Handling Leavers and Joiners: Closing Access Quickly When People Change Roles or Leave.

Accounts belonging to ex-employees remain active in Irish SMEs for months after departure. Here is how to build a leaver and joiner process that closes access q


When a Sligo hospitality business conducted a security review, they discovered that a Microsoft 365 account belonging to a former financial controller — who had left the business eighteen months earlier — was still active, still licensed, and had not had its password changed since the day they left. The account had full access to the company's financial records, supplier contracts, and client data. It had been used to log in twice in the preceding six months from an IP address in Eastern Europe.

The former financial controller had not been involved. Someone had acquired their credentials — almost certainly through a breach database where the password had appeared — and had been quietly accessing the account. The business discovered it during a routine review, not because of any visible incident.

Orphaned accounts — active accounts belonging to people who have left or changed roles — are one of the most consistent and most avoidable security gaps in Irish SMEs.


What Is the Joiners-Movers-Leavers Problem?

The joiners-movers-leavers cycle refers to the ongoing process of managing system access as staff join an organisation, change roles within it, and leave it. Each transition creates access that needs to be created, modified, or revoked. Without a deliberate process, access accumulates — joiners get accounts, movers accumulate access from previous roles alongside new access for new roles, and leavers retain accounts indefinitely after departure.

The cumulative effect, over several years of normal staff turnover, is a directory full of accounts that should not exist, assigned to roles they do not need, some of which have not been used legitimately in months.


The Leaver Risk

The specific risk of an active account belonging to a departed employee is threefold.

The former employee themselves may retain access intentionally or inadvertently. Most departures are amicable, but some are not. An employee who leaves on poor terms and retains active credentials to your systems is a material insider threat risk that is entirely preventable.

The account is an orphaned target in breach databases. Former employees' work email addresses turn up in breach dumps when they used the work address to register with a third-party service that was later breached; where the password was reused, the work credential is exposed alongside it. The work account remains active, so an attacker testing breach credentials against Microsoft 365 or Google Workspace will find that it still works.

The account continues to consume licence costs. A Microsoft 365 account that is not deactivated continues to cost its monthly licence fee. For a business with significant staff turnover, the cumulative licence cost of orphaned accounts can be material.

When did you last audit your Microsoft 365 or Google Workspace accounts against your current HR records? For most Irish SMEs, such an audit surfaces between two and ten accounts that should have been closed. Book a free 20-minute strategy call — leaver and joiner process design is a standard part of our SME security engagements.


Building a Workable Leaver Process

The leaver process has a defined trigger — the confirmed departure of a staff member — and a defined sequence of actions that must be completed within a specific timeframe.

Day zero — confirmed departure: Disable the Microsoft 365 account (do not delete — the mailbox data may be needed for legal or operational reasons). Reset the password and block sign-in. Blocking sign-in only stops new logins; sessions and refresh tokens already issued to the leaver's devices and apps keep working until they expire, so revoke the user's sign-in sessions as well. Forward email to the line manager if needed for continuity.

Day zero — account audit: Identify every system the leaver had access to. This requires an inventory of systems and their user lists. For each system — CRM, accounting software, project management, banking portal, payroll — verify the account is deactivated or the credentials are changed.

Day zero — hardware return: Ensure company devices are returned or remotely wiped. Ensure any tokens, smart cards, or physical access credentials are recovered.

Within 24 hours — cloud service audit: Review OAuth connections in Microsoft 365 or Google Workspace for any third-party app consents granted by the leaver's account, and revoke any you cannot justify. Check the mailbox for inbox rules that forward or redirect mail externally: a rule created before departure keeps running after sign-in is blocked, and it is a quiet way for data to keep leaving the business.

Within one week — access review for shared accounts: Where the leaver had access to shared credentials — social media accounts, shared mailboxes, cloud platforms used by the team — change those credentials.
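The Day-zero steps above, as an added example that is not from the original article: a Microsoft Graph PowerShell and Exchange Online script that blocks sign-in, revokes sessions, rotates the password, removes OAuth consents, lists groups and devices for the audit, and sets mail forwarding. The function name, the scope list and the example addresses are assumptions; it needs the Microsoft.Graph and ExchangeOnlineManagement modules and an admin role in the tenant that can disable users, reset passwords and manage mailboxes.

```powershell
# Added example, not from the original article. Day-zero leaver actions in Microsoft 365
# using the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module.
# Assumptions: both modules are installed, the signed-in admin holds a role able to
# disable users, reset passwords and manage mailboxes, and the scope list below is
# sufficient for that role. Addresses at the call site are placeholders.
function Invoke-LeaverDayZero {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Leaver,    # UPN of the departing user
        [Parameter(Mandatory)] [string] $Manager    # recipient who receives forwarded mail
    )

    Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All',
        'DelegatedPermissionGrant.ReadWrite.All'

    # 1. Block sign-in first. This stops new tokens being issued to the account.
    Update-MgUser -UserId $Leaver -AccountEnabled:$false

    # 2. Blocking sign-in does not kill sessions already open on the leaver's devices and
    #    apps; their refresh tokens remain valid until they expire. Revoke them explicitly.
    Revoke-MgUserSignInSession -UserId $Leaver | Out-Null

    # 3. Reset the password to a random value that nobody records. The aim is to make the
    #    old password (possibly sitting in a breach dump) worthless, not to hand over a new one.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Update-MgUser -UserId $Leaver -PasswordProfile @{
        Password                      = [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }

    # 4. Remove OAuth consents the user granted to third-party apps, so they do not silently
    #    come back to life if the account is ever re-enabled and so the audit trail shows
    #    them revoked. This is the "cloud service audit" step done up front.
    Get-MgUserOauth2PermissionGrant -UserId $Leaver -All | ForEach-Object {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }

    # 5. Inventory for the system audit and hardware-return steps: group memberships tell
    #    you which systems to check, registered devices tell you what to recover or wipe.
    $groups  = Get-MgUserMemberOf -UserId $Leaver -All |
               ForEach-Object { $_.AdditionalProperties['displayName'] }
    $devices = Get-MgUserRegisteredDevice -UserId $Leaver -All |
               ForEach-Object { $_.AdditionalProperties['displayName'] }

    # 6. Mailbox: keep the data (do not delete), forward new mail to the line manager, and
    #    surface any inbox rules that already forward or redirect mail; those keep running
    #    after sign-in is blocked. Converting the mailbox to shared later
    #    (Set-Mailbox -Type Shared) retains the data without a licence once retention
    #    needs are settled.
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $Leaver -ForwardingAddress $Manager -DeliverToMailboxAndForward $true
    $suspectRules = Get-InboxRule -Mailbox $Leaver |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object Name, ForwardTo, RedirectTo

    # Summary for the leaver checklist record.
    [pscustomobject]@{
        Leaver               = $Leaver
        SignInBlocked        = -not (Get-MgUser -UserId $Leaver -Property AccountEnabled).AccountEnabled
        GroupsToReview       = $groups
        DevicesToRecover     = $devices
        ForwardingRulesFound = $suspectRules
    }
}

# Usage (placeholder addresses; run against a test tenant first):
# Invoke-LeaverDayZero -Leaver 'former.controller@example.ie' -Manager 'finance.manager@example.ie'
```

The order matters: block sign-in and revoke sessions before anything else, because the password reset and consent removal are clean-up, while the first two steps are what actually stops a live session. The returned object is the record for the leaver checklist: the groups list drives the per-system audit on the same day, and any entries under ForwardingRulesFound should be removed and investigated rather than assumed benign.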


Building a Workable Joiner Process

The joiner process is equally important. A poorly designed joiner process results in new staff being given excessive access — often the same access as the person they replaced, regardless of whether that person's access was appropriate — or in access being provisioned inconsistently, with some systems active and others missed.

A consistent joiner checklist includes: account creation with the minimum access required for the specific role (a role-based profile, not a copy of the predecessor's permissions), manager confirmation that access matches the role description, MFA enrolment before the account is put into use, a security awareness briefing in the first week, and confirmation that no shared credentials known to the previous occupant of the role are still in use.


Why This Matters Right Now

The Data Protection Commission expects organisations holding personal data to apply appropriate access controls, including the removal of access when it is no longer required [^1]. This is not an aspirational standard — the DPC has cited inadequate access management in enforcement investigations. NIS2 Article 21 includes access management as a required risk management measure.

The leaver and joiner process is one of the lowest-cost, highest-impact security improvements available to most Irish SMEs. It requires no technology investment beyond what businesses already have — it requires a defined process, a responsible owner, and consistency of execution.


What Next

  1. Audit your Microsoft 365 accounts this week. Export the user list. Compare it against your current HR records. Identify any accounts that should have been closed. Close them.

  2. Document a leaver checklist. Even a one-page document that names the systems to be checked and confirms the sequence of actions creates accountability and consistency.

  3. Assign a named owner for leaver and joiner process execution. In many Irish SMEs, this responsibility falls between HR, the IT provider, and the line manager, with no one owning it specifically. Name someone. Hold them accountable.
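Step 1 of the list above, as an added example that is not from the original article: a PowerShell function that reconciles a Microsoft 365 user export against HR records and flags accounts that should not exist. The sample directory and HR data are constructed here so the check runs offline; the commented Get-MgUser call shows where the real export comes in, and the function name, field names and example addresses are assumptions.

```powershell
# Added example, not from the original article. Reconciles the Microsoft 365 user list
# against HR records: flags accounts with no active employee behind them and accounts that
# are enabled but unused, and lets you exempt shared/service accounts so they are reviewed
# separately rather than hidden. It only reports; closing accounts stays a human decision.
function Find-OrphanedAccounts {
    param(
        # Objects with UserPrincipalName, AccountEnabled and LastSignIn (datetime or $null)
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,
        # Objects with Email and Status ('Active' or 'Left'), as exported from the HR system
        [Parameter(Mandatory)] [object[]] $HrRecords,
        # Shared mailboxes, break-glass and service accounts that have no HR record by design
        [string[]] $Exempt = @(),
        [int] $StaleDays = 90,
        [datetime] $Now = (Get-Date)
    )

    $activeStaff = @{}
    foreach ($r in $HrRecords) {
        if ($r.Status -eq 'Active') { $activeStaff[$r.Email.ToLowerInvariant()] = $true }
    }
    $exemptSet = @{}
    foreach ($e in $Exempt) { $exemptSet[$e.ToLowerInvariant()] = $true }

    foreach ($u in $DirectoryUsers) {
        $upn = $u.UserPrincipalName.ToLowerInvariant()
        if ($exemptSet.ContainsKey($upn)) { continue }

        $reasons = @()
        if (-not $activeStaff.ContainsKey($upn)) {
            $reasons += 'no active employee in HR records'
        }
        if ($u.AccountEnabled) {
            if ($null -eq $u.LastSignIn) {
                $reasons += 'enabled but never signed in'
            } elseif (($Now - $u.LastSignIn).TotalDays -gt $StaleDays) {
                $reasons += "enabled but no sign-in for over $StaleDays days"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Enabled           = $u.AccountEnabled
                LastSignIn        = $u.LastSignIn
                Reason            = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data (not real accounts). 'fin.controller' mirrors the Sligo case: HR
# says they left, yet the account is enabled and was signed into recently, so a sign-in
# recency check on its own would never flag it.
$sampleDirectory = @(
    [pscustomobject]@{ UserPrincipalName = 'aoife.byrne@example.ie';      AccountEnabled = $true; LastSignIn = [datetime]'2025-02-27' }
    [pscustomobject]@{ UserPrincipalName = 'fin.controller@example.ie';   AccountEnabled = $true; LastSignIn = [datetime]'2025-01-15' }
    [pscustomobject]@{ UserPrincipalName = 'sean.murphy@example.ie';      AccountEnabled = $true; LastSignIn = $null }
    [pscustomobject]@{ UserPrincipalName = 'shared-reception@example.ie'; AccountEnabled = $true; LastSignIn = [datetime]'2025-02-28' }
)
$sampleHr = @(
    [pscustomobject]@{ Email = 'aoife.byrne@example.ie';    Status = 'Active' }
    [pscustomobject]@{ Email = 'fin.controller@example.ie'; Status = 'Left' }
    [pscustomobject]@{ Email = 'sean.murphy@example.ie';    Status = 'Active' }
)

$report = Find-OrphanedAccounts -DirectoryUsers $sampleDirectory -HrRecords $sampleHr `
    -Exempt 'shared-reception@example.ie' -Now ([datetime]'2025-03-01')
$report | Format-Table -AutoSize

# Real tenant: replace $sampleDirectory with the export below. SignInActivity needs the
# AuditLog.Read.All scope and an Entra ID P1 licence on the tenant.
# $sampleDirectory = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,SignInActivity |
#     Select-Object UserPrincipalName, AccountEnabled,
#         @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
```

On the constructed data the report lists fin.controller (no active HR record) and sean.murphy (enabled but never signed in), while the shared reception mailbox is skipped as exempt. The HR comparison is the check that matters: the financial controller's account in the story would pass a "recently used" filter precisely because an attacker was using it.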


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: Data Protection Commission Ireland — Access Control Guidance
[^2]: NCSC Ireland — Identity and Access Management
[^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
