Ex-Employee Still Has Access to Company Data in 1 in 4 Cases: How to Fix That

April 7, 2026

According to a study by Beyond Identity, approximately 25% of employees can still access their past workplace’s accounts and emails after leaving. What is even more alarming is that over 41% of these former employees admitted to sharing their workplace logins with others. A similar study by OneLogin suggests that the number of ex-employees with active access could be as high as 50%.

The consequences are not theoretical. In the same Beyond Identity research, 56% of former employees admitted to using their continued digital access to actively harm a former employer, and 24% said they intentionally kept a password after leaving. That means more than half of ex-employees with active access are willing to use it against you, and nearly one in four walked out the door with your credentials on purpose.

If you are spending time and money protecting your business from external hackers, but you have not locked down what happens when someone leaves the company, you have a gap in your security that is bigger than most businesses realize. With normal employee turnover, this risk compounds at every stage of the employee lifecycle. This guide covers the real risks of failing to revoke former employee access, a same-day offboarding checklist your IT and HR teams can follow together, and the tools that make instant de-provisioning possible.

How Many Former Employees Can Still Access Your Data?

More than you think. The OneLogin study of 500 US-based IT decision-makers paints a clear picture of how widespread the problem is:

  • 50% of former employees’ accounts remain active for longer than a day after they leave
  • 48% of organizations are aware that former employees can still access corporate applications
  • 32% of organizations said it takes over seven days to fully de-provision a former employee
  • 20% of former employees’ accounts stay active for up to a month after departure
  • 70% of companies take approximately one hour to de-provision a single employee from all corporate application accounts

Out of the 500 respondents, over 100 admitted that failure to terminate system access by former employees directly contributed to data breaches at their companies. The bottom line is that most organizations do not take de-provisioning seriously enough, and the longer lingering access stays active, the wider the window for something to go wrong.

The Real Risks of Leaving Former Employee Access Active

Former employees with active credentials are a type of insider threat, and insider threats are among the most expensive security incidents a business can face. According to the 2022 Cost of Insider Threats Global Report by Ponemon Institute, incidents involving insider threats surged by 44% in two years, costing businesses an average of $15.38 million per incident.

About 1 in 5 data breaches involve a former employee within six months of their departure, according to industry research.

Whether the threat comes from a disgruntled former employee acting with malicious intent, or simply from an account that was never properly disabled and got compromised by an outside attacker, the impact is the same. Businesses that invest in cybersecurity services typically have automated de-provisioning built into their security stack from the start.

Data Loss and Sabotage

When employees are laid off or terminated, some do not take it well. Disgruntled former employees with active credentials can access sensitive systems, delete critical files, corrupt databases, or shut down systems entirely. If access to the company’s network is not revoked promptly, there is a significant risk of sabotage, including unauthorized entry into sensitive systems and data. This is not hypothetical: a former IT administrator at Lucchese Boot Company used his still-active access to shut down the company’s servers and delete crucial files after losing his job.

Data Theft

According to the Ponemon Institute, over 50% of employees have stolen data from former employers. Of those, 40% said they intended to use the stolen information at their new workplace. Customer lists, pricing data, proprietary processes, and strategic plans are all at risk. If you do not secure data access on the day someone leaves, everything they had access to is fair game.

Compliance Violations

Regulatory frameworks like HIPAA, PCI-DSS, NIST, and the FTC Safeguards Rule all require organizations to control and revoke access to sensitive data. Maintaining IT compliance means protecting employee data, documenting your offboarding process, and proving that access was revoked in a timely manner.

Sensitive data breaches may trigger mandatory legal obligations, including notifying affected individuals and regulators. It is important to engage legal counsel experienced in trade secret law to guide your company’s response to any data breaches. Delaying the revocation of access can lead to compliance violations under regulations like GDPR or HIPAA. If a former employee accesses protected health information, payment card data, or customer records after their departure, your organization is liable, regardless of whether the access was intentional or accidental. Many cyber insurance policies also require documented offboarding procedures as a condition of coverage.

Wasted Spend on Unused Licenses

Every active account tied to a former employee is a license you are paying for that nobody is using. Across Microsoft 365, Google Workspace, CRM seats, project management tools, and other SaaS tools, these costs add up quickly, especially if de-provisioning is delayed by weeks or months.

Breach of Confidentiality

In today’s data-driven business environment, companies routinely poach employees from competitors specifically to gain access to confidential information. If a departing employee still has access to your systems after joining a competitor, your trade secrets, client data, and other sensitive information may be walking out the door with them.

Why Regular Access Reviews Matter

Revoking access on the day someone leaves is only the first step. Without ongoing access reviews, dormant accounts, shared accounts, and outdated access permissions accumulate silently across your cloud platforms, internal applications, and company network. These overlooked access points are a common source of unauthorized access, data theft, and insider threats.

Audit user accounts and conduct access reviews quarterly, or at minimum during every employee transition. Review who has access to what across every system that holds sensitive data or intellectual property. Many compliance frameworks require this level of visibility, and regular reviews help security teams and HR departments close security gaps before they can be exploited. This proactive approach supports business continuity, reduces the risk of security breaches and data exfiltration, and ensures that only current employees retain the permissions they need.
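
An added example, not part of the original article: one way to run the account side of such a review in Python, reconciling an HR roster against an account export. The roster, the accounts, the field names and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not from the article

# Constructed HR roster: person -> departure date (None = still employed).
ROSTER = {"alice": None, "bob": date(2026, 3, 2), "carol": date(2026, 1, 15)}

# Constructed account export merged from several systems. "holders" are the
# people who know the credential; more than one holder means a shared account.
ACCOUNTS = [
    {"system": "idp", "name": "alice", "holders": ["alice"], "enabled": True,
     "last_sign_in": date(2026, 4, 6), "secret_changed": date(2026, 2, 1)},
    {"system": "idp", "name": "bob", "holders": ["bob"], "enabled": False,
     "last_sign_in": date(2026, 3, 2), "secret_changed": date(2025, 11, 3)},
    {"system": "crm", "name": "bob@crm", "holders": ["bob"], "enabled": True,
     "last_sign_in": date(2026, 3, 20), "secret_changed": date(2025, 6, 1)},
    {"system": "vpn", "name": "carol", "holders": ["carol"], "enabled": True,
     "last_sign_in": date(2025, 12, 30), "secret_changed": date(2025, 5, 9)},
    {"system": "social", "name": "marketing", "holders": ["alice", "carol"],
     "enabled": True, "last_sign_in": date(2026, 4, 5),
     "secret_changed": date(2025, 12, 1)},
    {"system": "erp", "name": "alice-old", "holders": ["alice"], "enabled": True,
     "last_sign_in": date(2025, 10, 1), "secret_changed": date(2025, 9, 1)},
]


def review(accounts, roster, today):
    """Return sorted (system, account, finding) tuples for one access review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned
        key = (acct["system"], acct["name"])
        # Departure dates of holders who have left the company.
        left = [roster[h] for h in acct["holders"] if roster.get(h)]
        if left and len(left) == len(acct["holders"]):
            # Every holder is gone, yet the account still works.
            findings.append(key + ("departed_owner_still_enabled",))
            if acct["last_sign_in"] > max(left):
                findings.append(key + ("sign_in_after_departure",))
        elif left and acct["secret_changed"] < max(left):
            # Shared credential that a departed holder still knows.
            findings.append(key + ("shared_secret_not_rotated",))
        if today - acct["last_sign_in"] > DORMANT_AFTER:
            findings.append(key + ("dormant",))
    return sorted(findings)


if __name__ == "__main__":
    for system, name, finding in review(ACCOUNTS, ROSTER, date(2026, 4, 7)):
        print(f"{system:7} {name:10} {finding}")
```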

The Same-Day Employee Offboarding Checklist

The number one question people ask about this topic is “how to make sure ex-employees lose access to data instantly.” Here is a concrete, structured process your IT and HR teams can follow on the day an employee departs. The key is coordination: HR should notify IT immediately when a departure is confirmed, ideally before the employee’s last conversation with their manager. If IT learns about a termination after the fact, you have already lost the window for clean de-provisioning.

Within the First Hour

Disable the primary account. Deactivate the employee’s account through their directory (Active Directory, Azure AD / Microsoft Entra ID, Google Workspace admin, or whatever identity provider your organization uses). This single action should cascade to disable access across all connected applications if you are using single sign-on (SSO). If you are not using SSO, you will need to disable access across multiple systems individually, which is exactly why SSO matters.

Reset passwords on any accounts not connected to SSO. Any standalone application the employee accessed that is not federated through your identity provider needs its password changed immediately. This includes shared accounts, service accounts, and any tool where the employee might have set up a personal login.

Revoke VPN and remote access. If the employee had VPN access, remote desktop access, or any other method of connecting to your network from outside the office, disable it immediately.

Terminate active sessions. Disabling an account does not automatically kill sessions that are already open. To prevent unauthorized access, force sign-out on all active sessions across email, cloud apps, collaboration tools, and any web-based platforms.

Within the First Day

Revoke access to shared documents and drives. Remove the former employee from all shared folders, cloud storage, SharePoint sites, Google Drive shared drives, Dropbox teams, and any other document collaboration platforms. This is the step most organizations miss: they disable the account but forget that the employee was a member of shared drives that other team members still use.

Audit document access and sharing history. Check whether the employee attempted to retrieve data by downloading, forwarding, or sharing files in the days or weeks before departure. Most cloud platforms (Google Workspace, Microsoft 365, Dropbox Business) have audit logs that show file access and download activity. If you see bulk downloads or unusual sharing activity, escalate immediately.

Remove from communication channels. Remove the employee from Slack channels, Microsoft Teams groups, shared email distribution lists, and any internal messaging platforms. Disable their voicemail and update any phone system routing.

Wipe company data from personal devices. If your organization has a BYOD (bring your own device) policy and the employee was accessing company email, files, or applications from personal phones or laptops, initiate a remote wipe of company data through your mobile device management (MDM) platform. This does not erase their personal data; it removes the company container and any managed applications.

Collect company devices. Retrieve laptops, phones, external drives, and any other hardware that belongs to the company. Do not wait until the end of the week.

Within the First Week

Reassign licenses. Transfer Microsoft 365, Google Workspace, CRM, and other software licenses to the employee’s replacement or back to the available pool. Stop paying for seats nobody is using.

Forward or archive email. Set up email forwarding to the employee’s manager or team lead for a defined period (typically 30-90 days) to ensure nothing critical is missed. After the forwarding period, archive the mailbox.

Collect physical assets. Retrieve laptops, phones, access badges, security tokens, keys, and any other company-owned devices or materials. Use a Receipt of Company Items form to track what was returned and confirm that nothing is missing. This documentation protects both the organization and the departing employee.

Document everything. Record what was revoked, when, and by whom. This documentation is essential for compliance audits and for demonstrating due diligence if a data breach does occur.
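
An added example, not part of the original article: a Python check that reads the documented action log and grades each checklist step against its window (first hour, first day, first week). The step keys, the log format, the sample log and the reading of "first day" as 24 hours are assumptions made for this example.

```python
from datetime import datetime, timedelta

HOUR, DAY, WEEK = timedelta(hours=1), timedelta(days=1), timedelta(days=7)

# Steps and windows from the checklist above. The step keys are names chosen
# for this example, and "first day" is assumed to mean 24 hours.
CHECKLIST = {
    "disable_primary_account": HOUR, "reset_non_sso_passwords": HOUR,
    "revoke_vpn_remote_access": HOUR, "terminate_active_sessions": HOUR,
    "revoke_shared_docs": DAY, "audit_sharing_history": DAY,
    "remove_comm_channels": DAY, "wipe_byod_company_data": DAY,
    "collect_company_devices": DAY, "reassign_licenses": WEEK,
    "forward_or_archive_email": WEEK, "collect_physical_assets": WEEK,
}

# Constructed action log: ISO timestamp, step, actor (actor missing on one line).
SAMPLE_LOG = """
2026-04-07T08:55 disable_primary_account it.admin
2026-04-07T09:20 revoke_vpn_remote_access it.admin
2026-04-07T11:30 terminate_active_sessions it.admin
2026-04-07T15:00 revoke_shared_docs it.admin
2026-04-08T10:00 remove_comm_channels
2026-04-09T09:00 reassign_licenses it.admin
"""


def audit(departed_at, log_text, now):
    """Classify every checklist step as on_time, late, overdue or pending."""
    done = {}
    for line in log_text.strip().splitlines():
        stamp, step, *actor = line.split()
        when = datetime.fromisoformat(stamp)
        # Keep the earliest entry per step; ignore steps not on the checklist.
        if step in CHECKLIST and (step not in done or when < done[step][0]):
            done[step] = (when, actor[0] if actor else None)
    report = {}
    for step, window in CHECKLIST.items():
        deadline = departed_at + window
        if step not in done:
            report[step] = "overdue" if now > deadline else "pending"
            continue
        when, actor = done[step]
        status = "on_time" if when <= deadline else "late"
        # "By whom" is part of the record, so a missing actor is flagged too.
        report[step] = status if actor else status + "_no_actor"
    return report


def gaps(report):
    """Steps that need follow-up (anything not cleanly on time or pending)."""
    return sorted(s for s, v in report.items() if v not in ("on_time", "pending"))


if __name__ == "__main__":
    left = datetime(2026, 4, 7, 9, 0)
    for step, status in audit(left, SAMPLE_LOG, datetime(2026, 4, 10, 9, 0)).items():
        print(f"{status:14} {step}")
```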


Managing Shared Document Access Across Your Organization

One of the biggest blind spots in employee offboarding is shared document access. Disabling an employee’s account is not enough if they were a co-owner of shared Google Drive folders, had edit access to critical SharePoint sites, or were the admin of shared Dropbox folders.

The problem compounds over time. Many organizations do not regularly audit who has access to what. Files get shared with individuals, teams grow, people change roles, and eventually nobody knows exactly who can see which documents. When an employee leaves, the IT team disables their account but has no visibility into the dozens of shared resources the employee was connected to.

The fix requires two things: a regular access audit schedule and a centralized identity management approach with strong access controls. Audit shared folder permissions quarterly, or at minimum during every employee transition. Use your identity provider to manage group-based user access rather than sharing files with individual email addresses. When someone leaves, removing them from the group automatically removes their access to everything the group could see.
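
An added example, not part of the original article: a Python audit over a sharing export that shows which of a departing user's access paths disappear with group removal and which direct grants and sole ownerships remain. The export format, resources, groups and addresses are constructed assumptions.

```python
GROUP_PREFIX = "group:"  # marker used in this constructed export format

# Constructed sharing export: (resource, principal, role).
ACL = [
    ("Finance/Budget.xlsx", "group:finance", "editor"),
    ("Finance/Budget.xlsx", "bob@example.com", "owner"),
    ("Sales/Pricing.docx", "group:sales", "viewer"),
    ("Sales/Pricing.docx", "bob@example.com", "editor"),
    ("Sales/Pricing.docx", "alice@example.com", "owner"),
    ("HR/Handbook.pdf", "group:all-staff", "viewer"),
    ("HR/Handbook.pdf", "alice@example.com", "owner"),
]

# Constructed group membership from the identity provider.
GROUPS = {
    "finance": {"bob@example.com", "dana@example.com"},
    "sales": {"alice@example.com"},
    "all-staff": {"alice@example.com", "bob@example.com", "dana@example.com"},
}


def effective_access(user, acl, groups):
    """Map resource -> set of paths ('direct' or a group name) granting access."""
    paths = {}
    for resource, principal, _role in acl:
        if principal == user:
            paths.setdefault(resource, set()).add("direct")
        elif principal.startswith(GROUP_PREFIX):
            group = principal[len(GROUP_PREFIX):]
            if user in groups.get(group, ()):
                paths.setdefault(resource, set()).add(group)
    return paths


def offboard_report(user, acl, groups):
    """Compare access before and after removing the user from every group."""
    before = effective_access(user, acl, groups)
    stripped = {g: members - {user} for g, members in groups.items()}
    after = effective_access(user, acl, stripped)
    owners = {}
    for resource, principal, role in acl:
        if role == "owner":
            owners.setdefault(resource, set()).add(principal)
    return {
        # Access that group removal alone takes away.
        "cleared_by_group_removal": sorted(set(before) - set(after)),
        # Individual shares that survive and must be revoked one by one.
        "direct_grants_remaining": sorted(after),
        # Files with no other owner: transfer ownership before deleting the user.
        "sole_owner_needs_transfer": sorted(
            r for r, who in owners.items() if who == {user}),
    }


if __name__ == "__main__":
    for finding, resources in offboard_report("bob@example.com", ACL, GROUPS).items():
        print(finding, resources)
```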

Modern Identity Management Makes Instant Offboarding Possible

If your organization is still de-provisioning employees by manually logging into each application and disabling accounts one by one, you are operating with an approach that guarantees gaps. Manual de-provisioning across even a modest tech stack of 10-15 applications takes hours, and the OneLogin data shows that 70% of companies take about an hour just to remove one employee from all systems.

The solution is centralized identity and access management through a platform like Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace’s identity services. These platforms serve as a single source of truth for employee access. When you disable an account in the identity provider, you can revoke system access across every connected application simultaneously: email, file storage, CRM, cloud services, project management, and communication tools.

Single sign-on (SSO) is the specific feature that makes this work. When all of your business applications authenticate through one identity provider via SSO, access revocation becomes a single action instead of a multi-hour, multi-application scramble. For organizations with 25 or more employees, partnering with a managed IT services company that configures SSO properly is not a luxury; it is a basic security requirement that pays for itself the first time you need to offboard someone quickly.

Automated de-provisioning takes this a step further. With directory-based provisioning, when an employee’s status changes to “terminated” in your HR system, automation tools within the identity provider can automatically disable their accounts across all connected applications without any manual intervention from IT. The employee’s access is revoked before they have finished their exit interview, closing the window before it opens.

Do Not Forget Personal Devices

The modern workplace runs on personal devices. Employees check email on their phones, access shared drives from personal laptops, use messaging apps on tablets, and store company files in personal cloud accounts. When someone leaves, disabling their network account does not automatically remove any of this.

If you have a mobile device management (MDM) solution in place, you can perform a selective wipe that removes company data and managed applications from personal devices without touching the employee’s personal photos, apps, or files. If you do not have MDM, you are relying on the departing employee to voluntarily remove company data from their personal devices, which is not a security strategy.

At minimum, as a baseline for safeguarding data, ensure that departing employees sign an acknowledgment that they have removed all company data from personal devices and that they understand accessing company systems after departure is unauthorized. But acknowledgment forms are a legal backstop, not a technical control. MDM is the technical control.

Frequently Asked Questions

How quickly should you revoke an ex-employee’s access? Immediately. The primary account should be disabled within the first hour of the employee’s departure. If you are using SSO and centralized identity management, this single action revokes access across all connected applications simultaneously. Full de-provisioning, including shared documents, communication channels, and license reassignment, should be completed within one business day. According to industry surveys, 85% of IT professionals consider the period during and immediately after offboarding to be a critical time for cybersecurity risk.

What percentage of former employees still have access to company data? According to Beyond Identity, approximately 25% of former employees can still access their past workplace’s accounts and emails. OneLogin’s research suggests the figure could be as high as 50%, with 32% of organizations taking over seven days to fully de-provision a departing employee.

Can a former employee access company data from a personal device? Yes. If the employee was accessing company email, files, or applications from a personal phone or laptop, that access may persist after their network account is disabled, especially if the device has cached credentials or offline access. A mobile device management (MDM) solution can perform a selective wipe of company data on personal devices.

What should an IT offboarding checklist include? A complete offboarding checklist should cover: disabling the primary directory account, resetting passwords on standalone applications, revoking VPN and remote access, terminating active sessions, removing access to shared documents and drives, auditing file download and sharing activity, removing from communication channels, wiping company data from personal devices, reassigning software licenses, forwarding or archiving email, collecting physical assets, and documenting all actions taken. Key actions after terminating an employee include conducting a forensic investigation and changing shared passwords.

What tools help automate employee de-provisioning? Centralized identity management platforms like Microsoft Entra ID (formerly Azure AD), Okta, and Google Workspace identity services allow you to disable an employee’s access across all connected applications with a single action. Combined with SSO and automated provisioning workflows tied to your HR system, the entire de-provisioning process can happen automatically when an employee’s status changes.

Is failure to de-provision a compliance violation? It can be. Regulatory frameworks including HIPAA, PCI-DSS, NIST, and the FTC Safeguards Rule all require organizations to control access to sensitive data. If a former employee accesses protected information after their departure because their accounts were not properly disabled, the organization may face compliance penalties, legal liability, and potential loss of cyber insurance coverage.

How should you handle email forwarding after an employee leaves? Forwarding emails to a manager or shared inbox is a common practice to ensure business continuity and prevent missed communications or service disruptions.

Stop the Bleeding Before It Starts

Every day a former employee’s account stays active is another day your business is exposed. The fix is not complicated: it is a combination of having the right process (a thorough, secure offboarding process with a documented checklist), the right tools (centralized identity management and SSO), and the right partner to make sure nothing slips through the cracks. Building a company culture where security is part of the departure process, not an afterthought, is what separates organizations that get breached from those that do not.

At LeadingIT, we help Chicagoland businesses build IT offboarding processes that revoke access instantly, audit shared document permissions, and ensure compliance with the frameworks that govern your industry. If you are not sure how long it would take your organization to fully de-provision a departing employee today, that uncertainty is the problem.

Schedule a free IT assessment and let us close the gaps before a former employee finds them first.

LeadingIT is a cyber-resilient technology and cybersecurity services provider. With our concierge support model, we provide customized solutions to meet the unique needs of nonprofits, schools, manufacturers, accounting firms, government agencies, and law offices with 25–250 users across the Chicagoland area. Our team of experts solves the unsolvable while helping our clients leverage technology to achieve their business goals, ensuring the highest level of security and reliability. Call us at 815-788-6041 or book a free assessment today.
