Offboarding Is a Security Event: What Burbank Businesses Need to Know

Onboarding gets a checklist. Offboarding rarely does. When someone leaves an organization, the accounts, credentials, devices, and permissions they accumulated over their tenure are supposed to be reversed — and in most small and mid-sized businesses, they simply are not.

The result is access that outlives employment: dormant logins no one is watching, shared passwords no one rotates, and former employees who could still get in if they tried. For Southern California businesses handling regulated or sensitive data, that gap is not just untidy — it is a liability.

Overview

Every business has a process for bringing people in. Accounts get created, equipment gets issued, access gets granted. Far fewer have an equivalent process for the day someone leaves — and the day someone leaves is when the security stakes are highest.

Offboarding is the mirror image of onboarding, and it is routinely neglected. The access granted across months or years of employment is rarely unwound in full. Mailboxes stay open. Remote access credentials keep working. Shared logins continue unchanged. Subscriptions keep billing. The departing employee is gone, but their footprint remains — and a footprint nobody is watching is exactly the kind of gap that turns into an incident. Treating departures as a defined operational process, not an HR formality, is part of any mature managed IT practice.

The Challenge

A bookkeeper at an eight-person accounting firm gives two weeks' notice and leaves on good terms. HR processes the paperwork. Her desk is cleared. Everyone moves on.

What no one does is close her access. Her Microsoft 365 account stays active. The shared accounting-software login she used every day is unchanged. A payroll portal she set up two years earlier still lists her personal cell as the recovery number. Her laptop goes into a closet, still signed in, still syncing the firm's document library to its local drive.

Four months later, the firm's email is used to send a fraudulent invoice to a client. The investigation traces it to the bookkeeper's still-active account — reached from an unfamiliar location using a password she had reused on a personal site that was later breached.

She had nothing to do with it. Her credentials were simply still valid, still privileged, and no longer watched by anyone.

No malware was involved. No one broke in. A door that should have been locked on her last day was left open for sixteen weeks. This pattern is not rare. It plays out across legal offices, medical practices, and accounting firms throughout Southern California, and the common factor is never sophistication. It is the absence of a process.

Why It Matters

A departing employee's account is the most dangerous kind of attack surface: fully provisioned and completely unmonitored. While someone is employed, unusual activity on their account might be noticed. Once they leave, no one is looking — but the access is still live.

For Southern California SMBs, the exposure is compounded by conditions that are common across the region:

Orphaned accounts accumulate silently. Every account that is never disabled is a permanent entry point. Over years of staff turnover, a small business can carry dozens of dormant-but-active logins across email, line-of-business apps, and cloud platforms — each one a credential an attacker can target, or a former employee could still use.

Shared credentials cannot be individually revoked. When several people use one login for a tool or portal, a single departure should trigger a password change. It almost never does, because no one wants to disrupt the people still using it. This is closely tied to the unmanaged tools covered in Signal 0004 on shadow IT — you cannot revoke access to an account IT never knew existed.

Permissions outlive roles. People accumulate access as their responsibilities change, and that access is rarely trimmed back. By the time someone leaves, they may hold admin rights, mailbox delegations, and file permissions far beyond anything their final role required — all of which transfers intact to whoever, or whatever, reaches the account next.

For regulated organizations, the exposure is also a compliance one. A former employee with continued access to protected health information, client financial records, or privileged legal files is not just a security gap — it can be a reportable failure. Building offboarding into a documented compliance program is how financial services firms and other regulated businesses keep a routine departure from becoming an audit finding.

What Organizations Should Watch For

  • Accounts that stay active after the last day. Email, remote access, VPN, and line-of-business logins that are never disabled when someone departs.
  • Shared logins with no rotation plan. One password used by many people, never changed when one of them leaves.
  • Mailbox forwarding and delegation left in place. Auto-forwarding rules or shared-mailbox access that quietly route a former employee's mail — a direct extension of the inbox risks covered in Signal 0013.
  • Privileged access that was never downgraded. Admin rights or elevated permissions granted years ago and never reviewed.
  • Company data on personal devices. Phones and home computers still syncing email, files, or saved passwords after the relationship ends.
  • OAuth grants and app passwords. Third-party apps and tokens a departing user connected to company accounts, which survive a simple password reset unless they are explicitly revoked.
  • No record of what the person could access. If you cannot list it, you cannot close it — and most organizations cannot list it.

Recommended Actions

  • Keep an access inventory. Maintain a simple, current list of what each person can reach — accounts, systems, shared logins, and devices. You cannot offboard access you never tracked.
  • Use a written offboarding checklist tied to the departure date. The same discipline onboarding gets. Every item granted on the way in needs a corresponding step on the way out.
  • Disable on the last day — do not defer it. Disable accounts and reclaim mailboxes the moment access should end. Deletion and cleanup can follow; the lockout cannot wait.
  • Rotate shared credentials and revoke tokens. Change any password the departing person knew, and revoke app passwords, OAuth grants, and registered MFA devices. As Signal 0012 noted, MFA only protects you while the enrolled devices still belong to current staff.
  • Reclaim and wipe devices. Recover laptops and phones, confirm cloud sync is severed, and verify no local copies of company data remain.
  • Document completion. Record who closed what, and when. For legal, medical, and accounting firms, that record is the difference between a clean offboarding and an unanswerable question during an audit or dispute.
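The warning signs listed under "What Organizations Should Watch For" and the actions above reduce to one reconciliation: compare who has left (HR's departure dates) with what each person could reach (the access inventory) and flag anything still open after the last day. The Python below is an added example, not SecureLynx's tooling or any vendor's API; the record layout, field names, and the departure and inventory data are constructed assumptions standing in for an HR export and an inventory of accounts, shared logins, forwarding rules, OAuth grants and devices. It derives a per-person checklist from the inventory and then audits the same inventory for access that outlived employment.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Departure:
    user: str
    last_day: date  # access should end at the close of this day


@dataclass
class AccessRecord:
    user: str
    system: str
    kind: str  # account | shared_credential | forwarding_rule | oauth_grant | device
    active: bool = True                  # account / forwarding rule / grant still enabled
    last_rotated: Optional[date] = None  # shared_credential: last password change
    forward_to: Optional[str] = None     # forwarding_rule: destination address
    synced: bool = False                 # device: still syncing company data


@dataclass
class Finding:
    user: str
    system: str
    issue: str
    days_open: int  # days the access stayed open past the last day


# The closing step the written checklist should carry for each kind of access.
CLOSE_ACTION = {
    "account": "disable the account and reclaim the mailbox on the last day",
    "shared_credential": "rotate the shared password and redistribute it to current staff",
    "forwarding_rule": "remove the forwarding or delegation rule",
    "oauth_grant": "revoke the OAuth grant, app password or enrolled MFA device",
    "device": "recover the device, sever cloud sync and wipe local copies",
}


def offboarding_checklist(user: str, inventory: List[AccessRecord]) -> List[str]:
    """Build the checklist for one departure straight from the access inventory,
    so every item granted on the way in gets a step on the way out."""
    return [f"{rec.system}: {CLOSE_ACTION[rec.kind]}"
            for rec in inventory if rec.user == user]


def find_orphaned_access(departures: List[Departure], inventory: List[AccessRecord],
                         today: date) -> List[Finding]:
    """Flag inventory entries still open for people whose last day has passed."""
    last_days = {d.user: d.last_day for d in departures}
    findings: List[Finding] = []
    for rec in inventory:
        last_day = last_days.get(rec.user)
        if last_day is None or today <= last_day:
            continue  # current employee, or the last day has not ended yet
        days_open = (today - last_day).days
        issue = None
        if rec.kind in ("account", "oauth_grant") and rec.active:
            issue = f"{rec.kind} still active after departure"
        elif rec.kind == "shared_credential" and (
                rec.last_rotated is None or rec.last_rotated <= last_day):
            issue = "shared credential not rotated since departure"
        elif rec.kind == "forwarding_rule" and rec.active:
            issue = f"mail still forwarded to {rec.forward_to}"
        elif rec.kind == "device" and rec.synced:
            issue = "device still syncing company data"
        if issue:
            findings.append(Finding(rec.user, rec.system, issue, days_open))
    # Longest-open gaps first: those are the ones an auditor will ask about.
    return sorted(findings, key=lambda f: f.days_open, reverse=True)


# Constructed sample data modelled on the bookkeeper scenario: she left on
# 1 March, and the review runs four months later.
TODAY = date(2024, 7, 1)
DEPARTURES = [Departure("jdoe", date(2024, 3, 1))]
INVENTORY = [
    AccessRecord("jdoe", "Microsoft 365", "account", active=True),
    AccessRecord("jdoe", "VPN", "account", active=False),  # closed correctly
    AccessRecord("jdoe", "Accounting software (shared login)", "shared_credential",
                 last_rotated=date(2023, 1, 10)),
    AccessRecord("jdoe", "Microsoft 365 mailbox rule", "forwarding_rule",
                 forward_to="jdoe@personal.invalid"),
    AccessRecord("jdoe", "Payroll portal", "oauth_grant", active=True),
    AccessRecord("jdoe", "Laptop LT-07", "device", synced=True),
    AccessRecord("asmith", "Microsoft 365", "account", active=True),  # current staff
]

if __name__ == "__main__":
    print("Checklist for jdoe:")
    for step in offboarding_checklist("jdoe", INVENTORY):
        print("  [ ]", step)
    print("\nAccess still open:")
    for f in find_orphaned_access(DEPARTURES, INVENTORY, TODAY):
        print(f"  {f.user:8} {f.system:36} {f.issue} ({f.days_open} days)")
```

Run as a script it prints the six checklist steps for the departing user and five findings, each open for 122 days; the VPN account, which was disabled on time, and the current employee's account are not flagged. The same functions run unchanged against a real export once the inventory exists, which is the point of the first recommendation above: the audit is only as good as the list it reads.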

The SecureLynx Perspective

Observe:

Almost every orphaned-access problem we find traces back to the same root cause: nobody had a list of what the departing person could reach. Offboarding cannot be thorough when the starting point is a guess. The first investment is not a tool — it is simply knowing, in advance, what access exists.

Adapt:

Offboarding breaks when it lives only in HR's paperwork and never reaches the systems where access actually sits. The organizations that get it right treat a departure as the trigger for a defined IT procedure, not a memory test performed under time pressure on someone's last afternoon. When turnover rises, a real process scales. Ad-hoc effort does not.

Protect:

Closing access fully, on time, every time is unglamorous work — which is exactly why it gets skipped, and exactly why it matters. A door left open after someone leaves is not a problem until it is, and by then the question is no longer whether to lock it but how long it stood open and who walked through. If you are not certain that every former employee's access has actually been closed, start with the assessment.