Employee departures: the keys nobody remembers to collect

The laptop has been returned, the access card too. But the email account still works, the VPN still connects, and files keep syncing to a personal device. Here's why every employee departure is a critical moment for your security — and how to close the door for good.

A Friday afternoon, the team gathers to send off a colleague: cake, handshakes, the laptop and access card are handed in. The following Monday, their email account still works. Elsewhere, an assistant who left eight months ago still shows up in the payroll portal. And a former manager still receives his old team's emails on his personal phone — not out of malice, but because nobody ever cut off the sync.

None of these situations looks like a cyberattack. None of them triggers an alarm. That's exactly what makes them dangerous: in many businesses, an employee's departure is treated as an HR event, when it's also — above all — a security event.

Returning the laptop is no longer enough

When an employee leaves, the visible part of the departure is usually handled well: the equipment is collected, the access card, sometimes the office keys. The invisible part slips under the radar: the Microsoft 365 account, the VPN access, the CRM, the accounting software, the project management platform, shared folders, team passwords — not to mention the sessions still open on a personal phone or computer.

It's like taking back the front door key while forgetting the person holds copies for the office, the warehouse and the safe. And some of those copies open doors you don't even know exist: with the multiplication of cloud tools — including the ones teams adopt without going through IT, as we discussed in our article on Shadow AI — nobody can spontaneously produce the full list of what an employee has access to anymore. And you can't revoke access you don't know exists.

A risk that starts before the last day

The instinct is to think about the account "left behind" after the departure. But the risk often shows up earlier. DTEX's 2024 i3 Insider Risk Investigations Report, based on more than 1,300 internal investigations, confirms it: most employees take data with them when they leave — 76% of leavers walk away with non-proprietary data, and 15% with sensitive intellectual property. Concretely: client files copied to a personal account, price lists downloaded in bulk, intellectual property following the person to their next employer.

We've seen it up close: during a recent investigation for a client, we traced the download of tens of gigabytes of files to an unmanaged personal device, in the weeks leading up to a departure. Without audit logs and monitoring, that kind of movement goes completely unnoticed.

A risk that's quantified — and regulated

The studies all point the same way. According to Wing Security's analyses, nearly one in three former employees still has access to at least one of their former employer's cloud applications. And IBM's Cost of a Data Breach 2025 report — the same one we cited in our Shadow AI article — ranks malicious insiders as the costliest attack vector, at an average of US$4.92 million per breach. Breaches that start with stolen or compromised credentials take an average of 246 days to identify and contain. Eight months. Access that looks legitimate doesn't set off any alarms.

The extreme case exists too: in 2024, a Singapore court sentenced a former IT employee who, after being let go, used access that was never revoked to delete 180 of his former employer's virtual servers. The bill: over US$600,000. Your business doesn't have 180 servers? The SMB equivalent is an accounting system that won't open on a Monday morning, or a former employee reading the quotes you send your clients.

In Quebec, Law 25 adds its own layer: you're required to protect the personal information you hold with security measures that are reasonable given its sensitivity. A former employee who still has access to employee or client files is hard to describe as "reasonable", and if that access gets used, you're looking at a confidentiality incident, with mandatory notification of the Commission d'accès à l'information whenever the incident presents a risk of serious injury. Insurers follow the same logic: cyber insurance questionnaires increasingly ask whether you have a documented access revocation process. Answering "we handle that from memory" can cost you dearly when it's time to file a claim.

Why access lingers

Nobody leaves access lying around on purpose. The problem is structural. HR and IT work in silos: the departure gets announced on one side, the revocation waits on the other, and sometimes IT only hears about the departure two weeks later, in passing conversation. There's no central inventory of access: every tool keeps its own user list, and accounts created outside IT don't show up anywhere.

And there's a technical subtlety few executives know about: disabling an account or changing a password blocks new sign-ins, but it doesn't automatically end sessions that are already open. A phone that was syncing email holds a refresh token, and it can keep pulling mail for hours, sometimes days, until that token and any active sessions are explicitly revoked. Even then, access tokens already issued stay valid until they expire, typically about an hour, unless the application supports continuous access evaluation. The door is locked, but the window was left open.

The solution: a procedure, not an improvisation

The answer comes in three parts. First, an access inventory kept up to date continuously, not rebuilt in a panic on departure day. A team password manager and a list of applications by role already make a huge difference; we covered this in our article on password managers. Second, a systematic trigger between HR and IT: every departure, voluntary or not, generates a revocation request the same day, and in sensitive cases before the announcement is even made. Third, a complete revocation: disable the account and revoke its active sessions and tokens, redirect the mailbox, transfer file ownership, remove the person from shares and groups, rotate every shared password they knew, and recover or remotely wipe devices. Record each step with a timestamp: the checklist is also your evidence that the door was actually closed.
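What the "complete revocation" and the session-token subtlety look like in practice, for a Microsoft 365 tenant, as an added example that is not part of the original article. It assumes a cloud-only tenant, an administrator with the Microsoft.Graph and ExchangeOnlineManagement modules installed, and placeholder addresses; the function name and the `-ForwardTo` / `-WipeCorporateDevices` parameters are ours. File ownership transfer (SharePoint/OneDrive) and rotation of shared passwords are left to those tools and the password manager. Hybrid tenants synchronised with Entra Connect must disable the user in on-premises Active Directory and force a sync instead of calling Update-MgUser.

```powershell
# Added example (not from the article): one-shot access revocation for a leaver in a
# cloud-only Microsoft 365 tenant. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin account granted the scopes below.
function Disable-LeaverAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $ForwardTo,   # manager or team mailbox taking over
        [switch] $WipeCorporateDevices                 # default is "retire": remove company data only
    )
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all access')) { return }

    Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
        'Directory.ReadWrite.All', 'DeviceManagementManagedDevices.PrivilegedOperations.All'
    Connect-ExchangeOnline -ShowBanner:$false

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # 1. Block new sign-ins. On its own this does NOT invalidate tokens already issued.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Invalidate refresh tokens and browser session cookies, so the phone that was
    #    syncing mail is forced to sign in again (and now cannot). Access tokens already
    #    in hand stay valid until they expire, typically about an hour.
    $revoked = (Revoke-MgUserSignInSession -UserId $user.Id).Value

    # 3. Remove group memberships. Distribution lists and mail-enabled security groups
    #    belong to Exchange Online, not Graph; dynamic groups recalculate on their own.
    $removedGroups = 0
    foreach ($g in (Get-MgUserMemberOf -UserId $user.Id -All)) {
        $p = $g.AdditionalProperties
        if ($p['@odata.type'] -ne '#microsoft.graph.group') { continue }   # skip directory roles
        $types = @($p['groupTypes'])
        if ($types -contains 'DynamicMembership') { continue }
        if ($types -contains 'Unified' -or -not $p['mailEnabled']) {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        } else {
            Remove-DistributionGroupMember -Identity $g.Id -Member $user.Id -Confirm:$false
        }
        $removedGroups++
    }

    # 4. Keep the mailbox readable without a license, hide it, forward new mail and
    #    shut the client protocols. Order matters: convert to shared BEFORE removing
    #    the license, otherwise the mailbox is queued for deletion.
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    Set-Mailbox -Identity $UserPrincipalName -HiddenFromAddressListsEnabled $true `
        -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
    Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncEnabled $false -OWAEnabled $false `
        -ImapEnabled $false -PopEnabled $false

    # 5. Release the licenses (a shared mailbox under 50 GB needs none).
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }

    # 6. Pull company data off every enrolled device. A full wipe only for company-owned
    #    hardware and only when asked, because wiping a BYOD phone deletes personal data.
    $devices = 0
    foreach ($d in @(Get-MgUserManagedDevice -UserId $user.Id -All)) {
        if ($WipeCorporateDevices -and $d.ManagedDeviceOwnerType -eq 'company') {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        } else {
            Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        }
        $devices++
    }

    # Evidence for the departure checklist (and for the insurer's questionnaire).
    [pscustomobject]@{
        User            = $UserPrincipalName
        DisabledAt      = (Get-Date).ToString('o')
        SessionsRevoked = $revoked
        GroupsRemoved   = $removedGroups
        DevicesHandled  = $devices
        MailForwardedTo = $ForwardTo
    }
}

# Dry run first (placeholder addresses), then for real:
# Disable-LeaverAccess -UserPrincipalName 'j.tremblay@example.com' -ForwardTo 'manager@example.com' -WhatIf
# Disable-LeaverAccess -UserPrincipalName 'j.tremblay@example.com' -ForwardTo 'manager@example.com'
```

The order of steps is deliberate: disable first so nothing new can be obtained, revoke second so what was already obtained stops working, and only then touch the mailbox and licenses. Keep the returned object with the departure record; it is the timestamped proof that each part of the revocation actually ran.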

Centralizing identities changes everything: when your applications authenticate through a central identity provider such as Microsoft Entra ID, disabling the person in one place cuts access everywhere at once. One switch instead of twenty. The caveat is that the switch only reaches the applications that actually sign in through the provider; a tool that still has its own local logins keeps its own user list, which is exactly why the inventory comes first. It's also one of the foundations of the Zero Trust approach we discussed recently.

Where to start?

Step one: the retroactive audit. Pull the list of everyone who left in the past 24 months and compare it to the active accounts in your systems — the exercise almost always turns up surprises. Step two: the one-page checklist, adapted to your tools, with a designated owner for every departure. Step three: the organizational reflex — every departure automatically triggers the procedure, no exceptions, even when the parting is on good terms.
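The retroactive audit of step one, as an added example rather than anything from the article: a cross-check of the HR list of leavers against the active-user export of each tool, generalised to any number of tools rather than only the identity provider. The function name, the column names (`Email`, `LastDay`) and all the sample rows are constructed for the demonstration; in real use each export comes from the tool itself (the comment shows the Entra ID export).

```powershell
# Added example (not from the article). The CSV samples below are constructed for the
# demo; in practice each entry of $AppExports is a real export of the tool's active
# users, e.g. for Entra ID:
#   Get-MgUser -All -Filter 'accountEnabled eq true' -Property UserPrincipalName |
#       Select-Object @{n='Email';e={$_.UserPrincipalName}} | Export-Csv entra.csv
function Find-LingeringAccess {
    param(
        [Parameter(Mandatory)] [object[]]  $Leavers,     # rows with Email and LastDay
        [Parameter(Mandatory)] [hashtable] $AppExports,  # tool name -> rows with an Email column
        [datetime] $AsOf = (Get-Date)
    )
    # Index leavers by normalised address: the same person is "J.Tremblay@" in HR and
    # "j.tremblay@" in the CRM, and a stale account can hide behind that difference.
    $lastDay = @{}
    foreach ($l in $Leavers) {
        $lastDay[$l.Email.Trim().ToLowerInvariant()] = [datetime]$l.LastDay
    }
    foreach ($app in ($AppExports.Keys | Sort-Object)) {
        foreach ($row in $AppExports[$app]) {
            $email = $row.Email.Trim().ToLowerInvariant()
            if (-not $lastDay.ContainsKey($email)) { continue }
            $days = [int]($AsOf.Date - $lastDay[$email].Date).TotalDays
            if ($days -lt 0) { continue }   # departure announced but still employed today
            [pscustomobject]@{
                Application   = $app
                Account       = $email
                LeftOn        = $lastDay[$email].ToString('yyyy-MM-dd')
                DaysLingering = $days
            }
        }
    }
}

# Constructed sample data: the HR export and three tool exports.
$leavers = @'
Email,LastDay
J.Tremblay@example.com,2025-03-14
m.gagnon@example.com,2024-11-29
s.roy@example.com,2026-01-30
'@ | ConvertFrom-Csv

$entra = @'
Email
j.tremblay@example.com
a.bouchard@example.com
'@ | ConvertFrom-Csv

$crm = @'
Email
m.gagnon@example.com
j.tremblay@example.com
'@ | ConvertFrom-Csv

$accounting = @'
Email
s.roy@example.com
'@ | ConvertFrom-Csv

$apps = @{ 'Entra ID' = $entra; 'CRM' = $crm; 'Accounting' = $accounting }

Find-LingeringAccess -Leavers $leavers -AppExports $apps -AsOf ([datetime]'2025-09-01') |
    Sort-Object DaysLingering -Descending | Format-Table -AutoSize
```

With the sample data, j.tremblay turns up in both Entra ID and the CRM, m.gagnon only in the CRM (the identity provider was cleaned up, the tool with its own logins was not), and s.roy is skipped because the last day is still in the future. Run it against the real exports once a quarter, and treat every row as a ticket, not a curiosity.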

No need for a massive project: an audit, a one-page procedure and centralized identity already address most of the risk.

The bottom line

Departures are part of business life. What shouldn't be part of it is uncertainty about what someone who left can still see, open or download. The question for an executive isn't "are my former employees trustworthy?" — most are. It's "if one of them weren't, or if their credentials fell into the wrong hands, would I know?"

At MMO Techno, we build departure management into our managed IT services: access inventory, centralized identity, a documented revocation procedure and periodic audits — so every departure closes cleanly, with no exceptions and nothing forgotten.

Could you say, today, what your last departed employee still has access to? If the answer takes more than five minutes, let's talk.
