What Happens When a Former Employee Still Has Access to Everything
Offboarding failure is one of the most common—and preventable—security gaps in small business. Here's how to audit access and close it for good.

Six months after a senior manager left a Miami marketing agency, someone noticed files were still being accessed from outside the office. They pulled the audit log. The former employee had been browsing the shared Dropbox folder—not maliciously, as it turned out, but out of habit. Old files they'd worked on. Nothing they copied. But the access had never been removed.
That scenario replays constantly across small businesses. Not because anyone is careless, but because offboarding is treated as an HR event when it's also a security event. The resignation letter gets processed. The final paycheck gets calculated. The access audits don't happen—because most businesses don't have a list of what to audit.
This is how you fix that.
Affiliate Disclosure: This article contains affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you.
Key Takeaways
- Offboarding failures happen because most businesses lack a centralized inventory of employee access across all SaaS applications
- Email is the highest-risk access to leave open—it functions as the recovery key for every other connected service
- Shared credentials are the structural cause; individual admin-controlled vaults are the fix
- A business password manager ($4–$8/user/month) gives you one dashboard to revoke all access in a single action
- The offboarding checklist below covers same-day, 24-hour, and 1-week actions with hardware recovery included
- Compliance frameworks including SOC 2, HIPAA, and GDPR require demonstrable access revocation on departure
Why Does Former Employee Access Go Unnoticed?
Businesses lose track of former employee access because they lack a centralized inventory of all active software accounts and credentials.
The average small business uses dozens of applications, most of them adopted independently by different teams over time—not through a governed IT procurement process. A project manager signs the company up for Asana. A designer creates a Figma workspace under their personal email. A salesperson configures HubSpot and invites the team. Each of those is a separate credential that needs active management when the person leaves. There is no master list because no one was responsible for creating one.
Three specific patterns make this worse:
Shadow accounts. Employees create accounts for tools IT never approved or tracked. A team member who signed up for Notion or Loom under their work email might be the only person with admin access to that workspace. When they leave, the account persists invisibly.
Shared credentials. Many small businesses rely on shared logins—one Gmail alias for the social media team, one Dropbox login everyone knows. Revoking one person's access requires changing the password for everyone, updating every device, and doing it at exactly the wrong time. So it gets delayed, then forgotten.
No automatic trigger. The access audit doesn't initiate itself. Whether a departure is planned or abrupt, someone has to start the checklist. In practice, that often doesn't happen.
Risks of Unrevoked Former Employee Access

Unrevoked access allows former employees to view proprietary data, trigger password resets across connected services, and interact with client or financial records.
The practical risks span several categories:
- Email accounts serve as the primary recovery method for every other business application. An active company email account gives the holder the ability to reset passwords for any connected service—effectively putting every tool behind that email address back in play.
- Cloud storage houses client deliverables, contracts, financial records, and strategy documents. Someone with shared folder access can download the entire contents in minutes.
- CRM systems contain your customer list, deal history, notes, and contact data. This is a competitive asset. A former employee who joins a competitor with that data is a material business risk.
- Project management tools reveal active client engagements, timelines, and team capacity—proprietary operational information for any service business.
- Billing and finance portals (Stripe, QuickBooks, business banking) carry direct financial risk if access is left open.
One additional risk worth noting: changing a password does not immediately terminate an active session. Session tokens—the credentials that keep a user logged in after authenticating—persist until they expire or are explicitly revoked. This is why signing out all active sessions in your identity provider is a separate, required step from simply disabling the account.
The Danger Isn't Always Malice
Most offboarding breaches are not sabotage. They are curiosity, habit, or accident. But the legal and compliance exposure is identical regardless of intent—and the cost of a breach notification, regulatory inquiry, or client confrontation is very real.
Failing to revoke access is also a compliance risk in its own right. SOC 2, HIPAA, and GDPR all include requirements around access control and timely deprovisioning. An auditor or regulator asking "when was this employee's access revoked?" requires a documented answer, not a guess. Our small business breach prevention guide covers the full access control and compliance framework for businesses working through that process.
The Access Audit: What to Check First
If you're reading this because you just terminated an employee and haven't revoked access yet, start here. This is the minimum viable audit for most small businesses:
| Category | Where to Look | What to Do |
|---|---|---|
| Email (Google Workspace / M365) | Admin console → Users | Disable account immediately; do not delete |
| Cloud storage (Drive, Dropbox, OneDrive) | Sharing settings, organizational members | Remove from all shared folders and drives |
| Project management (Asana, Monday, ClickUp) | Settings → Members | Remove user; reassign open tasks |
| Password manager | Admin console → Users | Offboard user; initiate credential rotation |
| CRM (HubSpot, Salesforce, Pipedrive) | User management | Deactivate account; review recent data exports |
| Billing & finance (Stripe, QuickBooks, banking) | Team members or authorized users | Remove immediately; check recent transactions |
| Code repositories (GitHub, GitLab) | Organization members | Remove; revoke personal access tokens |
| Communication (Slack, Teams) | Admin → Members | Deactivate; message history remains accessible to admins |
| Domain registrar / DNS | Admin/billing contacts | Remove if they were a contact; change passwords |
| Any external client portals | Per-client account settings | Remove; notify client if necessary |
Your actual list will be different. The point is to build this list before someone leaves—not reconstruct it after.
If you discover accounts you weren't aware existed, document them before removing access. A quick export of their profile data, access history, and any files or records they owned is useful both for continuity and for any potential legal review. For a structured approach to identifying these gaps, our small business security assessment guide provides a framework for auditing your entire technical stack.
If you want to avoid this audit by provisioning access correctly from the start, our new employee IT onboarding checklist covers the setup process that makes offboarding a documented reversal rather than a reconstruction.
The Root Problem: Shared Credentials and No Process
Most small business offboarding failures trace back to the same two issues.
Shared credentials make revocation impossible without disrupting everyone. If three people log into the company Instagram account with the same username and password, you can't remove just one person—you have to change the password and update it for everyone still on the team. That's disruptive, so people delay it. And then they forget.
Manual checklists get skipped under pressure. Planned departures are rare. Most terminations are rushed or emotionally charged. Even when an HR checklist exists, the IT steps are frequently the last to get completed—or never completed at all. "We'll get to the access thing later" becomes never.
The fix for shared credentials is individual accounts managed through a centralized admin system. The fix for manual checklists is a process that's triggered automatically at offboarding—not one that depends on someone remembering to initiate it.
A business password manager addresses both.
Using Password Managers for Secure Employee Offboarding

Business password managers centralize credential control, allowing administrators to revoke an employee's access to all company accounts in a single action.
Here's specifically what this solves:
Individual vaults replace shared credentials. Every team member has their own vault. Shared credentials live in team vaults controlled at the admin level—not by knowing a shared password. When someone leaves, you revoke their account rather than changing passwords.
One action covers everything. From the admin dashboard, disabling a departing employee's account immediately removes their access to every credential in every vault—personal and shared. There is nothing to hunt down individually.
Access logs prompt credential rotation. When you offboard a user, the admin console shows which vaults and credentials that person accessed. You can transfer vault ownership to their replacement and get a clear list of which sensitive credentials should be rotated.
Audit trail for compliance. Activity logs document what credentials were accessed and when—relevant for both post-departure security reviews and any compliance documentation requirements.
One area worth addressing in 2026 is passkey management. As more services adopt passkey authentication, employees may store company-linked passkeys in their personal device keychain—Apple iCloud Keychain or Google Password Manager—instead of the company vault. If an employee leaves with a company passkey stored in their personal iCloud, revoking their password manager account won't help; the passkey persists on their device. Business password managers like 1Password let you enforce passkey storage policies so all company passkeys live in the company vault, where they can be revoked through the admin console like any other credential. For a deeper dive into this technology, see our passkeys small business implementation guide.
For most small businesses, the two strongest options are 1Password Business ($7.99/user/month) for the best-in-class admin experience and vault transfer workflow, and Bitwarden Teams ($4/user/month) for open-source transparency and strong admin controls at a lower price point. Both offer centralized offboarding, SCIM directory sync, and detailed activity logs.
For a full comparison including SSO support, SCIM provisioning, and rollout checklists, see our complete business password manager comparison.
SSO and Identity Providers: The Infrastructure-Level Solution
Single sign-on platforms like Microsoft Entra ID, Google Workspace, and Okta provide centralized identity management at the infrastructure level—one system that controls access to every connected application.
Password managers solve the credential storage and sharing problem. SSO solves the authentication problem at a deeper level: every application the employee uses is connected to a single identity provider. When you disable the user in the identity provider, they are locked out of every connected application simultaneously—not because you revoked a password vault, but because their identity no longer authenticates.
For small businesses already using Google Workspace or Microsoft 365, limited SSO capability is already included. Google Workspace and Entra ID both support SAML-based SSO for hundreds of third-party applications. Enabling SSO for your critical business tools—your CRM, project management platform, cloud storage, and password manager—means offboarding a user in one place cascades instantly across your entire stack.
Dedicated identity providers like Okta or JumpCloud extend this further, with automated provisioning and deprovisioning (SCIM), conditional access policies, and device trust requirements. For businesses scaling beyond 20–30 employees, investing in a proper identity provider becomes the most reliable offboarding control available.
Don't Forget the Files: Secure Cloud Storage Access
Cloud storage access is separate from credential access—removing someone from a password manager does not revoke their access to shared Dropbox or Google Drive folders.
Most small businesses use consumer-grade or lightly-managed cloud storage. Shared Dropbox folders, Google Drive with broad link-based sharing, OneDrive accounts where folder permissions were set informally years ago. These work well during active employment. They're difficult to audit and revoke cleanly when someone leaves—especially when the original access was granted by a person who also no longer works for the company.
End-to-end encrypted business cloud storage with admin-managed access controls changes this significantly. Every shared folder is an explicit permission that can be revoked from a central console. When an employee is offboarded, the admin removes them from every shared folder in one operation—and the files disappear from their local sync immediately, not just on next login. Our best cloud storage for small business guide compares the top encrypted options for teams requiring this level of control.
Tresorit Business Plus ($19/user/month, billed annually) is built specifically for this use case: end-to-end encryption with granular folder-level permissions, admin access revocation, and full activity audit logs. It's more expensive than consumer storage but appropriate for teams handling client data, contracts, or anything under compliance requirements. (Tresorit also offers a Standard tier at $14.50/user/month with a smaller feature set; the Business Plus tier includes the admin controls and audit logs referenced here.)
For teams that want a single suite covering both credential management and encrypted file storage, Proton Pass Professional ($4.49/user/month, billed annually) includes integrated Proton Drive access alongside password management, SSO, and SCIM—all under Swiss privacy law.
Your Offboarding Checklist
Print this or keep it bookmarked. The timing matters: same-day action significantly reduces the window of exposure.
Same Day (as soon as you know)
- Disable email account in Google Workspace or Microsoft 365 admin console — do not delete, preserve records
- Sign out all active sessions in the identity provider (forces immediate logout from all devices and browsers)
- Offboard from password manager admin console — revoke all vault access
- Remove from shared cloud storage folders (Google Drive, Dropbox, Tresorit, OneDrive)
- Remove from project management tools (Asana, Monday, ClickUp, etc.) and reassign open tasks
- Collect company-issued hardware (laptop, phone, 2FA hardware keys such as YubiKeys, access badges)
Within 24 Hours
- Rotate any credentials the employee had individual or shared access to — use the password manager access log to identify which ones
- Remove from CRM and review data export activity from the past 30 days
- Remove from billing and finance portals (Stripe, QuickBooks, bank accounts) — check for recent changes
- Revoke GitHub, GitLab, or other code repository access — cancel personal access tokens and API keys
- Remove from communication tools (Slack, Teams, Discord) — reassign any owned channels or webhook integrations
- For BYOD devices: if you use an MDM (Intune, Jamf), issue a selective wipe to remove company data without touching personal content. If you don't have MDM, use Google Workspace basic endpoint management (included in most plans) to remotely sign the account out of enrolled devices — and ensure your standard employment agreement includes a clause acknowledging the company's right to wipe its data from personal devices used for work
Within One Week
- Transfer cloud file ownership to their replacement
- Remotely wipe any company-issued devices not yet physically recovered
- Update external vendor or client portals where they were the listed contact
- Remove from mailing lists, shared email aliases, and newsletter accounts
- Final audit: run through the access audit table above and confirm nothing was missed
- Document the completed offboarding in your records — required for SOC 2, HIPAA, and GDPR compliance
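As an added illustration (not the article's own material), here is a small Python audit that encodes the three checklist tiers above together with the two gaps a plain "account disabled" checkbox hides: sessions that survive a password change, and shared credentials that must be rotated rather than merely un-shared. The inventory, system names, timestamps and the eight-hour "same day" window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Deadlines measured from the moment of departure, matching the checklist tiers.
# "Same day" is assumed here to mean within an eight-hour working day.
TIER_DEADLINES = {
    "same_day": timedelta(hours=8),
    "24h": timedelta(hours=24),
    "1w": timedelta(days=7),
}

@dataclass
class AccessItem:
    system: str
    tier: str                              # "same_day", "24h" or "1w"
    revoked_at: Optional[datetime] = None  # None means the access is still open
    sessions_signed_out: bool = True       # identity accounts: were active sessions signed out?
    shared_credential: bool = False        # shared logins need rotation, not just removal
    rotated_at: Optional[datetime] = None

Finding = Tuple[str, str, str]  # (system, status, detail)

def audit_offboarding(items: List[AccessItem], departed_at: datetime, now: datetime) -> List[Finding]:
    """Check every inventory item against its tier deadline and flag live sessions and unrotated secrets."""
    findings: List[Finding] = []
    for item in items:
        deadline = departed_at + TIER_DEADLINES[item.tier]
        if item.revoked_at is None:
            status = "OVERDUE" if now > deadline else "OPEN"
            findings.append((item.system, status, "access not yet revoked"))
        elif item.revoked_at > deadline:
            findings.append((item.system, "LATE", f"revoked {item.revoked_at - deadline} after deadline"))
        # Disabling an account does not end sessions that already authenticated.
        if item.revoked_at is not None and not item.sessions_signed_out:
            findings.append((item.system, "GAP", "account disabled but active sessions not signed out"))
        # Removing one person from a shared login changes nothing until the secret is rotated.
        if item.shared_credential and item.rotated_at is None:
            findings.append((item.system, "GAP", "shared credential not rotated"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group affected systems by status so the report reads like the checklist."""
    summary: Dict[str, List[str]] = {}
    for system, status, _ in findings:
        summary.setdefault(status, []).append(system)
    return summary

# Constructed sample inventory for one departure; all names and times are made up.
DEPARTED_AT = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
NOW = datetime(2026, 1, 7, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    AccessItem("Google Workspace email", "same_day", datetime(2026, 1, 5, 10, 0, tzinfo=timezone.utc), sessions_signed_out=False),
    AccessItem("Dropbox shared folders", "same_day"),
    AccessItem("HubSpot CRM", "24h", datetime(2026, 1, 6, 8, 0, tzinfo=timezone.utc)),
    AccessItem("Company Instagram", "24h", datetime(2026, 1, 5, 12, 0, tzinfo=timezone.utc), shared_credential=True),
    AccessItem("GitHub organization", "24h", datetime(2026, 1, 6, 15, 0, tzinfo=timezone.utc)),
    AccessItem("Client portal", "1w"),
]
```

Running `summarize(audit_offboarding(SAMPLE_INVENTORY, DEPARTED_AT, NOW))` groups the sample into one OVERDUE item, one LATE item, one still-OPEN item and two GAPs that the per-tool "removed" checkbox would have reported as done.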
Build the Checklist Before You Need It
The worst time to create an offboarding process is in the hours after a contentious termination. Create this checklist now, store it somewhere both your operations lead and IT contact can access, and update it whenever a new application is added to your stack.
Start With What You Can Fix Today
The Miami agency in the opening story had the same starting point as most businesses their size: no central access inventory, shared credentials, and offboarding treated as an HR event. A business password manager at $4–$8 per user per month resolves 80% of that—individual vaults, one-click revocation, and a built-in audit log. Adding SSO and admin-controlled cloud storage closes the rest.
The goal isn't to be suspicious of departing employees. It's to have a process so that trust doesn't have to be your security strategy.
Related Resources
- New Employee IT Onboarding Checklist — The companion article: how to provision access correctly from day one so offboarding is easier when the time comes.
- Best Business Password Managers 2026 — Full comparison of 1Password, Bitwarden, NordPass, and Proton Pass with IT admin feature breakdown and rollout checklist.
- Cut Your Breach Risk in 90 Days — The bigger-picture security plan: MFA, patching, vendor access management, and incident response for small businesses.