Somewhere in your environment right now, there's an active account belonging to someone who hasn't worked for you in months, possibly years. They can still log in to email, access shared drives, reach client records, and connect to systems that should have been locked the day they left. The access persists because nobody checked.
Access That Outlives Employment
When an employee leaves a business, whether voluntarily or not, the administrative tasks are familiar. Collect the keys, return equipment, process final payroll, update the org chart. Revoking digital access is a step that's most often missed, delayed, or done incompletely.
The cause is usually a lack of process rather than negligence. In most small and mid-sized businesses, there's no formal offboarding checklist that covers every system, application, and credential the departing employee touched. The person handling the departure may disable the main email account but forget about the VPN connection, the cloud storage login, the shared password for the accounting software, the project management platform, or the remote desktop access.
A 2025 Wing Security study found that 63% of businesses have former employees who still have access to corporate data through SaaS applications that were never deprovisioned. An Oomnitza study found that 68% of organizations cannot confirm with certainty that all access has been revoked when an employee departs.
How Access Persists After Departure
The modern business grants access to far more systems than most firms realize. A single employee at a typical professional services or construction firm might touch a dozen or more platforms during their tenure:
- Shared credentials (Wi-Fi passwords, alarm codes, building access)
- Microsoft 365 (email, Teams, SharePoint, OneDrive)
- Cloud storage (Dropbox, Google Drive, Box)
- Remote access (VPN, remote desktop, site-to-site connections)
- Accounting platforms (QuickBooks, Sage, billing systems)
- Vendor platforms (supplier portals, ordering systems)
- Industry-specific tools (Procore, Clio, CCH, Autodesk)
When a firm disables the employee's primary email account but doesn't touch the other systems on this list, access persists across most of the environment. The employee's Dropbox still syncs. Their project management login still works. The VPN credentials they configured on a personal device still connect. The Ponemon Institute found that the average organization takes 116 days to fully deprovision a former employee's access across all systems, and businesses without a managed IT provider handling offboarding often never complete the process at all.
The Risk Isn't Just Disgruntled Employees
When businesses think about former employee access, the mind goes to worst-case scenarios. A terminated employee sabotaging systems, stealing client lists, or deleting files in revenge. Research from the DTEX i3 team found that 76% of insider threat incidents involved employees who had already given notice or been terminated, with data theft being the primary objective.
The more common risk is exposure. A former employee's still-active credentials get exposed in an unrelated data breach, an attacker finds those credentials on the dark web, and the account works because nobody disabled it. IBM's 2025 data shows that compromised credentials remain the most common initial access vector across all breaches. Dormant accounts make particularly useful targets because they generate no legitimate activity that would flag suspicious use.
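As an added example (not code from the original article), the following PowerShell function does the reconciliation that finds the accounts described in the two sections above: it matches an HR departure list against user exports from several systems and reports every account that is still enabled for someone who has left, including whether the account has signed in since the termination date, which is the signal that a dormant account is being used. The departure list and the three system exports are constructed sample data; in practice they come from `Import-Csv` of the HR report and each platform's user export.

```powershell
# Added example, not code from the original article. Reconciles a departure list
# from HR against per-system user exports and reports accounts that should have
# been disabled. All data below is constructed for the example.

$AsOf = Get-Date '2025-10-01'

# HR departure list: one row per former employee (constructed).
$Departures = @'
Email,Name,TerminationDate
jdoe@example.com,Jane Doe,2025-03-14
bsmith@example.com,Bob Smith,2025-08-29
'@ | ConvertFrom-Csv

# User exports from three systems (constructed). Enabled is the platform's own flag;
# LastSignIn is blank when the platform has no sign-in record for the account.
$M365 = @'
Email,Enabled,LastSignIn
jdoe@example.com,False,2025-03-13
bsmith@example.com,True,2025-09-30
'@ | ConvertFrom-Csv
$Dropbox = @'
Email,Enabled,LastSignIn
jdoe@example.com,True,2025-03-20
'@ | ConvertFrom-Csv
$Vpn = @'
Email,Enabled,LastSignIn
jdoe@example.com,True,
bsmith@example.com,True,2025-09-29
'@ | ConvertFrom-Csv

$SystemExports = [ordered]@{ 'Microsoft 365' = $M365; 'Dropbox' = $Dropbox; 'VPN' = $Vpn }

function Find-OrphanedAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Departures,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $SystemExports,
        [datetime] $AsOf = (Get-Date)
    )
    # Index departures by lower-cased email so matching is case-insensitive.
    $departed = @{}
    foreach ($d in $Departures) { $departed[$d.Email.ToLower()] = [datetime]$d.TerminationDate }

    foreach ($system in $SystemExports.Keys) {
        foreach ($acct in $SystemExports[$system]) {
            $key = $acct.Email.ToLower()
            if (-not $departed.ContainsKey($key)) { continue }   # still employed
            if ($acct.Enabled -ne 'True') { continue }           # already deprovisioned
            $term = $departed[$key]
            $last = if ($acct.LastSignIn) { [datetime]$acct.LastSignIn } else { $null }
            [pscustomobject]@{
                System           = $system
                Email            = $acct.Email
                DaysSinceLeaving = [int]($AsOf - $term).TotalDays
                LastSignIn       = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
                # A sign-in after the termination date means the account was used,
                # either by the former employee or by someone holding their credentials.
                UsedAfterLeaving = ($null -ne $last -and $last -gt $term)
            }
        }
    }
}

Find-OrphanedAccounts -Departures $Departures -SystemExports $SystemExports -AsOf $AsOf |
    Sort-Object UsedAfterLeaving, DaysSinceLeaving -Descending |
    Format-Table -AutoSize
```

With the sample data, Jane Doe's Microsoft 365 account was disabled correctly but her Dropbox and VPN accounts were not, and Dropbox shows a sign-in six days after her termination date; Bob Smith was never deprovisioned anywhere. The same pattern works for any platform that can export a user list with an enabled flag and a last-activity timestamp, and an empty result for a given system is the evidence an auditor will ask for.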
Compliance exposure follows the same pattern. The FTC Safeguards Rule requires firms to limit access to customer information to authorized employees. State privacy laws require that access to personal information be limited to those with a current business need. When a former employee retains access to client data, the firm has a control failure whether or not that access is ever used. The same gap creates problems during audits and insurance assessments. When an auditor asks how the organization manages access at termination, an undocumented process or active accounts belonging to former staff produce immediate findings, and insurers have denied cyber claims where the compromised account belonged to an employee who had left months before the incident.
The Numbers Behind the Problem
IBM's 2025 Cost of a Data Breach Report found that breaches involving stolen or compromised credentials, a category that covers dormant former-employee accounts, carry an average cost of $4.81 million and take the longest to identify and contain, at an average of 292 days. The Verizon 2025 DBIR found that privilege misuse and account compromise by insiders or former insiders show a median time-to-discovery substantially longer than external attacks, because the access looks legitimate.
Beyond breach costs, there's the matter of waste. Organizations pay for SaaS licenses assigned to people who no longer work there. Research from Zylo found that the average company wastes $5,500 per year per unused SaaS license, with departing employees responsible for a notable share of those orphaned subscriptions. For a firm with normal turnover, that adds up to thousands annually in licensing fees for accounts that should have been deactivated.
What a Proper Offboarding Process Looks Like
Effective offboarding eliminates the guesswork by starting with a running access inventory. Every time an employee is granted access to a system, it gets recorded, so when they depart, the inventory becomes the deprovisioning checklist. On the employee's last day, or at the moment of involuntary termination, primary accounts get disabled within hours rather than days, including email, directory services, VPN, and remote access. Disabling the account alone is not enough: sessions and refresh tokens already issued keep working until they expire or are revoked, so active sign-in sessions are revoked and the password is reset at the same time. From there, the team works through the access inventory and revokes every SaaS application, cloud platform, vendor portal, and internal system the employee touched, along with any OAuth connections, API tokens, and app registrations tied to the account.
Shared credentials get rotated next. Any password the departing employee knew, including shared logins, Wi-Fi passwords, alarm codes, and generic service accounts, is changed immediately. Mail forwarding rules, delegate access to the mailbox, and shared calendar access all get reviewed and removed. If the employee accessed company systems from personal devices, a Mobile Device Management (MDM) selective wipe removes company data and profiles while leaving personal content alone. A second person verifies that all of the above is complete, and the verification gets logged and retained for compliance purposes. For most professional firms, the departed employee's mailbox is converted to a shared mailbox or placed on litigation hold rather than deleted, preserving records while removing active access.
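As an added example that is not Connecting Point's runbook and not code from the original article, the following PowerShell script runs the Microsoft 365 portion of the checklist above using the Microsoft Graph PowerShell SDK and the Exchange Online Management module: disable and revoke, remove OAuth consents, clean up the mailbox and convert it to a shared mailbox on hold, retire Intune-managed devices, and write a log for the second-person verification. The UPN, the manager who receives the shared mailbox, and the hold duration are placeholders; the scopes listed are the delegated Graph permissions each step needs, and the account running the script must be able to consent to them.

```powershell
# Added example, not code from the original article. Microsoft 365 deprovisioning
# runbook. Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
# $Upn, $ManagerUpn and $HoldDays are placeholders (assumptions for the example).
param(
    [Parameter(Mandatory)] [string] $Upn,                 # e.g. 'jdoe@example.com'
    [string] $ManagerUpn = 'manager@example.com',        # receives the shared mailbox
    [int]    $HoldDays   = 2555                           # litigation hold, ~7 years
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
Connect-ExchangeOnline -ShowBanner:$false

$log = [System.Collections.Generic.List[string]]::new()
function Step([string]$Msg) { $log.Add("{0:u}  {1}" -f (Get-Date), $Msg); Write-Host $Msg }

# 1. Disable the account, invalidate refresh tokens, and rotate the password.
#    Access tokens already issued stay valid until they expire (about an hour by
#    default), which is why disabling alone does not end active sessions.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
$newPwd = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPwd; ForceChangePasswordNextSignIn = $true }
Step "Disabled $Upn, revoked sign-in sessions, rotated password"

# 2. OAuth consents the user granted to third-party apps. Removing the grant means the
#    app cannot obtain new delegated tokens even if the account is later re-enabled.
Get-MgUserOauth2PermissionGrant -UserId $Upn -All | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    Step "Removed OAuth grant $($_.Id) (scope: $($_.Scope))"
}

# 3. App registrations the user owns are reported, not deleted: the business may
#    still depend on them, and ownership should be reassigned by a human.
Get-MgUserOwnedObject -UserId $Upn -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.application' } |
    ForEach-Object { Step "REVIEW: owns app registration '$($_.AdditionalProperties.displayName)' ($($_.Id))" }

# 4. Mailbox: drop forwarding, forwarding/redirect inbox rules, delegates and Send As
#    rights, then convert to shared and place on hold instead of deleting.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Upn | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false; Step "Removed forwarding rule '$($_.Name)'" }
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and $_.User -ne $Upn } |
    ForEach-Object { Remove-MailboxPermission -Identity $Upn -User $_.User -AccessRights $_.AccessRights -Confirm:$false; Step "Removed $($_.AccessRights) for $($_.User)" }
Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    ForEach-Object { Remove-RecipientPermission -Identity $Upn -Trustee $_.Trustee -AccessRights SendAs -Confirm:$false; Step "Removed SendAs for $($_.Trustee)" }
Set-Mailbox -Identity $Upn -Type Shared
# A shared mailbox on litigation hold still needs a license that includes the hold feature.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays
Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $false | Out-Null
Step "Converted mailbox to shared, hold $HoldDays days, FullAccess granted to $ManagerUpn"

# 5. Devices: retire Intune-managed devices (removes company data and the management
#    profile, personal data on BYOD stays) and list Entra-registered devices for review.
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All | ForEach-Object {
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $_.Id
    Step "Retired managed device '$($_.DeviceName)' ($($_.OperatingSystem))"
}
Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object {
    Step "REVIEW: registered device '$($_.AdditionalProperties.displayName)' ($($_.Id))"
}

# 6. Group memberships, so the reviewer can confirm nothing still grants access through
#    a security group, Team or distribution list.
Get-MgUserMemberOf -UserId $Upn -All | ForEach-Object {
    Step "REVIEW: member of '$($_.AdditionalProperties.displayName)'"
}

# 7. Write the evidence the second-person verification and the auditor will ask for.
$log | Set-Content -Path ".\offboard-$($Upn -replace '[@.]','_')-$(Get-Date -Format yyyyMMdd).log"
```

The script covers only the Microsoft 365 tenant; the rest of the access inventory (Dropbox, QuickBooks, vendor portals, VPN appliances, alarm codes, Wi-Fi passwords) has to be worked through system by system, and the REVIEW lines in the log are deliberately left for the second person rather than automated, because deleting an app registration or a group the business still relies on would cause its own outage.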
How a Managed IT Provider Handles This
For businesses with an IT partner managing their environment, offboarding becomes a defined workflow triggered by a single request. The firm notifies the provider that an employee is departing, and the provider executes a documented deprovisioning process that covers every connected system, verifies completion, and confirms back to the firm.
The process runs the same way regardless of whether the departure is amicable or contentious, whether it happens on a Tuesday or a Friday evening, and whether the employee was there for six months or six years. For involuntary terminations, a managed provider can execute immediate lockout concurrent with the termination meeting, so the employee loses access before they leave the building.
If you're not confident that every former employee's access has been fully revoked, or you don't have a documented offboarding process across all your systems, a Network Discovery will identify active accounts, dormant credentials, and access that shouldn't exist.
Ready to take the next step? Contact the Connecting Point team today to discuss your organization's needs.
Fill out our Network Discovery Form to get started!
970.356.7224 | www.CPcolorado.com | sales@CPcolorado.com
Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.