When an employee leaves a business, most teams remember the obvious steps. They collect the laptop, remove the person from payroll, update internal records, and organise a handover.
However, one of the most important steps is often missed: removing access to business systems.
Ex-staff access can become a serious security risk, especially when businesses use cloud platforms, shared passwords, email accounts, supplier portals, file storage, accounting software, and remote access tools.
Even if the person left on good terms, old access should not remain active.
Why ex-staff access is risky
Former employees may still have access to sensitive business information without anyone realising.
This can include emails, customer records, financial data, internal documents, shared folders, passwords, supplier accounts, cloud applications, or confidential files.
In many cases, the risk is not caused by bad intentions. It happens because access was never properly reviewed or removed.
For example, an ex-staff member may still be signed into email on a personal phone. They may still know a shared password. They may still have access to a cloud folder. Their Microsoft 365 account may still be active. Or their login may still work for an industry-specific application.
Over time, these gaps can build up and become a serious business risk.
Common places where old access gets missed
Offboarding is not just about disabling an email account.
Many businesses use a mix of systems, and each one needs to be considered when someone leaves.
Common areas to check include:
- Microsoft 365 accounts
- Email access
- Shared mailboxes
- Teams and SharePoint
- OneDrive files
- Remote access tools
- Accounting software
- CRM systems
- Industry-specific applications
- Supplier portals
- Password managers
- Shared passwords
- Mobile devices
- Cloud storage platforms
- Phone systems
- Security camera systems
- Wi-Fi access
- Admin accounts
If there is no clear offboarding process, it is easy for one or more of these to be missed.
Shared passwords make the problem worse
Shared passwords are one of the biggest reasons ex-staff access becomes difficult to control.
If multiple people use the same login, it is hard to know who has access, who used the account last, and whether the password has been shared outside the business.
When an employee leaves, a shared password may need to be changed across multiple systems. If this does not happen, the business may still be exposed.
This is why individual user accounts, multi-factor authentication, and password management are important. They make access easier to control and easier to remove when someone leaves.
Access should match the person’s role
Another common issue is that staff often collect access over time.
Someone may start in one role, move into another, help with a project, cover for another team member, or temporarily receive access to extra folders and systems.
When that person leaves, businesses may not have a clear record of what they had access to.
This is why access reviews are important. Businesses should regularly check who has access to what, especially for sensitive systems and files.
A proper offboarding process protects the business
A strong offboarding process should be clear, consistent, and repeatable.
Before an employee leaves, the business should know:
- What devices need to be returned
- Which accounts need to be disabled
- Which passwords need to be changed
- Which files need to be transferred
- Which shared mailboxes need to be reviewed
- Which licences can be removed
- Which systems need access removed
- Whether MFA needs to be reset
- Whether any company data is stored on personal devices
This process should happen every time, not just when someone leaves under difficult circumstances.
Do not forget contractors and temporary staff
Ex-staff access does not only apply to permanent employees.
Contractors, temporary staff, consultants, external providers, and short-term workers may also have access to business systems.
Because these people may not go through the same HR process as permanent staff, their access can be easier to forget.
Any person who has access to company systems should have a clear start date, access approval, and removal process.
Final thoughts
When someone leaves your business, removing their access should be treated as a priority.
Old accounts, shared passwords, forgotten cloud access, and unmanaged devices can create unnecessary risk. The longer access remains open, the harder it becomes to know who can see or use your business information.
A clear offboarding process helps protect your data, your staff, and your customers.
If your business is unsure who still has access to your systems, Rosh Tech can help review your users, permissions, devices, and security settings so access is properly managed.

