
Onboarding and offboarding: managing accounts and access

A repeatable checklist to set up a new hire's accounts and cleanly revoke every access when they leave, with no security blind spot left behind.

Published on March 5, 2026


Bringing in a new hire means giving them what they need to work from day one: an email address, a workstation, access to the right tools. Offboarding someone is the reverse, and that is often where things get messy. People remember to collect the badge, far less to close every account.

Yet a forgotten account stays active for months, sometimes years. For a small business, this is a common and easily avoidable security blind spot. Here is a repeatable checklist to cleanly open access on arrival, and above all to fully revoke it on departure.

Why is a forgotten account a security risk?

An account that outlives its owner is a door left open. The person who has left can still read their email, open files, log in to a business application from home. Even without bad intent, the access exists and is beyond your control.

The risk does not depend on the relationship. A departure can be friendly or tense: in both cases, an active account is a weak point. A disgruntled former employee can take data with them. An inactive, unmonitored account is also an easy target for an attacker, because no one notices the suspicious logins.

The effect builds up over time. The more a company grows, the more dormant accounts it accumulates if revocation is not systematic. Each one widens your exposure without adding anything. The rule is simple: an access that is no longer used should be closed, not left to sleep.

How do you cleanly open a new hire’s accounts?

The goal is for the person to be operational on their first day, with no unnecessary access. It is better to prepare the openings the day before than to improvise them on the morning itself.

Email and identity. Create the professional email address and the main account (often Microsoft 365 or Google Workspace), which acts as the entry key to the other tools. Enable two-factor authentication from the start.

The workstation. Prepare the computer: personal session, disk encryption, basic software, current updates, active antivirus. A standardised workstation takes less time to prepare than one configured case by case.

Business software and file permissions. Grant access only to the applications and folders the role requires. The principle of least privilege (granting only what is useful) limits damage if a problem occurs and simplifies revocation later.

Shared accounts and occasional tools. Social media, billing platforms, client access: note what is entrusted and to whom. Prefer individual access where possible; it is easier to remove than a shared password.

What checklist should you follow when someone leaves?

This is the step most often rushed, and the most sensitive. A written checklist, followed point by point, prevents oversights. Ideally, trigger it as soon as notice is given and finalise it on the last day.

Disable email and the main account. Cut off access, then decide what happens to the emails: forwarding to a manager, automatic reply, archiving. Disabling before deleting lets you recover useful data.

Recover or reassign files. Transfer professional documents and personal work folders to the right person before any deletion. Check shared storage spaces and remove individual permissions.

Rotate shared passwords. Change every password the person knew, especially shared accounts without individual logins. Disabling their account is not enough if they still know the password to a common tool. We cover the use of a password manager and two-factor authentication in our article on passwords and two-factor authentication.

Revoke two-factor authentication and sessions. Remove trusted devices, log out active sessions and delete 2FA methods linked to the person. Otherwise they may keep a way in even after a password change.

Cut off business software and external access. List every application, client access, VPN or third-party tool, and close them one by one. This is where the inventory kept at onboarding saves precious time.

Return the equipment. Collect the computer, phone, badges and any storage media. Before reassignment, wipe or reset the devices so that no data or session remains.

How do you keep an inventory of access up to date?

A checklist is only worth something if it reflects the reality of your accounts. Without an inventory, you will inevitably forget a tool subscribed to two years ago and used by a single person.

Keep a living list of accounts and subscriptions. Note each service, who has access, and the type of access (individual or shared). Update it at every arrival, departure or new tool. A simple shared, secured spreadsheet is enough to start.

Link the inventory to your backups. Before deleting an account, make sure its important data is backed up elsewhere. The 3-2-1 method, explained in our backup guide, ensures nothing essential disappears with a closed account.

Review access regularly. Once a year, go through the list and close what is no longer used: forgotten subscriptions, test accounts, access granted for a finished project. This review reduces your exposure and your costs.
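
The inventory described above can drive both the departure checklist and the annual review. The following is an added example, not code from iokoo: the CSV column names, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory: one row per (service, person) grant.
# Column names are assumptions; the article asks only for service, holder and access type.
INVENTORY_CSV = """service,person,access_type
Microsoft 365,alice,individual
Microsoft 365,bob,individual
VPN,alice,individual
Billing platform,alice,shared
Billing platform,bob,shared
Social media,bob,shared
Old survey tool,carol,individual
"""

def load_inventory(text):
    """Parse the inventory and reject rows with an unknown access type."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["access_type"] not in ("individual", "shared"):
            raise ValueError(f"unknown access type in row: {row}")
    return rows

def offboarding_plan(rows, leaver):
    """Split the leaver's entries into accounts to disable and shared passwords to rotate."""
    mine = [r for r in rows if r["person"] == leaver]
    disable = sorted(r["service"] for r in mine if r["access_type"] == "individual")
    rotate = {}
    for r in mine:
        if r["access_type"] == "shared":
            # The remaining holders of the shared password need the new one.
            rotate[r["service"]] = sorted(
                o["person"] for o in rows
                if o["service"] == r["service"]
                and o["access_type"] == "shared"
                and o["person"] != leaver)
    return {"disable": disable, "rotate": rotate}

def orphaned_access(rows, current_staff):
    """Periodic review: entries still held by someone who is no longer on staff."""
    return sorted((r["person"], r["service"]) for r in rows
                  if r["person"] not in current_staff)

if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print(offboarding_plan(inventory, "alice"))
    print(orphaned_access(inventory, {"alice", "bob"}))
```

A shared service that maps to an empty list of remaining holders still needs its password rotated; the empty list only means nobody else has to be given the new one.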

Should you handle these steps in-house or get support?

In a small business, these tasks often fall to the owner or an assistant, squeezed between other priorities. They are simple once the method is set, but easy to postpone, and it is the repeated oversight that creates the risk.

IT support can take charge of opening and revoking access, keep the inventory up to date, and check that no account stays active after a departure. You keep the decision; the technical execution is handled. Our expert pool page explains how our specialists step in for this kind of need, quickly and without heavy commitment.


Managing arrivals and departures is not complicated: it is a matter of method and consistency. A written checklist, an up-to-date inventory and the reflex to close each access at the right moment are enough to eliminate most of the risks tied to forgotten accounts.

Our iokoo experts support small businesses across all these steps, from opening accounts to cleanly revoking them. Create an account to put reliable, worry-free access management in place.

Frequently asked questions

Should you really delete an account on the day someone leaves?

Yes, ideally on the last day or as soon as the notice takes effect. An account left active after a departure is an open door: readable email, accessible files, business applications still logged in. The risk applies as much to a friendly departure as to a tense one. Disable without delay, then archive useful data before final deletion.

How should you handle shared passwords when someone leaves?

Every password the person knew must be changed, not just their personal account disabled. Shared accounts (social media, banking, tools without individual logins) are the riskiest. A team password manager simplifies the task: you remove the person's access and rotate sensitive secrets in a few minutes.

Who should handle onboarding and offboarding in a small business?

In a small business, it is often the owner or an assistant with little tooling for these technical tasks. A written, followed checklist prevents oversights. IT support can take charge of opening and revoking access, keep the inventory up to date, and ensure no account is left active after a departure.
