protected. This is one of the most important reasons to have MDM before you need it, not after.

Do small businesses have a legal obligation to document IT offboarding?

In California, CCPA requires documented access controls for businesses handling personal data, and that includes evidence of timely access revocation. Childcare centers regulated under Title 22 are expected to maintain documented security procedures over children's records. Outside of formal compliance requirements, an offboarding log also protects you if a former employee later disputes data misappropriation claims, or if your cyber insurer asks about access controls.

What about contractors, part-time staff, and volunteers?

Their offboarding gets skipped most often and the access they hold can be just as broad as a full-time employee's. Anyone provisioned with an account — email, shared drives, parent communication apps, security systems — needs to go through the same offboarding steps. Treat their departure the same way you would a full-time employee's, and add a quarterly account audit to catch any that were missed.

How does MDM help with employee offboarding?

MDM lets you remotely wipe or lock company devices the moment an employee leaves, even if the device is off-site. It also enforces policies that prevent employees from copying sensitive data to personal storage while still employed. Combined with a centralized identity platform like Microsoft Entra ID, MDM lets you cut both physical device access and application access in a single coordinated workflow.

Ready to make offboarding airtight at your business?

EDCON helps small businesses and childcare centers in Southern California build repeatable IT offboarding processes — from MDM configuration and Microsoft 365 identity management to structured checklists that run themselves. Book a free consultation and we'll walk through your current setup and identify the gaps.

Book a Free Consultation