The “Insider Threat” You Overlooked: Proper Employee Offboarding
When a paralegal leaves your law firm, what happens to their email account? Their access to your case management system? Their login to the document portal?
If your answer is “IT takes care of it,” the follow-up question is: how fast, and how completely?
In most small businesses — and a lot of law firms — the honest answer is that access removal is slow, incomplete, or both. A former employee’s login might stay active for days or weeks. Their email might still be forwarding. They might still be able to pull documents from your cloud storage long after their last day.
This isn’t usually malicious. It’s disorganization. But the legal and security consequences are the same either way.
Why Law Firms Face Extra Exposure
Florida Bar Rules 4-1.1 (competence) and 4-1.6 (confidentiality) require attorneys to take reasonable steps to protect client data. That obligation doesn’t pause while you’re slow-walking an offboarding. If a former employee retains access to client files — intentionally or not — that’s a confidentiality breach, full stop.
Beyond ethics rules, the practical risks are significant. A departing employee with active credentials could:
- Download client contact lists or matter files before leaving
- Continue receiving emails containing privileged communications
- Share credentials that get cracked and used as a re-entry point months later
Former employee accounts are prime targets for attackers precisely because they’re often forgotten. A breached personal account can match an old work password, giving a hacker trusted access that bypasses every perimeter control you’ve invested in.
The Access You Don’t Know About Is the Problem
The visible accounts are easy. Email, VPN, shared drives — most businesses catch those eventually. The problem is the accounts nobody remembers to check.
Every employee accumulates access over time: the billing platform added two years ago, the project management tool the team started using mid-year, the M365 apps provisioned during a specific project. Without a centralized inventory, something always gets missed.
Using Microsoft 365? A proper offboarding means more than disabling the user account. You need to revoke active sessions, review SharePoint and OneDrive sharing permissions, check Outlook delegation, transfer mailbox ownership, and confirm no forwarding rules were set up before departure. Managing that manually, across every app, for every employee — it doesn’t scale.
A Practical Offboarding Checklist
This is the minimum. Adapt it for your environment:
On the day of departure:
- Disable primary login and revoke MFA devices
- End all active Microsoft 365 sessions (force sign-out across all devices)
- Revoke VPN and remote access credentials
- Disable physical access cards and building codes
Within 24 hours:
- Remove from all shared mailboxes and distribution lists
- Transfer ownership of SharePoint sites, shared drives, and OneDrive content
- Set up email forwarding to a manager for 30–60 days, then close the mailbox
- Wipe and reclaim any company-issued mobile devices
Within the first week:
- Audit all SaaS applications for active user accounts (CRM, billing, document management, legal research platforms)
- Reset passwords for any shared accounts the employee had access to
- Review recent access logs — particularly large file downloads or exports in the days before departure
- Cancel or reassign any SaaS subscriptions tied to that user’s email
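As an added illustration of the Microsoft 365 steps above (the session revocation, MFA cleanup, forwarding-rule check and manager hand-over), here is a PowerShell script written for this article; it is not SmartProIT’s tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the admin running it holds the relevant roles, and the two UPNs are placeholders you supply.

```powershell
# Added example, not SmartProIT's own script. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the runner has admin rights.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,   # placeholder, e.g. paralegal@example.com
    [Parameter(Mandatory)] [string] $ManagerUpn   # placeholder, e.g. partner@example.com
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in, then invalidate refresh tokens so sessions already open on
#    phones and laptops expire instead of living on for days.
Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $LeaverUpn | Out-Null

# 2. Remove registered MFA methods so the leaver cannot approve prompts later.
Get-MgUserAuthenticationPhoneMethod -UserId $LeaverUpn | ForEach-Object {
    Remove-MgUserAuthenticationPhoneMethod -UserId $LeaverUpn -PhoneAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $LeaverUpn | ForEach-Object {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $LeaverUpn -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
}

# 3. Check for forwarding set up before departure: mailbox-level and inbox rules.
$mbx = Get-Mailbox -Identity $LeaverUpn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Pre-existing mailbox forwarding: $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
}
Get-InboxRule -Mailbox $LeaverUpn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        Write-Warning "Removing forwarding inbox rule '$($_.Name)'"
        Remove-InboxRule -Mailbox $LeaverUpn -Identity $_.Identity -Confirm:$false
    }

# 4. Replace it with the sanctioned forward to the manager (the 30-60 day window
#    from the checklist) and give the manager full access for the hand-over.
Set-Mailbox -Identity $LeaverUpn -ForwardingSmtpAddress $ManagerUpn -DeliverToMailboxAndForward $true
Add-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $false | Out-Null

# 5. Print what still needs a human decision: delegates, group memberships, licenses.
Get-MailboxPermission -Identity $LeaverUpn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
Get-MgUserMemberOf -UserId $LeaverUpn -All | ForEach-Object { $_.AdditionalProperties.displayName }
Get-MgUserLicenseDetail -UserId $LeaverUpn | Select-Object SkuPartNumber
```

The final section deliberately reports rather than acts, because shared-mailbox delegations, group memberships and license removal are the items that most often need a partner’s sign-off before they are changed.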
The Financial Leak Nobody Tracks
Poor offboarding creates two categories of financial exposure. The first is obvious: data theft or a breach. The second is quieter: ongoing SaaS billing for accounts that no longer have a user.
A Microsoft 365 Business Premium license that doesn’t get reclaimed after an employee leaves costs your firm roughly $264 per year ($22/month) — per forgotten account. Add the other tools most firms run, and you can easily be paying for ghost users that add up to real money with zero benefit.
A clean offboarding process is also a license audit. Run it consistently, and you’ll recover budget while closing security gaps at the same time.
Build It Into the Process Before Someone Leaves
The offboarding checklist shouldn’t be created in a panic on someone’s last day. It should be documented, stored, and ready to execute — ideally triggered the moment HR gives IT notice.
At SmartProIT, we handle offboarding as part of our managed services for clients on Microsoft 365. When someone leaves, we revoke access centrally, audit SaaS permissions, confirm device compliance, and document the process for your records. No chasing. No missed accounts.
If your current offboarding is less structured than it should be, we can help you close the gap before it becomes a problem.