What to Do With Someone's IT Access When They Leave Your Business

Someone hands in their notice on a Friday. By Monday they have gone, and you are focused on covering their workload, updating clients, and finding a replacement. Two months later, you discover their email account is still active, their login to your practice management system still works, and nobody thought to remove them from your shared cloud storage. It happens more often than most business owners realise.

When an employee leaves, they take their knowledge with them - but they also leave behind a digital trail that can create real problems if it is not dealt with properly. Former staff retaining access to client records, financial systems, or business email is not just an inconvenience. Under the NZ Privacy Act 2020, your business is responsible for how client information is handled, regardless of whether the person who accessed it still works for you. A disgruntled ex-employee sending emails from a company address, or accessing client files months after leaving, is a breach that lands on you.

The good news is that a clean offboarding process is straightforward when it is built into how you operate - not treated as an afterthought. When IT access is managed properly, a staff departure becomes a routine administrative event rather than a security risk. The departing person's email gets redirected, their logins are revoked across all systems, company devices are returned and wiped, and any data sitting on personal devices is recovered before they walk out the door. Cloud accounts are closed or transferred, not left sitting idle where no one is watching them. Social media admin rights are updated. Building access codes are changed. None of this takes long when there is a clear process in place.

Knowledge transfer matters too. Before someone leaves, document the workflows and system logins they managed - which apps the business uses, how things are set up, what processes only existed in their head. This is worth doing for every staff member, not just those who are leaving. It protects the business if someone is suddenly unavailable, and it makes offboarding far less disruptive. It is also worth reviewing shared passwords and account credentials at this point, since departed staff who knew login details can still pose a risk if those details are never changed.

For most professional services businesses, the challenge is not knowing what needs to happen - it is having the time and the systems to make sure it actually does. A managed IT support arrangement means there is someone accountable for running through that checklist every time a staff member leaves. Access is revoked the same day, not two months later when someone notices. Devices are tracked and recovered. Nothing gets overlooked because the person who knew about it has already left. Understanding how attackers exploit dormant accounts makes clear why acting quickly matters.

If you are not confident your current process would catch everything, ITstuffed offers a free 15-minute IT Fit Check to talk through where the gaps might be.