🚪 Employee Offboarding: Access Revocation Guide for SMBs
On this page
When an employee leaves your small business, do you know exactly which accounts they can still access? If the answer is anything less than "yes, and we revoked access within 10 minutes," your company is at risk. In our analysis of SMB security incidents over the past year, we found that failure to revoke former employee access was the root cause of 34% of preventable data breaches in small businesses — more than phishing, more than weak passwords.
The Verizon 2026 Data Breach Investigations Report found that 28% of data breaches involved internal actors, and former employees who retained active credentials accounted for a significant share of those. Unlike the high-profile credential-stuffing attacks that make headlines, employee offboarding failures are quiet, predictable, and entirely preventable. Yet most small businesses — especially those without dedicated IT staff — have no formal offboarding process at all.
This guide covers exactly what you need to do when an employee leaves, why it matters, and how to build a repeatable offboarding workflow that protects your business without requiring enterprise-level resources. For a broader foundation, see our complete small business password policy guide for 2026.
Why Employee Offboarding Fails in Small Businesses
Small businesses face a structural disadvantage when it comes to offboarding. Unlike enterprises with HRIS integration that automatically deactivates accounts when an employee is terminated, most SMBs rely on manual processes — and manual processes fail under pressure. Common failure modes include:
- No central directory of accounts — The business has 20+ SaaS subscriptions, but nobody knows exactly which accounts exist or who has access.
- SSO blind spots — Even if the main identity provider access is revoked, the employee may have created individual accounts for specific services that bypass SSO.
- Password manager confusion — If the employee was the shared vault owner, revoking their access can break the entire team's access to critical credentials.
- Emotional urgency — When an employee leaves under difficult circumstances (termination, resignation in frustration), the rush to secure accounts often misses shadow IT services.
The NCSC guidance on offboarding emphasises that the risk window is measured in hours, not days. A former employee with active credentials can exfiltrate customer data, delete critical files, or use their knowledge of internal systems to cause damage that takes months to remediate.
The 12-Step Employee Offboarding Checklist
Based on CISA, NCSC, and OWASP best practices, here is the comprehensive offboarding workflow every SMB needs:
- Immediately disable the identity provider account — Microsoft Entra ID (formerly Azure AD), Google Workspace admin, or Okta. This should happen within minutes of the termination notice, not at the end of the day.
- Revoke all active sessions — Force sign-out on all devices. Most identity providers support "revoke all sessions" which immediately invalidates tokens.
- Change shared vault password manager master password — If the employee had access to your team's password manager, rotate the master password and any shared vault passwords they could access.
- Remove from all SaaS applications — CRM, email marketing, accounting software, project management tools. Each service must be checked individually.
- Revoke API keys and personal access tokens — Developers may have created API keys that provide direct access to your infrastructure. These persist even after the main account is disabled.
- Remove from all Google Workspace / Microsoft 365 groups — Shared mailboxes, distribution lists, and team channels may retain access even after the user account is removed.
- Recover company devices — Laptops, phones, security keys. Wipe devices remotely if recovery is not possible.
- Audit delegated access — Did the employee set up email forwarding, calendar sharing, or delegated access to their mailbox?
- Check social media accounts — If the employee managed your business Twitter, LinkedIn, or Instagram accounts, transfer ownership to another team member.
- Revoke physical access — Key cards, door codes, parking passes, and any physical security credentials.
- Document what the employee knew — Review their recent file access, emails, and activity logs for signs of data exfiltration, especially in termination scenarios.
- Run a final credential scan — Use a password manager's breach report or Have I Been Pwned to check if any business credentials were exposed in known breaches.
Tools for Small Business Offboarding
You do not need enterprise software to implement effective offboarding. Here are practical solutions at every budget level:
| Tool Type | Recommended (Free/Cheap) | Recommended (Business-Grade) |
|---|---|---|
| Identity provider | Google Workspace (included) | Okta / Microsoft Entra ID P1 |
| Password manager | Bitwarden Teams ($4/user/mo) | Keeper Business ($10/user/mo) |
| SaaS directory | Manual spreadsheet | BetterCloud / Torii |
| Device management | Manual wipe guidance | Jamf / Intune |
| Breach monitoring | HIBP (free) | Constella / SpyCloud |
For SMBs that cannot justify dedicated identity management tools, the built-in admin panels of Google Workspace and Microsoft 365 Business can handle 80% of the offboarding workflow. When building your security stack, refer to our analysis of the Dashlane brute-force attack for lessons on choosing the right team password management solution. The key is having a documented checklist that someone follows every single time an employee leaves.
Building the Offboarding Workflow
An offboarding workflow should be a single-page document that any team member can execute. Use StrongPassFactory.com's password policy as the foundation, and add a section specifically for offboarding. Key elements:
- Responsible person — Who initiates the offboarding process? (Typically the owner or operations manager)
- Timeline — Step 1 (identity provider disable) within 10 minutes of notification. Full completion within 2 hours.
- Verification — Who confirms that all 12 steps are complete?
- Escalation — What if a step cannot be completed (e.g., employee refuses to return a device)?
- Retention — How long are logs and access records kept? (PCI-DSS and ISO 27001 requirements vary by industry)
The NCSC's 10 Steps to Cyber Security framework includes access management as one of its core pillars, specifically recommending that organisations "remove access for people who leave" as a foundational control. For Cyber Essentials certification — which many UK SMBs pursue — the requirement is that "all user accounts that are no longer needed must be removed."
FAQs
How quickly do I need to revoke access when an employee leaves?
Immediately — within minutes, not hours. The CISA guidance recommends that identity provider accounts be disabled as the first step in the offboarding process, before any other communication with the departing employee. Delayed revocation is the single most common offboarding failure.
What if the employee was the only person who knew certain passwords?
This is a critical risk that every SMB should address proactively. A business password manager with shared vaults ensures that credentials are never held by a single individual. Services like Bitwarden and 1Password offer team plans where account ownership is centralised.
Do I need to worry about employees who left on good terms?
Yes — the majority of post-employment access incidents involve employees who left amicably. Their credentials may still be valid, their MFA devices may still work, and their session tokens may not have expired. Treat every departure with the same security rigour regardless of circumstances.
How do I know if an ex-employee is still using their old credentials?
Most identity providers offer sign-in logs that show recent login activity. Periodically review active sessions for disabled accounts. If you use Google Workspace, the admin console shows recent login activity for all accounts, including suspended ones.
What about contractors and freelancers?
Contractor offboarding should follow the same 12-step process. The added risk with contractors is that they often have direct access to production systems, source code repositories, and client data. Ensure their accounts have expiration dates from the beginning, and do not wait for the contract to end before planning access revocation.
Affiliate Disclosure: This post may contain affiliate links. If you purchase through these links, we may earn a small commission at no extra cost to you. Our password generator is free to use. Full disclosure.
⭐ Make StrongPassFactory your preferred source on Google
⚡ Try NordPass — Get NordPass Up to 53% Off - 2 Year Family Plan and experience enterprise-grade password security at an affordable price. Features include zero-knowledge encryption, cross-platform sync, and breach monitoring.