When an employee leaves your company, they take institutional knowledge with them. The question is whether they also take your data. We’ve handled offboarding for hundreds of employees across our client base in Central Florida, and the pattern is consistent: businesses without a formal IT offboarding process almost always have data exposure they don’t know about.
The Risks Are Real and Common
A departing employee who downloads client lists before their last day. A salesperson who exports your entire CRM to a personal spreadsheet. A disgruntled team member who deletes shared files. An employee who simply keeps access to business email and cloud storage because nobody revoked it.
These aren’t hypothetical scenarios. Research shows that 70% of employees who steal data do so within 90 days of their resignation. And most businesses don’t discover the theft until long after the employee is gone, if they discover it at all.
The IT Offboarding Checklist
A proper IT offboarding should happen the moment an employee’s departure is confirmed, not on their last day. Here’s the sequence that works:
Before the employee’s last day: Begin monitoring for unusual data access patterns. Large downloads, bulk email forwarding, or USB drive usage should trigger an immediate review. Check audit logs in Microsoft 365 or Google Workspace for unusual file access volume. This isn’t about distrust; it’s about protecting business assets.
On the last day, within the first hour after departure:
- Disable all user accounts: email, VPN, cloud applications, CRM, financial systems, and any third-party SaaS tools
- Change any shared passwords the employee had access to (Wi-Fi, admin portals, shared logins)
- Revoke OAuth tokens and third-party app connections tied to their account
- Convert their email to a shared mailbox so their replacement can access client correspondence
- Transfer ownership of files, emails, and shared resources to their manager or replacement
- Collect and remotely wipe company devices (laptops, phones, tablets)
- Remove the user from all distribution lists, Teams channels, and shared mailboxes
- Disable their building access badge and any physical access credentials
Data Retention After Departure
Don’t delete a departed employee’s account immediately. Most businesses need to retain their data for at least 90 days, and some industries require longer retention. Healthcare organizations under HIPAA may need to keep records for six years. Legal firms often retain indefinitely for matters they worked on.
In Microsoft 365, convert the mailbox to a shared mailbox (this frees up the license) and place the account on litigation hold if there’s any possibility of legal proceedings. Archive their OneDrive files to a manager’s account or a shared archive. Document everything you did and when, creating a paper trail that protects your business if questions arise later.
Prevention Starts Before Anyone Leaves
The best protection against data theft at departure is access control implemented from day one. Give employees access only to the data they need for their specific role. Use Microsoft 365 sensitivity labels to prevent confidential documents from being downloaded or forwarded. Monitor for unusual file access patterns throughout employment, not just at the end.
Have employees sign an acceptable use policy when they’re hired that clearly states company data belongs to the company and outlines the consequences of data theft. This won’t stop a determined bad actor, but it establishes the legal framework you need if you discover data was stolen.
If your business doesn’t have a documented IT offboarding process, now is the time to create one. It takes an hour to set up and can save you from a data breach that costs tens of thousands of dollars. We build offboarding procedures for our managed IT clients as part of their onboarding with us, and we’ve seen the difference it makes when that first departure happens.
