An employee just gave notice. Maybe they're leaving on good terms, maybe not. Either way, you're thinking about transition plans, exit interviews, and knowledge transfer.

But there's something else that needs to happen, often faster than you'd think: you need to manage their IT access.

Even employees who leave on excellent terms shouldn't retain access to your business systems after they're gone. And employees who leave on bad terms definitely shouldn't.

Here's what needs to happen to your IT when someone leaves your company.

Why This Matters

Security risk:
Former employees with access to your systems can - intentionally or accidentally - cause problems. They can access information, make changes, or simply create security vulnerabilities.

Compliance:
Many regulations require you to promptly remove access for former employees. "We forgot" isn't an acceptable answer during an audit.

License costs:
You're often paying per-user for services. Inactive accounts still count. Remove them, save money.

Data hygiene:
Orphaned accounts clutter your systems and make it harder to know who actually has access.

Protection for them:
If something goes wrong with your systems and a former employee still has access, they might be blamed. Removing access protects everyone.

The Timeline

Last day of work:
Revoke access to critical systems. They shouldn't be able to access anything sensitive after their last day.

Within 24 hours:
Revoke access to all business systems. Change any passwords they knew.

Within 1 week:
Audit all systems to ensure no access remains. Transfer ownership of anything they controlled.

Within 1 month:
Complete documentation of what access was removed and what was transitioned.

This isn't about trust. It's about proper security practices. Even your most trusted former employee shouldn't have access to your business systems after they leave.

The Access Revocation Checklist

When someone leaves, systematically revoke their access:

Email Account

Remove their ability to log in
Set up email forwarding if needed (to their manager or a role account)
Eventually delete the account or convert to a shared mailbox
Remove them from email distribution lists
Update any auto-responders or signatures they set up

Don't immediately delete:
You might need to forward their emails or access information for a transition period. Remove login access, but keep the account accessible to appropriate people.

Website & CMS Access

Remove their login to your website admin panel
Remove their authoring/editing access
Check if they created any admin accounts you don't know about
Verify they can't access via FTP, SFTP, or other backend methods

Domain & Hosting

Remove their access to your domain registrar
Remove their access to hosting control panels
Check if they had SSH access to servers
Verify they're not listed as admin contacts

Cloud Services

Google Workspace / Microsoft 365: Remove user, transfer file ownership
Cloud storage (Dropbox, Box, etc.): Remove access, transfer ownership
Project management tools: Remove account, reassign tasks
Communication tools (Slack, Teams, etc.): Deactivate account
Any other cloud services your business uses

Financial Systems

Accounting software access
Payment processor access
Banking system access (if they had any)
Expense reporting systems

Social Media & Marketing

Facebook, LinkedIn, Twitter, Instagram business account access
Email marketing platform access
Analytics platforms
Advertising account access

Developer & Technical Access

GitHub, GitLab, or other code repositories
API keys they may have generated
SSH keys on servers
Database access
Any technical accounts or access they had

Physical Access

Return of company computers, phones, or equipment
Remote wipe of company data from devices they're keeping
Removal from VPN access
Deactivation of any security keys or tokens

Two-Factor Authentication

If they were the 2FA contact for any accounts, change this immediately
Remove their phone number from any account recovery options
Update security question answers they may have known

The Transition: What They Controlled

Some employees didn't just have access - they controlled things. That's different, and harder to handle.

Accounts Registered Under Their Email

If they registered business accounts using their personal email:

Transfer these accounts to business email addresses
Update contact information
Update billing information

This is why business accounts should never be registered under personal emails.

Domain or Services in Their Name

If your domain or hosting is registered under their name:

Transfer ownership immediately
This can be complex and time-sensitive
Don't wait until they're hostile to start this process

This often becomes a critical issue during MSP transitions or when taking control from contractors who won't cooperate.

Things Only They Know

Passwords they never shared
Configuration details only in their head
Vendor contacts only they know
Processes only they documented (or didn't)

This is why documentation and knowledge sharing matter.

Services on Their Credit Card

If business services are billed to their personal credit card:

Transfer billing to a company account immediately
Don't assume they'll keep paying for your services out of goodwill

The Password Problem

If a departing employee knew admin passwords:

Those passwords should be changed
Even if you trust them completely
Even if they left on excellent terms

Passwords they may have known:

Email admin password
Website admin password
Domain registrar password
Hosting account password
Database passwords
Social media account passwords
Any shared account passwords

Change them all. Use a password manager going forward so individuals don't need to know passwords.

