2 April 2026

Secure Offboarding: What Every Employee Departure Says About Your Cyber Maturity

Onboarding is polished, ritualised, and thought through in every detail. The first day is prepared, equipment is waiting on the desk, accounts are provisioned. Secure offboarding, by contrast, is too often treated as a piece of administrative housekeeping. That is a mistake that can prove very costly.

Every employee departure opens a window of risk. A badge not recovered, an Active Directory account still live, a VPN connection never revoked, shared passwords never rotated: offboarding processes are generally far less robust from a cybersecurity standpoint than onboarding processes, as Orange Cyberdefense notes. And that asymmetry is precisely where attackers look to gain a foothold.

This article is written for the IT and HR teams who manage employee departures together. Not to assign blame, but to share a concrete, structured framework proportionate to the real level of risk involved.

Employee Departures: A Threat That Is Consistently Underestimated

Cyber threats are often imagined as coming from outside: an unknown attacker, a phishing campaign, a technical exploit. The reality is more nuanced. A 2023 Beyond Identity survey found that 89% of former employees still retain access to at least one application from their previous employer, meaning nearly nine in ten departing individuals could potentially walk back into your digital systems at any time.

The risk takes several forms:

The financial dimension is just as significant. The average employee uses 29 different SaaS applications, each representing a potential access point that must be systematically closed at the point of departure. Meanwhile, only 44% of companies ensure that all access rights are revoked within 24 hours of an employee’s departure, according to Gartner, leaving the majority of organisations exposed for longer than they realise.

Beyond access rights, Cyberhaven’s 2024 analysis revealed a 720% spike in risky data exfiltration activity in the days just before layoffs are announced, highlighting a critical window of vulnerability that many organisations fail to monitor.

The Golden Rule: IT and HR Must Speak the Same Language at the Same Time

The primary dysfunction in departure management is not technical. It is organisational. IT teams are too often unaware of departures, or informed too late, leaving them unable to carry out a proper offboarding. The employee is sometimes already gone when the IT department learns the news.

The solution lies in a formalised coordination mechanism between HR and IT, activated as soon as a departure is confirmed, whether it is a resignation, a redundancy, the end of a fixed-term contract, or a retirement.

This mechanism should include:

  • A written procedure, known to both teams, setting out roles and timescales clearly
  • An automatic trigger on the HR side that notifies IT as soon as a departure is confirmed
  • An inventory of the departing employee’s access rights, ideally kept up to date throughout the life of the contract
  • A defined cut-off date, ideally the last day of physical presence, not the last contractual day

In the most sensitive environments, access governance must be granular and adjustable in real time to limit the risks associated with unauthorised access, a principle that underpins Whaller’s approach to digital sovereignty and access control.

The Secure Offboarding Checklist: Non-Negotiable Actions

Physical Access

  • Recover the building access badge on or before the last day, without exception
  • Deactivate alarm codes and any biometric access associated with the departing employee
  • Recover physical keys, car park passes, and hardware authentication tokens
  • Recover all professional equipment: laptop, smartphone, tablet, and removable storage media

Information System Access

  • Disable the Active Directory or LDAP account immediately — not at the end of the notice period if the employee has already left the premises
  • Revoke all VPN credentials and remote access connections
  • Disable the professional email account and set up a temporary forwarding rule if continuity requires it — with a defined and limited duration
  • Remove or deactivate accounts on all business SaaS tools: CRM, ERP, project management platforms, collaborative workspaces, marketing tools, and so on
  • Revoke access to shared storage: file servers, drives, and document repositories
  • Remove access to source code repositories if the employee was a developer
  • Revoke API tokens and any programmatic access credentials generated by the employee

Shared Passwords and Secrets

This is often the blind spot of offboarding. Employees frequently know shared passwords for various systems or accounts, and when they leave, those credentials must be changed immediately. In practice, this means:

  • Identifying every application the employee accessed using shared credentials: generic email inboxes, company social media accounts, shared supplier logins, and so on
  • Systematically rotating all those shared passwords
  • Revoking access to any team password managers the employee used
  • Changing Wi-Fi network passwords if access credentials were shared with the employee

The principle of least privilege, under which users hold only the access strictly necessary for their role, is the most effective safeguard at the point of departure. Access traceability and the ability to restrict sharing to specific addresses are what keep control over what an employee can reach, and for how long.

Multi-Factor Authentication (MFA)

MFA is one of the most effective defences against account compromise.

When an employee leaves, it is essential to:

  • Deactivate any authenticator applications linked to their professional accounts (Google Authenticator, Microsoft Authenticator, and so on)
  • Revoke personal phone numbers registered as a second factor on professional applications
  • Regenerate MFA backup codes on sensitive accounts that were accessible to the departing employee

Accounts with Elevated Privileges: A Special Priority

If the employee held administrator rights, the priority must be absolute. 53% of IT leaders identify the risk of a cyberattack via an unmanaged account as their top concern when an employee is not properly deprovisioned, according to a Gartner peer survey.

Concretely:

  • Revoke administrator rights before the employee’s physical departure, not after
  • Transfer privileges and responsibilities to another authorised individual
  • Change service account passwords managed by the departing employee
  • Audit actions carried out on critical systems in the days leading up to the departure

After the Departure: Monitor, Audit, Document

Offboarding does not end on the last day. Post-departure monitoring is necessary for a period of 30 to 90 days, depending on the sensitivity of the role.

  • Monitor connection attempts using the former employee’s credentials
  • Set alerts on any suspicious activity linked to recently deactivated accounts
  • Verify that temporary email forwarding rules have not been redirected to an unauthorised external address
  • Carry out a full audit across all systems to confirm no residual access has been overlooked
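The post-departure checks above, as an added example that is not part of the original article: a Python script run over constructed auth log lines and forwarding rules (hypothetical formats and names) that flags activity under deactivated identities, escalating a successful login to critical because it means an access path was missed, and finds forwarding rules that point outside the company domain or have outlived their expiry.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the original article): the identity disabled
# at offboarding with its cut-off instant, and a hypothetical auth log format.
DEACTIVATED = {"jdupont": datetime(2026, 4, 10, 18, 0, tzinfo=timezone.utc)}
INTERNAL_DOMAIN = "example.com"
AUTH_LOG = """\
2026-04-12T08:14:02Z vpn-gw auth user=jdupont src=203.0.113.7 result=FAILURE
2026-04-12T08:15:40Z vpn-gw auth user=mleroy src=198.51.100.3 result=SUCCESS
2026-04-13T22:01:11Z m365 auth user=jdupont src=203.0.113.7 result=SUCCESS
2026-04-09T09:00:00Z m365 auth user=jdupont src=10.0.0.12 result=SUCCESS
"""
LINE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\S+)$")
FORWARDING_RULES = [  # constructed: temporary forwards created at offboarding
    {"mailbox": "jdupont@example.com", "to": "sales-team@example.com", "expires": "2026-05-10"},
    {"mailbox": "pmartin@example.com", "to": "pmartin@external.example", "expires": "2026-05-01"},
    {"mailbox": "aroux@example.com", "to": "manager@example.com", "expires": "2026-03-01"},
]

def flag_deactivated_logins(log_text, deactivated):
    """Findings for auth events under identities that should no longer exist.
    A failed attempt after the cut-off deserves an alert; a successful one
    means an access path was missed at offboarding and must be closed first."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than misparse silently
        ts_raw, system, user, src, result = m.groups()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        cutoff = deactivated.get(user)
        if cutoff is None or ts <= cutoff:
            continue  # still-active account, or activity before the cut-off
        severity = "critical" if result == "SUCCESS" else "medium"
        findings.append({"user": user, "system": system, "src": src,
                         "when": ts_raw, "severity": severity})
    return findings

def check_forwarding_rules(rules, today, internal_domain=INTERNAL_DOMAIN):
    """Flag forwards to external domains and forwards that outlived their expiry."""
    problems = []
    for r in rules:
        if not r["to"].lower().endswith("@" + internal_domain):
            problems.append((r["mailbox"], "external destination"))
        if r["expires"] < today:  # ISO dates compare correctly as strings
            problems.append((r["mailbox"], "expired forward still active"))
    return problems
```

In a real deployment the log text would come from the SIEM and the rules from the mail platform's admin API; only the parsing and the two decision rules change.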

Companies with automated offboarding processes reduce security incidents by 34%, according to research compiled by Newployee. Documenting each step is equally important: in the event of a subsequent incident, it allows the organisation to demonstrate that all necessary measures were taken, and provides essential legal protection.

Towards Automated Management: IAM and the Digital Workplace as Enablers

In organisations of significant size, manual offboarding management is structurally error-prone. Identity and Access Management (IAM) solutions centralise identity and access governance, synchronise with the HRIS, and automatically trigger account deactivation workflows across all connected applications as soon as a departure is recorded.
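An added illustration (not Whaller's or any IAM product's code) of the HRIS-triggered workflow described above: given a constructed departure record and access inventory with hypothetical field names, it derives a prioritised, dated action list keyed to the last day of physical presence rather than the contractual end date, puts administrator rights first, sizes the monitoring window by role sensitivity, and reports which actions are still open past their due date.

```python
from datetime import date, timedelta

# Constructed HRIS departure record and access inventory (hypothetical field
# names; a real HRIS-to-IAM integration would map its own schema to these).
DEPARTURE = {
    "employee_id": "E1042",
    "last_physical_day": date(2026, 4, 10),
    "last_contract_day": date(2026, 4, 30),  # notice period runs on after presence ends
    "sensitive_role": True,                   # sets the post-departure monitoring window
}
INVENTORY = [
    {"system": "Active Directory", "kind": "account"},
    {"system": "Corporate VPN", "kind": "account"},
    {"system": "Mailbox", "kind": "mailbox"},
    {"system": "Production servers", "kind": "admin_role"},
    {"system": "Company social media", "kind": "shared_secret"},
    {"system": "CI deploy token", "kind": "api_token"},
]
# Action per access kind; lower priority number runs first. Admin rights are
# revoked before the person leaves the building, everything else by the cut-off.
RULES = {
    "admin_role":    (0, "revoke admin rights, transfer to a named owner"),
    "account":       (1, "disable account"),
    "api_token":     (1, "revoke token"),
    "shared_secret": (2, "rotate shared credential"),
    "mailbox":       (3, "disable mailbox; forward at most 30 days, internal only"),
}

def build_offboarding_plan(departure, inventory):
    """Turn a confirmed departure into a dated, prioritised action list.
    The cut-off is the last day of physical presence, not the last contractual day."""
    cutoff = departure["last_physical_day"]
    plan = []
    for entry in inventory:
        prio, action = RULES[entry["kind"]]
        due = cutoff - timedelta(days=1) if prio == 0 else cutoff  # admin rights: day before
        plan.append({"system": entry["system"], "action": action,
                     "priority": prio, "due": due, "done": False})
    plan.sort(key=lambda a: (a["due"], a["priority"], a["system"]))
    days = 90 if departure["sensitive_role"] else 30
    plan.append({"system": "SIEM", "action": f"watch the identity for {days} days",
                 "priority": 4, "due": cutoff + timedelta(days=days), "done": False})
    return plan

def overdue(plan, today):
    """Open actions past their due date: the exposure window still to close."""
    return [a["system"] for a in plan if not a["done"] and today > a["due"]]
```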

A well-designed Digital Workplace also contributes to simplifying this process. Whaller enables organisations to manage member access and maintain a full directory of users, with granular rights management by sphere and by role. When an employee leaves, their profile can be deactivated from the administration interface, instantly revoking all access to internal communication and collaboration spaces, without exception.

Whaller’s sphere-based compartmentalisation also means that shared folders can be made accessible in read-only mode to specific people or teams, without ever compromising the security of other internal resources. This strict separation of spaces significantly reduces the attack surface at the point of departure: resources the employee was never authorised to access remain inaccessible, without any additional manual action required.

For the most sensitive environments, Whaller DONJON, SecNumCloud 3.2-qualified by ANSSI, the French national cybersecurity agency, offers an additional level of control and traceability. The first French collaborative platform to have obtained this security visa, Whaller DONJON is designed to meet the requirements of critical information systems, operators of vital importance, and organisations handling information at the Restricted Distribution level.

Offboarding: A Mirror of Your Security Culture

A rigorous offboarding process is not simply a technical measure. It is a strong signal sent to the entire organisation about how it treats information security, not as a regulatory constraint, but as a continuous cultural practice.

Organisations that manage departures with the same rigour they apply to onboarding send a clear message to their teams: data protection is not the concern of a single department. It is everyone’s responsibility, right up to the last day.

And if this process is currently incomplete in your organisation, now is the right time to formalise it. Not after an incident.

Would you like to discover how Whaller can help you structure access management and employee departures within your organisation? Request a demonstration.