What Happens in IT When an Employee Joins or Leaves

Article summary: Poor onboarding means new employees start with too much access or borrowed credentials. Poor offboarding means departed employees may keep access for months. Neither outcome requires bad intent to cause problems. A consistent process for both makes your business measurably more secure without adding significant overhead.
A new hire arrives on Monday morning and their laptop isn’t ready. Their email still isn’t set up. By mid-afternoon, someone has handed them a manager’s login just to get them started.
It’s a frustrating experience for everyone, and it creates a security risk on day one.
The IT work behind onboarding and offboarding is meant to stay in the background. When everything runs smoothly, no one thinks about it.
But when something gets missed or delayed, the effects tend to show up much later: an account left active, a missing device, or access that nobody thought to revoke.
IT support for small businesses means getting these steps right every time, not just when there’s capacity to spare.
What Good Onboarding Looks Like from an IT Standpoint
Good IT onboarding answers two questions before an employee’s first day. What do they need? And what, specifically, should they have access to?
The logistics are straightforward: the device is ready, email is set up, software is installed. Access is where it becomes more critical.
Access should be granted according to the employee’s specific role: the systems they need, and nothing more. Not broad access given out “just in case.” Not inherited permissions from whoever previously held the position.
This is called least-privilege access, and it matters because over-permissioned accounts are among the most common things attackers find and use.
Research cited by Envision Consulting shows that 43% of cyberattacks target small and mid-sized businesses. In many cases, rushed onboarding and offboarding processes can create security gaps that attackers are quick to exploit.
One of the most useful habits to build into onboarding is maintaining an access log. Every system, application, and tool a new hire is given access to gets recorded. When that person eventually leaves, the log becomes the offboarding checklist. Build it once, use it twice.
The Risk That Starts the Moment Someone Leaves
When an employee departs, the most time-sensitive IT task is also the most frequently delayed one: revoking access.
A study by Intermedia and Osterman Research found that 89% of former employees retained access to at least one corporate application after leaving a company.
That figure doesn’t reflect malicious intent. Most departing employees never use their residual access.
Only a fraction of organizations fully remove user accounts when someone leaves. The accounts that are left behind often remain as dormant credentials, sitting in systems and creating potential security risks.
Best practice is to disable all accounts on the day someone leaves, not days later. For unplanned or sensitive departures, access should be revoked before or during the conversation. Any delay beyond that point creates unnecessary risk.
Zombie Accounts and What They Cost You
When offboarding doesn’t happen cleanly, accounts don’t disappear. They go quiet.
Zombie accounts are credentials that weren’t properly removed after someone left. They remain in systems, sometimes for years, still technically active. Attackers often target them because they carry normal access but receive far less scrutiny than active accounts.
Shared passwords are a related problem. When a team login exists and the person holding it leaves, that credential doesn’t change automatically.
According to FirstHR, changing shared credentials on the day of departure is a critical offboarding step that many small businesses overlook. It’s also one of the simplest security gaps to fix.
Building a System That Works Without a Dedicated IT Team
Most small businesses don’t have an IT department. They don’t need one to get this right.
What they need is a documented process that HR and management can follow for every hire and every departure. The access log built during onboarding becomes the checklist at offboarding. Devices should be tracked from day one so recovery at departure isn’t a scramble.
A few steps get missed often. Email accounts should be forwarded before they’re suspended. Shared calendars, distribution lists, and file-storage permissions all need updating when someone leaves.
Going passwordless with tools like Microsoft Entra reduces the credential rotation burden significantly and makes offboarding more reliable overall.
Review permissions for current employees too.
Roles evolve over time, and access that was appropriate two years ago may no longer reflect what your team needs today. A quarterly check on active permissions, alongside a review of what’s included in your Microsoft 365 plan, keeps things current without requiring a full audit each time.
Keeping Employee Transitions from Becoming Security Events
Employee transitions don’t have to create risk. A consistent process, applied every time someone joins or leaves, closes most gaps before they have a chance to become problems.
C Solutions IT helps small businesses across Central Florida build onboarding and offboarding procedures that protect access, data, and devices without complicating day-to-day operations. Reach out at csolutionsit.com/contact.
Article FAQs
What is IT onboarding?
IT onboarding is the process of setting up a new employee with the devices, accounts, software, and access they need to do their job. Done well, it ensures they can work productively from day one and that access is granted only for what their specific role requires.
Why does IT offboarding matter for small business security?
When access isn’t revoked promptly after an employee leaves, their credentials remain active in your systems. That creates ongoing exposure regardless of whether the employee intends to misuse it. Prompt, documented offboarding is the only reliable way to close that gap consistently.
What is a zombie account?
A zombie account is a user account that was never properly disabled or deleted after an employee left. These accounts often retain the same access as the departed employee and can be found and used by outside attackers who scan for dormant credentials.
How quickly should access be revoked when someone leaves?
For planned departures, access should be disabled on the final day of employment. For unplanned or involuntary departures, access should be revoked at the same time as the departure conversation. Shared credentials should be changed immediately, before the employee’s final session ends.
What should a small business track during onboarding for offboarding purposes?
Keep a simple log of every account, application, and system each new employee is given access to, including the email used, the access level, and the date it was granted. This turns offboarding from a guessing exercise into a straightforward checklist and significantly reduces the chance of anything being missed.
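The access log described above, and under "What Good Onboarding Looks Like", can be kept as a plain CSV file. The following is an added example, not part of the original article: it turns such a log into an offboarding checklist and cross-checks it against each system's list of enabled accounts to surface zombie accounts. The column names, the "shared" flag, and all sample data are constructed assumptions.

```python
import csv
import io

# Constructed sample access log. Columns follow the fields the article lists
# (email used, access level, date granted); "shared" is an added assumption
# marking team logins that must be rotated rather than disabled.
ACCESS_LOG_CSV = """employee,system,account,access_level,granted,shared
dana@example.com,Microsoft 365,dana@example.com,user,2023-03-01,no
dana@example.com,Accounting,dana@example.com,approver,2023-03-02,no
dana@example.com,Shipping portal,team-shipping,admin,2023-04-10,yes
lee@example.com,Microsoft 365,lee@example.com,user,2022-01-15,no
lee@example.com,Shipping portal,team-shipping,admin,2022-02-01,yes
"""

def load_log(text):
    """Parse the access log CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def offboarding_checklist(log, employee):
    """Turn one employee's log entries into (action, system, account) steps."""
    steps = []
    for row in log:
        if row["employee"] != employee:
            continue
        action = "rotate-shared-credential" if row["shared"] == "yes" else "disable-account"
        steps.append((action, row["system"], row["account"]))
    return steps

def zombie_accounts(log, departures, enabled, today):
    """Personal accounts of departed staff that a system still reports as enabled.

    departures: {employee: datetime.date of departure}; enabled: set of
    (system, account) pairs exported from each system's user list.
    """
    findings = []
    for row in log:
        left = departures.get(row["employee"])
        if left is None or left > today or row["shared"] == "yes":
            continue
        if (row["system"], row["account"]) in enabled:
            findings.append((row["system"], row["account"], (today - left).days))
    return findings

def unlogged_accounts(log, enabled):
    """Enabled accounts that no log entry explains: gaps in the log itself."""
    known = {(r["system"], r["account"]) for r in log}
    return sorted(enabled - known)
```

Running zombie_accounts and unlogged_accounts during the quarterly permissions review catches both missed offboarding steps and access that was granted without being recorded.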
