Staff Offboarding Security Checklist for Irish SMEs
When an employee leaves a Donegal or Irish business — whether they resign, retire, or are let go — their access to your systems, data, and premises should end on the same day. In practice, this rarely happens. Former employees retain access to email, cloud storage, CRM systems, and even physical offices for weeks or months after departure.
This is not a hypothetical risk. A 2024 study by Beyond Identity found that 83% of employees admitted to maintaining continued access to accounts from a previous employer after leaving. For Irish SMEs, where a single shared admin password might unlock everything from the company bank account to the customer database, the risk is acute.
This guide provides a practical offboarding checklist that any Irish SME can implement — regardless of size, sector, or technical capability.
Before the Last Day: Preparation
The offboarding process should begin before the employee's final day, not after it. If you wait until they have left the building to start revoking access, you are already behind.
Compile an access inventory for the departing employee:
- Which email accounts do they have access to (personal and shared mailboxes)?
- Which cloud services do they use (Microsoft 365, Google Workspace, Dropbox, Slack)?
- Which line-of-business applications do they log into (CRM, accounting, project management)?
- Do they have admin or elevated privileges on any system?
- Do they have remote access (VPN, RDP, TeamViewer)?
- Do they have company devices (laptop, phone, tablet, USB drives)?
- Do they have physical access (office keys, alarm codes, server room access)?
- Do they have access to company social media accounts?
If you do not have a central record of who has access to what, this exercise will be difficult — and that difficulty is itself a finding. Maintaining an access register is a requirement under NIS2 and a best practice under CyFUN.
The Day They Leave: The Checklist
Complete these steps on the employee's last working day — ideally within the last hour of their final shift.
Digital Access
| Action | Priority | Notes |
|---|---|---|
| Disable their email account | Critical | Do not delete — disable. You may need to access their mailbox for business continuity or legal reasons |
| Remove from all shared mailboxes | Critical | Check for forwarding rules that may have been set up |
| Revoke Microsoft 365 / Google Workspace licence | High | Reassign the licence to save costs |
| Disable VPN and remote access | Critical | If they had remote access, revoke it immediately |
| Change shared passwords they knew | Critical | Any shared account password the employee had access to must be changed |
| Remove from Slack, Teams, and messaging platforms | High | Remove from all channels and revoke access |
| Remove from CRM, accounting, and business applications | High | Check each application individually |
| Remove from cloud storage (Dropbox, OneDrive, SharePoint) | High | Check for shared folders and transfer ownership of files |
| Revoke social media access | High | Change passwords on all company social media accounts they managed |
| Disable any API keys or tokens they created | Medium | Check developer tools, integrations, and automation platforms |
Physical Access
| Action | Priority | Notes |
|---|---|---|
| Collect office keys | Critical | If keys cannot be recovered, change the locks |
| Change alarm codes | Critical | If the employee knew the alarm code, change it |
| Collect access cards or fobs | Critical | Deactivate the card in the access control system |
| Collect company devices | Critical | Laptop, phone, tablet, USB drives, external hard drives |
| Collect any printed documents or files | High | Especially client files, contracts, and financial records |
Administrative
| Action | Priority | Notes |
|---|---|---|
| Update the access register | High | Record what was revoked and when |
| Redirect their email | Medium | Set up an auto-reply and forward to their manager for 30 days |
| Review their recent email activity | Medium | Check for unusual forwarding rules, large data exports, or sent items to personal addresses |
| Back up their files | Medium | Transfer ownership of their documents to their manager |
| Notify IT provider | High | If you use a managed service provider, inform them of the departure |
The Week After: Verification
Within the first week after departure, verify that the offboarding was complete:
- Check audit logs. Review login attempts for the former employee's accounts. If you see successful logins after their departure date, you have a problem. If you have Microsoft 365 audit logging enabled, this information is readily available.
- Check for personal devices. If your business allowed BYOD (bring your own device), the former employee may still have company email and data on their personal phone or laptop. If you use Microsoft Intune or a similar mobile device management tool, you can remotely wipe company data from personal devices.
- Check for data exfiltration. Review whether the employee downloaded large volumes of data in the days before their departure. Check cloud storage download logs, email attachment sizes, and USB device connection logs.
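The first and third checks above can be run over an exported activity log. This is an added example, not part of the original guide. The CSV column names, the sample rows, the 14-day lookback and the 1 GiB daily threshold are all assumptions, so map them to whatever your audit log export actually contains.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export; the column names are assumptions, not a vendor schema.
LOG_CSV = """timestamp,user,event,result,bytes
2025-03-03T09:02:11Z,j.doherty@example.com,login,success,0
2025-03-10T10:15:00Z,j.doherty@example.com,download,success,52428800
2025-03-26T21:40:03Z,j.doherty@example.com,download,success,4294967296
2025-03-27T22:05:47Z,j.doherty@example.com,download,success,3221225472
2025-03-28T16:55:00Z,j.doherty@example.com,login,success,0
2025-03-29T08:12:30Z,j.doherty@example.com,login,failure,0
2025-04-02T23:18:09Z,j.doherty@example.com,login,success,0
2025-04-02T23:20:00Z,m.gallagher@example.com,login,success,0
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_leaver(log_text, user, departure, lookback_days=14, daily_limit=1024**3):
    """Return (successful logins after departure, heavy download days before it)."""
    late_logins, per_day = [], defaultdict(int)
    window_start = departure - timedelta(days=lookback_days)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only the leaver's successful events matter for these two checks.
        if row["user"].strip().lower() != user.lower() or row["result"] != "success":
            continue
        when = parse_ts(row["timestamp"])
        if row["event"] == "login" and when > departure:
            late_logins.append(when)  # access that should no longer exist
        elif row["event"] == "download" and window_start <= when <= departure:
            per_day[when.date()] += int(row["bytes"])
    heavy = {day: total for day, total in sorted(per_day.items()) if total > daily_limit}
    return late_logins, heavy

if __name__ == "__main__":
    departure = datetime(2025, 3, 28, 17, 30, tzinfo=timezone.utc)
    late, heavy = review_leaver(LOG_CSV, "j.doherty@example.com", departure)
    print("Successful logins after departure:", [t.isoformat() for t in late])
    print("Heavy download days before departure:", heavy)
```

Any entry in the first list means a revocation step was missed and should be traced back to the system that still accepted the login.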
Special Cases
When the Departure Is Not Amicable
If an employee is being dismissed, the offboarding process must be coordinated with HR and happen simultaneously with the termination conversation. Access should be revoked before or during the meeting — not after. This is not about distrust; it is about protecting the business and the individual.
When the Employee Had Admin Access
If the departing employee had administrator privileges, the risk is significantly higher. Admin accounts can create backdoors, modify security settings, and access any data in the system. In addition to the standard checklist:
- Change all admin passwords immediately
- Review recent admin activity logs for unusual changes
- Check for new accounts that may have been created
- Consider a security assessment to verify system integrity
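One way to run the admin activity and new-account checks over an exported admin audit log is shown here, as an added example that is not part of the original guide. The event tuples, action names and 30-day lookback are assumptions. The review follows the chain: an account the departing admin created, or whose password they reset, is treated as under their control, so anything that account then creates is flagged too.

```python
from datetime import datetime, timedelta

# Constructed admin audit events: (timestamp, actor, action, target).
# Field layout and action names are assumptions, not a vendor schema.
AUDIT = [
    ("2025-01-15T10:00:00", "admin.leaver", "create_user", "old.intern"),
    ("2025-03-01T09:00:00", "admin.leaver", "create_user", "temp.contractor"),
    ("2025-03-20T18:42:00", "admin.leaver", "create_user", "svc-backup2"),
    ("2025-03-20T18:44:00", "admin.leaver", "grant_admin", "svc-backup2"),
    ("2025-03-21T02:10:00", "svc-backup2", "create_user", "helpdesk.tmp"),
    ("2025-03-22T11:00:00", "it.manager", "create_user", "new.starter"),
    ("2025-03-25T08:30:00", "admin.leaver", "reset_password", "reception"),
]

WATCHED = {"create_user", "grant_admin", "reset_password"}
SPREADS = {"create_user", "reset_password"}  # target is now controlled by the actor

def accounts_to_review(events, leaver, departure, lookback_days=30):
    """Map each account touched by the leaver (directly or via an account
    they control) to the audit events that explain why it is flagged."""
    start = departure - timedelta(days=lookback_days)
    controlled, findings = {leaver}, {}
    # ISO timestamps sort chronologically, so control spreads in event order.
    for ts, actor, action, target in sorted(events):
        if datetime.fromisoformat(ts) < start or action not in WATCHED:
            continue
        if actor not in controlled:
            continue
        findings.setdefault(target, []).append(f"{action} by {actor} at {ts}")
        if action in SPREADS:
            controlled.add(target)
    return findings

if __name__ == "__main__":
    departure = datetime(2025, 3, 28, 17, 30)
    for account, reasons in accounts_to_review(AUDIT, "admin.leaver", departure).items():
        print(account)
        for reason in reasons:
            print("   ", reason)
```

Each flagged account needs a named owner and a business reason; disable any that have neither and rotate the credentials of the rest.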
When the Employee Managed Vendor Relationships
If the employee was the primary contact for IT vendors, cloud providers, or security services, transfer those relationships before their departure. Ensure vendor portals are updated with new contact information and that the former employee is removed from vendor communication lists.
Building the Process Into Your Business
A checklist is only useful if it is used. Here is how to make offboarding security a standard part of your HR process:
- Create a one-page offboarding checklist based on the tables above, customised for your specific systems and tools.
- Assign responsibility. Decide who owns each step — typically a combination of the line manager, IT, and HR.
- Integrate with HR. The offboarding checklist should be triggered automatically when a resignation or termination is processed.
- Review quarterly. As you add new tools and systems, update the checklist. An outdated checklist is almost as dangerous as no checklist at all.
Sources: NCSC Ireland, Data Protection Commission Ireland, Beyond Identity — Cybersecurity Risks of Improper Offboarding
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.