Someone quits on a Friday. By Monday, you've handed off their work, updated the org chart, and sent the all-hands announcement. But somewhere, their Slack account is still active. Their Google Drive still has full access. They can still log into your CRM.
This isn't hypothetical. It happens at almost every company that doesn't have a formal offboarding process — which is most SMBs.
The Numbers Are Uncomfortable
Studies consistently show that a significant percentage of former employees retain access to company systems after they leave. In some surveys, it's over 50%. The reasons are mundane: IT didn't get notified in time, the offboarding checklist was incomplete, or nobody was responsible for revoking access to the 14 different SaaS tools the person used.
The risk isn't always malicious. Sometimes a former employee accidentally stumbles into a system they still have access to. Sometimes it isn't an accident at all: they left on bad terms and they know exactly where the sensitive data lives.
Why It's Harder Than It Sounds
Revoking access sounds simple. In practice, it requires knowing every tool a person used, having admin access to each one, and actually doing it before they walk out the door.
At most SMBs, that list doesn't exist anywhere. Tools get added constantly — a team adopts a new project management app, someone signs up for a niche analytics tool on their company card — and nobody keeps a master list. By the time someone leaves, IT is trying to reconstruct their software footprint from memory and email history.
The Tools Nobody Remembers
The obvious ones — email, Slack, Google Workspace — usually get handled. It's the second and third-tier tools that slip through. The password manager. The design tool. The customer support platform. The finance software. Each of these is a potential entry point for someone who shouldn't have access.
And unlike your core infrastructure, these SaaS tools often don't trigger security alerts when someone logs in from an unusual location. A former employee accessing your Intercom account six months after they left might never be noticed.
Building a Real Offboarding Process
The fix is simpler than most companies make it. You need three things: a complete inventory of every tool each employee uses, a clear owner for the offboarding process, and a checklist that gets executed every single time — not just when HR remembers to tell IT.
The checklist should be triggered the moment a resignation is accepted, not on the last day. That gives IT time to prepare the handoff without rushing. And it should be exhaustive: every app, every account, every access credential.
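An added example, not from the original article or from CoreIT: a small audit that cross-references an HR departure list with per-tool user exports, producing the revocation checklist once a resignation is accepted and flagging accounts still active, or logged into, after the last day. The data shapes, tool names and addresses are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed shapes, not from any real system).
# HR list: email -> (date resignation accepted, last working day)
DEPARTURES = {
    "dana@example.com": (date(2024, 3, 1), date(2024, 3, 15)),
    "lee@example.com": (date(2024, 6, 3), date(2024, 6, 28)),
}
# Per-tool user exports: (tool, email, account active?, last login or None)
ACCOUNTS = [
    ("email", "dana@example.com", False, date(2024, 3, 15)),
    ("support-desk", "Dana@Example.com", True, date(2024, 5, 20)),
    ("design-tool", "dana@example.com", True, date(2024, 3, 10)),
    ("crm", "lee@example.com", True, date(2024, 6, 10)),
    ("crm", "sam@example.com", True, date(2024, 6, 11)),
]

def audit(departures, accounts, today):
    """Return (checklist, ghosts, late_logins).

    checklist:   email -> tools to revoke (resignation accepted, still employed)
    ghosts:      (email, tool) accounts still active after the last day
    late_logins: (email, tool, days after last day) for any login past the last day
    """
    checklist, ghosts, late_logins = {}, [], []
    for tool, email, active, last_login in accounts:
        email = email.strip().lower()  # exports rarely agree on casing
        if email not in departures:
            continue  # not leaving, nothing to revoke
        accepted, last_day = departures[email]
        if today < accepted:
            continue  # resignation not yet accepted, checklist not triggered
        if active and today > last_day:
            ghosts.append((email, tool))
        elif active:
            checklist.setdefault(email, []).append(tool)
        if last_login and last_login > last_day:
            late_logins.append((email, tool, (last_login - last_day).days))
    return checklist, sorted(ghosts), late_logins

if __name__ == "__main__":
    todo, ghosts, late = audit(DEPARTURES, ACCOUNTS, date(2024, 6, 10))
    print("revoke before last day:", todo)
    print("ghost accounts:", ghosts)
    print("logins after departure:", late)
```

The audit is only as complete as the exports fed into it, so a tool that is missing from the inventory stays invisible here too.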
How CoreIT Handles This
CoreIT maintains a live record of every tool each employee has access to. When someone leaves, you see their complete software footprint in one place and can revoke access systematically. No guessing, no gaps, no former employees reading your internal Notion pages three months later.
The free trial takes less than a day to set up — and the first time you run an offboarding through it, you'll probably find three or four tools you would have missed.
The Honest Truth
Most companies only think about offboarding security after something goes wrong. A disgruntled former employee does something they shouldn't, or an audit reveals a dozen ghost accounts. By then, the damage is done.
Getting ahead of it is one of the highest-leverage things an IT manager at a growing company can do — and it's mostly a process problem, not a technology problem. The tools to fix it exist. The question is whether you'll act before you have a reason to.