They Left. Their Access Didn’t.
Let me paint you a picture. You run a small business in Delray Beach. Last month, you let go of a sales rep — nothing dramatic, just wasn’t a good fit. You shook hands, collected the laptop, and moved on.
Except right now, that former employee can still log into your company email. Your CRM. Your shared Google Drive. Your QuickBooks. Maybe even your bank account portal.
Think I’m exaggerating? A 2025 study by Beyond Identity found that 83% of employees admitted to maintaining access to accounts from a previous employer after leaving. Not because they were hackers — because nobody ever turned off their access.
This isn’t a hypothetical. This is happening right now at businesses across Palm Beach County.
Why This Matters More Than You Think
When most small business owners think about cybersecurity threats, they picture some hoodie-wearing hacker in a dark room halfway around the world. They don’t picture Dave from accounting who left two weeks ago and still has the Dropbox password saved in his browser.
But here’s the reality: insider threats — both malicious and accidental — account for nearly 60% of data breaches. And “insider” doesn’t just mean current employees. It means anyone who ever had access and still does.
Here’s what a disgruntled ex-employee (or even a careless one) can do with lingering access:
- Download your entire client list and hand it to a competitor
- Delete critical files from shared drives — sometimes out of spite, sometimes by accident
- Send emails from your company domain to clients, vendors, or worse
- Access financial systems and initiate unauthorized transactions
- Expose sensitive data that triggers compliance violations and legal liability
And here’s the kicker — if they use credentials you never revoked, it’s going to be very hard to prove it wasn’t an authorized action.
The Offboarding Checklist You’re Probably Missing
Most small businesses have some kind of onboarding process. New hire? Here’s your laptop, here’s your email, here’s the Wi-Fi password. Great.
But offboarding? That’s where things fall apart. There’s no checklist. No process. Someone gets let go on a Friday, and by Monday everyone’s moved on — except nobody disabled a single account.
Here’s the offboarding security checklist every small business should follow the same day an employee departs:
1. Disable Their Email — Immediately
This is step one, and it needs to happen within the hour. Not tomorrow. Not next week. A company email account is the skeleton key to everything else — password resets, client communications, internal systems. Disable it, set up a forwarding rule to their manager, and move on.
2. Revoke Access to Every Cloud App
Make a list. Google Workspace. Microsoft 365. Slack. Trello. Your CRM. Your accounting software. Your project management tool. Social media accounts. Every single one.
If you don’t have a master list of what each employee has access to, that’s a problem we’ll address in a second. But for now — go through everything and remove them.
3. Change Shared Passwords
Here’s where small businesses really struggle. If your team shares a login for your company Instagram, your website CMS, your alarm system app, or your supplier portal — those passwords need to change the day someone leaves.
Yes, it’s annoying. Yes, it’s necessary. A password manager makes this dramatically easier — and if you’re still using a shared spreadsheet or sticky notes, we need to talk.
4. Recover Company Devices
Laptops, phones, tablets, USB drives, security keys — all of it comes back. And don’t just take the laptop and throw it in a closet. Wipe it. You have no idea what’s on that device, what credentials are cached, or what browser sessions are still active.
5. Revoke VPN and Remote Access
If your departing employee had VPN access or could remote into your network, that access needs to die immediately. This is the one that keeps IT professionals up at night — an open VPN tunnel is basically an unlocked back door to your entire network.
6. Check for Personal Devices
Did the employee use their personal phone to check work email? Did they install Slack on their home computer? BYOD (Bring Your Own Device) policies make this messy, but at minimum you need to revoke access from any personal device that was connected to company systems.
7. Review File Access Logs
Before and after the departure, check for unusual activity. Did they download a massive number of files in their last week? Did they email themselves company documents? Most cloud platforms have audit logs — use them.
The Bigger Problem: You Don’t Know What They Had Access To
Here’s the uncomfortable truth — if you can’t quickly generate a list of every system, app, and tool a specific employee has access to, you have an access management problem.
This is incredibly common with small businesses. Access accumulates over time. Someone needs the social media login for a project. Someone else gets added to the accounting software for a quick task. Three years later, a part-time marketing assistant has admin access to half your business tools, and nobody remembers granting it.
The fix isn’t complicated, but it does require discipline:
- Maintain a central access inventory — a simple spreadsheet works. Every employee, every tool, every permission level.
- Use a password manager — tools like Bitwarden or 1Password let you grant and revoke access to shared credentials without ever revealing the actual password.
- Apply least privilege — only give people access to what they need for their specific role. The receptionist doesn’t need admin access to your cloud backup.
- Audit quarterly — every 90 days, review who has access to what. You’ll be surprised what you find.
What This Means for Your South Florida Business
South Florida’s small business community is tight-knit. Employees move between companies. People do freelance work on the side. Business partnerships form and dissolve. That fluidity makes access management even more critical — and even more likely to be neglected.
I’ve seen it firsthand working with businesses from Delray Beach to West Palm Beach. A former office manager still forwarding company emails to their personal account. An ex-contractor with active VPN credentials six months after their contract ended. A departed partner with full admin rights to the company’s entire Google Workspace.
None of these were malicious. All of them were dangerous.
Don’t Wait for a Breach to Fix This
If you’re reading this and realizing your offboarding process is basically “collect the laptop and wish them well” — you’re not alone. But you are at risk.
The good news? This is fixable. You don’t need enterprise software or a massive IT budget. You need a checklist, a password manager, and the discipline to follow through every single time someone leaves.
Or you can hand it off to someone who does this every day. A managed service provider can build your offboarding process, maintain your access inventory, and make sure that when someone leaves your business — their access leaves with them.
Your business is only as secure as the access you control. Time to take back the keys.