
IT Onboarding and Offboarding: How to Securely Add and Remove Employees

By nazy rafaeil
6 June 2026
[Image: Secure employee lifecycle management in enterprise cybersecurity]

Most businesses focus their IT security on outside threats: firewalls, antivirus, and phishing training, all aimed at attackers who do not belong inside the network. What gets overlooked is one of the most common and damaging security gaps a business actually has: the way employees join and leave the company. A new hire who is given too much access on day one creates risk. A departed employee whose accounts are still active creates more. Industry research consistently finds that a substantial share of IT professionals are not confident that recently offboarded employees have actually lost their access, and incidents involving departing employees have been rising. IT onboarding and offboarding are not just HR processes. They are core security processes, and getting them right is one of the highest-leverage things a small business can do to reduce its risk. This guide explains what each side of the process should actually involve, the mistakes that cause real breaches, and how to build a defensible workflow that works whether you handle it internally or with outside help.

Why IT Onboarding and Offboarding Are Security Issues, Not Just HR Issues

HR sees onboarding as paperwork, orientation, and training. HR sees offboarding as a final paycheck, an exit interview, and a goodbye. From a security standpoint, both events are the moments when the business gives away or fails to take back the keys to its data. Every account, every device, every login, every system permission represents a potential entry point. The processes that grant and revoke them are therefore security processes whether anyone labels them that way or not.

The risk on the onboarding side is over-provisioning, giving new employees more access than their job requires, often because it is easier to grant blanket access than to think carefully about what each role needs. The risk on the offboarding side is under-revocation, failing to remove all of a departing employee's access before they leave or shortly after. Both create exposure. Both are extremely common. And both are largely preventable with a defined, repeatable process.

[Image: HR and cybersecurity collaboration for employee access management]

The IT Onboarding Process: What Should Happen Before Day One

Effective onboarding begins before the new employee walks through the door. Treating it as a structured workflow rather than a scramble on the first morning is what produces a secure outcome.

[Image: IT onboarding workspace with devices and access setup]

Provisioning Accounts and Access

Decide what accounts the new hire actually needs based on their role, not based on what previous people in similar roles happen to have. Each account should be created with a unique identifier so future activity can be traced back to the individual. Shared logins are a security anti-pattern that needs to be designed out, not inherited.

Applying the Principle of Least Privilege

Grant only the access required to do the job, and no more. If a role does not need access to the financial system or the client database, those should not be granted by default. Over-provisioning is one of the most common security findings in small business environments, and it usually starts on day one because the path of least resistance is to give a new hire what their predecessor had.

Issuing and Securing Devices

Devices should be prepared in advance, with the standard software stack installed, security tools enabled, encryption turned on for laptops and mobile devices, and the device tied to a tracked inventory so it is known to belong to that employee. Letting a new hire bring their own personal device into a business environment without controls is a significant risk for most businesses.

[Image: Secured corporate devices prepared for employee deployment]

Multi-Factor Authentication and Password Setup

Multi-factor authentication should be enabled before the employee logs in for the first time, not added later when someone remembers. Initial passwords should be set securely, with a forced change on first login, and stored in an approved password manager rather than emailed or written down.

Security Awareness Training on Day One

Onboarding training should include security awareness from the start: how to spot phishing, what to do with suspicious emails, the company's acceptable use policy, what kinds of data must never be shared externally, and how to report a potential incident. Doing this in the first week is far more effective than waiting until a problem occurs.

Documentation

Record what was provisioned, when, and by whom. This record matters later, both for offboarding and for audits or investigations. A list of every account a new hire received on day one is exactly the list you need on their last day.

The IT Offboarding Process: Where Most of the Damage Happens

If onboarding sets the perimeter, offboarding closes it. This is the more dangerous of the two processes, and it is the one most often handled poorly. A defined, fast, complete offboarding workflow is one of the most valuable security controls a small business can have.

[Image: Security analyst managing employee offboarding and access removal]

Disable Access Immediately

The moment an employee's departure is final, whether they resigned, were terminated, or completed a contract, their access should be disabled across all systems. This is not a tomorrow task. Active accounts of departed employees are a documented source of data theft, and the risk is highest in the first hours and days after departure. For a planned, amicable departure, the timing can be aligned with the last day. For an unplanned or contentious one, disabling access should happen before or at the moment the employee is informed, depending on circumstances and legal guidance.

Recover Company Assets

Collect every device the company issued: laptops, phones, tablets, security keys, external drives. Maintain a checklist tied to the inventory built during onboarding, so nothing is forgotten. If a device cannot be physically recovered, such as for a remote employee, it should be remotely wiped or rendered inoperable for company purposes.

Transfer or Archive Data

Decide what happens to the employee's email, files, and work product. Important business communications and documents should be preserved and transferred to a manager or successor, not deleted along with the account. Email forwarding, mailbox archiving, and file ownership transfers should follow a defined policy rather than being decided improvisationally.

[Image: Enterprise data transfer and archive management systems]

Revoke All Credentials and Tokens

This is where most offboarding fails. Disabling the primary account is not enough. The employee may have access to dozens of systems and SaaS tools, may have personal devices remembered as trusted, may have active OAuth tokens that authenticate sessions even after the password is changed, and may have shared accounts whose passwords need rotating because they were known to the employee. A thorough revocation goes well beyond the company directory and reaches every place the employee's identity was trusted.

Remove Physical Access

Building access cards, alarm codes, keys, and physical security tokens are easy to forget and dangerous when missed. They should be retrieved and deactivated as part of the same workflow.

Document the Departure

Maintain a record showing exactly what was disabled, when, and by whom, along with the assets that were recovered. This record protects the business if a question later arises about whether access remained.

Common IT Offboarding Mistakes That Cause Breaches

The patterns that produce real incidents are not exotic. They are familiar, fixable, and repeated across small businesses constantly. Recognizing them is the fastest way to remove them from your own environment.

The most common mistake is incomplete revocation. A primary account is disabled, but secondary SaaS logins, VPN access, and personal devices remembered as trusted continue working. This is how former employees retain access for weeks or months without anyone noticing. A second frequent mistake is delayed action: waiting hours or days after a termination to begin offboarding, when the highest risk is in the first hours. A third is missing shared accounts; if any login was shared with the employee, its credentials need rotating immediately, because changing the departing employee's individual password does nothing about a shared one.

Another recurring problem is overlooking remote and contractor access. Vendors, freelancers, and remote staff often have access that lives outside the primary directory, and they fall through standard offboarding when their engagement ends. Finally, many businesses do not document offboarding at all, leaving no record that the work was done, which is both an audit problem and an evidence problem if a later incident traces back to a departed employee's account. Layered cybersecurity solutions that include identity monitoring help catch the gaps these mistakes leave behind, but the goal should be to avoid creating the gaps in the first place.

[Image: Unrevoked employee accounts creating enterprise security risks]

The Special Case of Involuntary Departures

Terminations and contentious departures deserve their own playbook, because the risk profile is different. A frustrated departing employee with active access is a meaningfully higher risk than an amicable departure, and the response should reflect that.

For these situations, IT and HR should coordinate before the termination conversation occurs. Access should be disabled at the moment of, or immediately after, the conversation, rather than at the end of the day or the week. Devices should be recovered on the spot. Email and files should be preserved so that anything inappropriate is not deleted by the employee in the moment. The goal is not to be punitive; it is to remove the temptation and the opportunity that an open access window creates. The legal aspects of timing and method should be coordinated with counsel, but the security principles do not change: faster revocation, complete revocation, and documented revocation.

[Image: Coordinated security response during involuntary employee departure]

How to Build a Repeatable Onboarding and Offboarding Workflow

The goal is to turn these processes from one-off scrambles into structured, repeatable workflows that produce the same secure outcome every time, regardless of who is handling them on a given day. A workable approach follows a clear order.

  1. Document the standard onboarding checklist by role. What does a new salesperson need? A new finance hire? A new clinician? Defined role-based templates make least-privilege provisioning the default rather than the exception.
  2. Document the standard offboarding checklist. List every account type, system, device, and physical access point the business uses. The list should be reviewed and updated periodically as the technology stack changes.
  3. Tie HR triggers to IT actions. The moment HR processes a hire or a departure, an IT workflow should automatically begin. Decoupled processes are where employees fall through the cracks.
  4. Automate where you can. Identity management platforms can centralize provisioning and deprovisioning so that disabling one account propagates across connected systems, which dramatically reduces the chance of missed revocations.
  5. Audit periodically. Review account lists against current staff at least quarterly to find accounts that should have been disabled but were not. This safety net protects against the inevitable mistakes in any individual offboarding.
  6. Maintain reliable backups. Robust data backup and disaster recovery ensures that data preserved during an employee's tenure remains recoverable even after their accounts are removed, which matters for both compliance and continuity.
  7. Train everyone involved. The people running onboarding and offboarding need to know the process, follow it consistently, and feel empowered to escalate when something is unclear.
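
As an added example (not from the original post, and not a particular product's API), a small Python ledger that ties the steps above together: role templates make least-privilege provisioning the default, the day-one record becomes the last-day revocation checklist (flagging shared logins that need a password rotation rather than a disable), and a quarterly reconciliation finds open grants whose owner is no longer on the HR roster. All roles, systems, names and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed role templates: a role gets exactly these systems by default, never a copy of a predecessor.
ROLE_TEMPLATES = {
    "sales": {"email", "crm", "vpn"},
    "finance": {"email", "erp", "payroll", "vpn", "erp-service"},
}
SHARED_LOGINS = {"erp-service"}  # constructed: logins known to several people need rotation, not a disable

@dataclass
class Grant:  # one ledger line: what, to whom, when, by whom, and when/by whom it was taken back
    user: str
    system: str
    granted_on: date
    granted_by: str
    revoked_on: date | None = None
    revoked_by: str | None = None

def provision(user: str, role: str, on: date, by: str) -> list[Grant]:
    """Day-one provisioning from the role template only (least privilege by default)."""
    return [Grant(user, s, on, by) for s in sorted(ROLE_TEMPLATES[role])]

def offboarding_checklist(ledger: list[Grant], user: str) -> dict[str, str]:
    """Every grant still open for this user, with the action each one needs."""
    return {g.system: ("rotate-password" if g.system in SHARED_LOGINS else "disable")
            for g in ledger if g.user == user and g.revoked_on is None}

def revoke(ledger: list[Grant], user: str, system: str, on: date, by: str) -> bool:
    """Close one grant and record who did it and when; False if nothing was open."""
    for g in ledger:
        if g.user == user and g.system == system and g.revoked_on is None:
            g.revoked_on, g.revoked_by = on, by
            return True
    return False

def audit_orphans(ledger: list[Grant], hr_active: set[str]) -> dict[str, set[str]]:
    """Quarterly reconciliation: open grants whose owner is no longer on the HR roster."""
    orphans: dict[str, set[str]] = {}
    for g in ledger:
        if g.revoked_on is None and g.user not in hr_active:
            orphans.setdefault(g.user, set()).add(g.system)
    return orphans

def sample_ledger() -> list[Grant]:
    """Constructed data: two hires, then bob leaves and only his mailbox gets disabled."""
    ledger = provision("alice", "sales", date(2026, 1, 5), "it") + provision("bob", "finance", date(2026, 2, 2), "it")
    revoke(ledger, "bob", "email", date(2026, 5, 29), "it")
    return ledger
```

Running `offboarding_checklist(sample_ledger(), "bob")` shows the four systems the mailbox-only offboarding missed, and `audit_orphans(sample_ledger(), {"alice"})` is the quarterly check that catches the same gap after the fact.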

For most small businesses, parts of this workflow are best handled with outside help, because the technical work spans identity systems, device management, SaaS administration, and security tooling. Ongoing managed IT services can carry the operational load of provisioning and deprovisioning, while the business focuses on the HR and people side of the transition.

GlobeVM is a managed IT and cybersecurity firm providing managed IT services in Los Angeles and the surrounding area, with CCSP-certified expertise and practical experience helping small and mid-sized businesses build the onboarding and offboarding workflows that close the security gaps most often missed. For businesses that want these processes treated with the rigor they actually deserve, the right local partner makes the difference between a workflow that protects the business and one that quietly leaks access for months.

Frequently Asked Questions

When should a departing employee's access be disabled?

Access should be disabled at the moment the departure is final, not at the end of the day or week. For planned, amicable departures, this can be aligned with the last working day. For unplanned or involuntary departures, access should be disabled at the moment of or immediately after the termination conversation. The highest risk is in the first hours after departure, which is exactly when many businesses act too slowly.

What is the most common offboarding mistake?

Incomplete revocation. Businesses disable the primary account but leave secondary SaaS logins, VPN access, OAuth tokens, shared account passwords, and remembered devices still working. A thorough offboarding reaches every place the employee's identity was trusted, not just the company directory. Without that completeness, former employees retain access in ways the business does not see.

Should a new hire receive the same access as their predecessor?

No. The principle of least privilege says new hires should receive only the access their role actually requires, granted deliberately rather than as a copy of what previous people had. Over-provisioning is one of the most common security findings in small business environments, and it almost always begins on day one because granting blanket access is easier than thinking carefully about what each role needs.

Do onboarding and offboarding affect compliance?

Yes, directly. Frameworks such as HIPAA, PCI DSS, and SOX all expect access to sensitive systems to be granted on a need-to-know basis and revoked when no longer needed, with documentation showing that this is done. A weak onboarding or offboarding process is a finding waiting to happen during any audit, and a documented, consistent workflow is part of how a business demonstrates that its controls actually operate.

If you are not confident that every employee who has left your business has truly lost their access, a focused review with a knowledgeable local partner is the most direct way to find the gaps before someone else does.