The Knowledge Transfer

Before they leave (ideally with adequate notice):

Document what they know:

What systems did they manage?
What are the logins/passwords?
Where is everything hosted?
What are the processes?
Who are the vendor contacts?
What issues should we watch for?

Transfer ownership:

Move domains from their account to company account
Transfer ownership of files and documents
Reassign admin roles to remaining staff
Update contact information for all services

Brief their replacement:

What will need attention after they leave?
What are the quirks of your systems?
What should the new person know?

This is infinitely easier if the employee is cooperative and has adequate notice. But it should happen even if they're not and don't.

The Immediate Termination Scenario

If someone is terminated immediately (fired, not given notice):

Minute 1:
Disable their primary accounts (email, computer login, VPN).

Hour 1:
Revoke access to all business systems you can identify.

Day 1:
Audit all systems for any remaining access. Change any passwords they knew.

Week 1:
Complete the full access revocation checklist. Look for anything you might have missed.

This is harder than a planned departure, but it's necessary. Security can't wait for convenient timing.

The Contractor or Vendor Scenario

When a contractor or vendor relationship ends, the same principles apply:

What access did they have?
Often more than you realize. They may have:

Admin access you gave them temporarily
Accounts they created for their work
API keys or credentials you don't know about

Revoke it:

Disable their specific accounts
Remove them from shared accounts
Deactivate any credentials they generated
Audit what they had access to

Recover what they controlled:

If they registered things under their account, transfer them
If they hosted things for you, migrate them to your control
If only they know how something works, document it before they're gone

This is why contractor access should be limited and temporary from the start.

The Audit After They Leave

One week after someone leaves, audit:

What access remains?
Check every system. Did anything get missed?

What did we learn?
What access did they have that we didn't realize? What should we do differently next time?

What's documented?
Is everything they managed now documented for the next person?

What's transferred?
Is ownership fully transferred from them to appropriate people?

This audit catches the things you forgot in the initial rush.

Prevention: Doing This Right From the Start

The best time to plan for someone leaving is when they start:

Use role accounts, not personal accounts
Don't register business services under personal emails. Use role-based accounts.

Document everything
Don't let one person be the only one who knows how something works.

Use a password manager
Individuals shouldn't know passwords. They should have access through proper authentication.

Limit access appropriately
Only give access that's necessary for the job. Easier to revoke later.

Regular access audits
Quarterly, review who has access to what. Remove unnecessary access proactively.

Plan the transition
Before someone gives notice, you should already know what access they have and how you'd revoke it.

The Checklist to Print

When someone leaves, check off:

☐ Email access disabled, forwarding configured if needed
☐ Website/CMS access removed
☐ Domain registrar access removed
☐ Hosting access removed
☐ Cloud service accounts disabled (Google/Microsoft/Dropbox/etc.)
☐ Financial system access removed
☐ Social media account access removed
☐ Marketing tool access removed
☐ Developer/technical access revoked
☐ VPN/network access disabled
☐ 2FA contact information updated
☐ Admin passwords they knew have been changed
☐ Company devices returned or wiped
☐ Accounts registered under their email have been transferred
☐ Billing on their credit card has been moved
☐ Knowledge transfer completed and documented
☐ One-week audit completed

The Uncomfortable Conversation

If you discover a former employee still has access weeks or months after leaving:

Don't panic, but do act quickly:

Revoke access immediately
Change passwords immediately
Audit recent activity in those accounts
Reach out to them professionally to inform them access has been removed

Learn from it:

How did this get missed?
What process prevented this from being caught?
How do you ensure it doesn't happen again?

This happens more often than businesses want to admit. The key is fixing it quickly and preventing it going forward.

The Bottom Line

When someone leaves your company:

Revoke their access systematically and quickly
Transfer what they controlled to appropriate people
Change passwords they knew
Document the transition
Audit to ensure nothing was missed
Learn from the process to improve it next time

This applies to all departures - good terms, bad terms, employees, contractors, everyone. It's not personal. It's professional security practice.

And the time to plan for this is before someone gives notice, not after.

Many owners only realize these gaps after something changes — a vendor leaves, a certificate expires, or an insurance renewal asks unexpected questions.

Explain My IT exists to create a dated, owner-readable record of what's visible from the outside — so you don't have to reconstruct this later.

Ready to see your IT setup?

🎯 Run your free snapshot → — See your current configuration in 60 seconds

📅 Want this monthly with full history? See Basic subscription → ($15/month)

Related reading: