IT Offboarding Checklist: A Small Business Guide
When you don't have an IT department, this guide walks you through every step
When an employee leaves, most small business owners think about the same things: final paycheck, returning keys, maybe an exit conversation. IT access is an afterthought - something you remember two weeks later when you notice the former employee is still in your Slack or still showing up in your Google Drive shared files. Your employee offboarding checklist should include IT steps, but most small businesses treat them separately or skip them entirely.
That is a security problem waiting to become an expensive incident. At companies without a dedicated IT department, nobody owns the IT offboarding process by default. HR handles it, the office manager handles it, or nobody handles it until something goes wrong.
This guide is written for that person at a 5 to 50 person company who is not an IT professional but needs to handle IT offboarding correctly. Plain language, specific steps, and guidance for the tools you actually use. At FirstHR, we have helped hundreds of small businesses build offboarding processes that protect them without requiring a technical background.
Why IT Offboarding Matters
The statistics on employee data access after departure are alarming, and they apply to small businesses just as much as enterprise companies.
For a small business, the math is more personal. A former employee with active access to your QuickBooks account can see your financial data. Access to your CRM means access to every customer relationship you have built. Access to your email means access to ongoing client conversations, contracts, and internal communications.
According to IBM's 2024 Cost of a Data Breach Report, the average U.S. data breach costs $10.22 million. The cost is not just financial, though: it also includes the time to investigate and remediate, potential regulatory penalties, damage to customer trust, and legal exposure if a former employee misuses access you failed to revoke. Proper IT offboarding is the cheapest insurance you can buy.
Who Handles IT Offboarding at Small Businesses
At enterprise companies, IT offboarding is handled by an IT department with tools like Okta or Microsoft Azure Active Directory that let them disable access to dozens of applications simultaneously with a single click. At a 15-person company, none of that infrastructure exists.
The reality is that at most small businesses, HR or the office manager handles IT offboarding alongside all other exit tasks. This is completely workable. The difference between doing it well and doing it poorly is not technical expertise - it is having a system.
| Task | Who Handles It | When |
|---|---|---|
| Notify payroll to stop direct deposit | HR / Owner | Before final paycheck |
| Disable email account | HR (via Google/M365 Admin) | Day of departure |
| Set email forwarding | HR (via Google/M365 Admin) | Day of departure |
| Revoke individual SaaS access | HR working from access list | Day of departure |
| Change shared passwords | HR / Office manager | Day of departure |
| Collect hardware | HR / Office manager | Day of or before departure |
| Transfer file ownership | HR (via Admin Console) | Day of departure |
| Remove building/office access | HR / Office manager | Day of departure |
| Final security review | HR (checklist verification) | Within 1 week |
| Archive offboarding record | HR | Within 1 week |
If you track access during onboarding, offboarding becomes a checklist exercise. If you do not, offboarding becomes an audit - which takes much longer and misses things. Consider using an onboarding checklist that includes a column for tools and access levels granted to each new hire.
IT Offboarding Timeline
IT offboarding has a clear priority order. Not everything needs to happen immediately, but the highest-risk items - access to live systems - must happen on the day of departure. Here is the timeline structured around actual risk level.
Step-by-Step IT Offboarding Checklist
This checklist is organized by priority. Work through it in order - the most critical security steps come first.
Step 1: Notify your team and prepare
Before the employee's last day, confirm the departure date internally and identify who will take over their responsibilities. Build or pull up your access log. The goal is to start the last day with a complete picture of what needs to be done, not to figure it out on the fly.
If you are running a structured offboarding process, this preparation should begin as soon as the departure is confirmed - whether that is two weeks out for a resignation or the morning of for a termination. Use this time to schedule an exit interview and document knowledge transfer before access is revoked.
Step 2: Disable email and set up forwarding
Email is typically the master key to other accounts - password reset emails go there, client communications come in there, and it contains a record of most business activity. Handle it first.
Set up email forwarding before you suspend the account. In Google Workspace, go to Admin Console, select the user, and set a forwarding address before suspending. In Microsoft 365, create a shared mailbox or forwarding rule first, then disable the sign-in. Do not give the departing employee's password to a colleague - use the admin console.
Step 3: Revoke SSO or identity provider access
If your company uses Google Workspace or Microsoft 365 as your primary identity, suspending the user account in the admin console automatically blocks access to Google or Microsoft services. It does not automatically block access to SaaS tools that have their own login - those need to be revoked individually in step 4.
If you use a dedicated SSO tool like JumpCloud (which has a free tier for small businesses), disabling the account there can revoke access to all connected apps simultaneously. This is the fastest path if you have it set up.
Step 4: Revoke access to every SaaS tool
This is the most time-consuming step because it must be done tool by tool at most small businesses. Work through your access log methodically. The next section of this guide covers specific instructions for the most common SMB tools.
Do not assume that removing someone from Google Workspace removes them from Slack, Asana, HubSpot, or any other tool that has its own user management. Each requires its own revocation.
Step 5: Change all shared passwords
This step is more dangerous to skip at a small business than at an enterprise company, because small businesses have more shared credentials. See the dedicated section on shared passwords below for a complete process.
Step 6: Transfer files and data ownership
Before suspending the email account or removing the user from cloud storage, transfer ownership of their files. In Google Drive, use the Admin Console to transfer all of a user's Drive files to their manager in one action. In Dropbox Business, you can move files to another team member before removing the user.
If you skip this step and delete the account first, you may permanently lose files the employee created - especially in tools where deleting a user also deletes their content.
Step 7: Collect hardware
Laptops, phones, monitors, peripherals, keys, and access badges all need to come back. For in-person employees, collect on the last day. For remote employees, send a prepaid shipping label in advance and confirm receipt before processing the final paycheck.
Document the condition of returned hardware. Take photos if there is any damage. This protects both parties.
Step 8: Handle BYOD (personal devices)
If the employee used personal devices for work, you cannot wipe them without MDM tools. See the BYOD section below for what you can and cannot do without technical infrastructure.
Step 9: Reclaim licenses and subscriptions
SaaS licenses cost money. After access is revoked, check each tool to confirm the seat has been freed. Some tools automatically free the seat when a user is deactivated; others require you to manually downgrade your subscription. Also cancel any tool subscriptions or credit cards tied specifically to the departing employee. For a full list of financial and administrative steps, see our employee offboarding checklist.
Step 10: Run a security review and document everything
After completing the checklist, do a final pass. Review recent account activity for anything unusual in the days leading up to departure. Confirm every item on your access log has been addressed. Document the date and time each step was completed - this is your compliance record if questions arise later. Store this alongside your other HR documentation for the employee.
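The final review in Step 10, sketched as an added example (not part of the original guide or any FirstHR tool): it checks the access log against each tool's current user list, flags shared passwords that were not changed after departure, and confirms that forwarding and file transfer happened before the account was suspended. The CSV layout, names, addresses and dates are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: the access log kept since onboarding.
ACCESS_LOG_CSV = """employee,tool,access_type
jordan@example.com,Google Workspace,individual
jordan@example.com,Slack,individual
jordan@example.com,QuickBooks,individual
jordan@example.com,Company Instagram,shared
jordan@example.com,Shipping portal,shared
"""
# Constructed: active users copied from each tool's admin page after offboarding.
ACTIVE_USERS = {
    "Google Workspace": {"sam@example.com"},
    "Slack": {"sam@example.com"},
    "QuickBooks": {"sam@example.com", "jordan@example.com"},  # missed in step 4
}
# Constructed: when each shared password was last changed.
LAST_ROTATED = {
    "Company Instagram": datetime(2025, 3, 14, 10, 5),
    "Shipping portal": datetime(2024, 11, 2, 9, 0),  # older than the departure
}
# Constructed: completion times written down while working the checklist.
COMPLETED = {
    "set email forwarding": datetime(2025, 3, 14, 9, 10),
    "suspend account": datetime(2025, 3, 14, 9, 20),
    "transfer file ownership": datetime(2025, 3, 14, 9, 40),  # too late
}
# The guide says both of these must happen before the account is suspended.
MUST_PRECEDE_SUSPEND = ["set email forwarding", "transfer file ownership"]


def review_offboarding(employee, departed_at, log_csv=ACCESS_LOG_CSV,
                       active=ACTIVE_USERS, rotated=LAST_ROTATED, done=COMPLETED):
    """Return the outstanding findings for the final security review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["employee"] != employee:
            continue
        tool = row["tool"]
        if row["access_type"] == "individual":
            if tool not in active:  # never checked: flag it rather than assume
                findings.append(f"UNVERIFIED: no user list for {tool}")
            elif employee in active[tool]:
                findings.append(f"ZOMBIE ACCOUNT: {employee} still active in {tool}")
        else:  # shared login: must have been changed at or after departure
            changed = rotated.get(tool)
            if changed is None or changed < departed_at:
                findings.append(f"SHARED PASSWORD NOT ROTATED: {tool}")
    suspended = done.get("suspend account", datetime.max)
    for step in MUST_PRECEDE_SUSPEND:
        if done.get(step, datetime.max) > suspended:
            findings.append(f"ORDER: '{step}' not done before suspension")
    return findings

if __name__ == "__main__":
    print("\n".join(review_offboarding("jordan@example.com", datetime(2025, 3, 14, 9, 0))))
```

An empty result means every logged item was verified; anything returned goes back onto the checklist before the record is archived.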
SMB Tools: Access Revocation Guide
The following table covers the tools most commonly used by small businesses with 5 to 50 employees and where to revoke access for each. All paths assume you are an admin on the account.
| Tool Category | Common SMB Tools | Where to Revoke Access | Time Required |
|---|---|---|---|
| Email | Google Workspace, Microsoft 365 | Admin Console > Users > Suspend | 2 min |
| Messaging | Slack, Teams, Discord | Workspace Settings > Members > Deactivate | 1 min |
| File Storage | Google Drive, Dropbox, Box | Admin Console > Transfer ownership first | 5-10 min |
| Project Mgmt | Asana, Notion, Trello, Monday | Workspace Settings > Members > Remove | 1-2 min each |
| Accounting | QuickBooks, Xero, FreshBooks | Settings > Users > Remove or downgrade | 2-3 min |
| CRM | HubSpot, Salesforce, Pipedrive | Settings > Users > Deactivate | 2 min |
| Design | Figma, Canva, Adobe | Admin > Members > Remove | 1-2 min each |
| Password Mgr | 1Password, LastPass, Bitwarden | Admin > People > Suspend + rotate shared vaults | 5-10 min |
| Video Conf | Zoom, Loom, Riverside | Account Management > Users > Deactivate | 2 min |
| Payroll/HR | Your payroll provider | Terminate in system, cancel direct deposit | 5 min |
Shared Passwords and Credentials
Shared passwords are the most underestimated IT offboarding risk at small businesses. Enterprise companies solve this with SSO - one identity system that controls access to everything. Small businesses typically have dozens of shared logins that were passed around by email, Slack DM, or sticky note.
When an employee leaves, every shared credential they knew becomes a security risk. This includes team email inboxes, social media accounts, billing and subscription accounts, shipping accounts, vendor portals, and any other shared login that was not managed through a password manager with individual access controls.
BYOD: What To Do About Personal Devices
BYOD (Bring Your Own Device) is common at small businesses because it saves money on hardware. The tradeoff is that you have less control over company data on personal devices, especially at offboarding. Here is what you can and cannot do without dedicated MDM tools.
| Risk Scenario | What To Do |
|---|---|
| Company email cached on personal phone | Remote wipe company account via Google Workspace or Microsoft 365 MDM |
| Company files in personal Dropbox or Google Drive | Transfer ownership before access is revoked; cannot retrieve after |
| Company Slack on personal device | Deactivating account removes access; no further action needed |
| Company apps with offline data | Request employee deletes apps; no enforcement without MDM tool |
| Password manager on personal device | Remove from shared vaults; personal vault remains theirs |
For remote employees on BYOD, send written instructions for what needs to be removed and request written confirmation before processing the final paycheck. This creates a record even if you cannot verify enforcement.
Compliance Requirements
Depending on your industry and the type of data you handle, IT offboarding may have specific legal requirements. You do not need to be a compliance expert, but you should know which frameworks apply to your business and what they require at minimum. The NIST Cybersecurity Framework provides a practical baseline for small businesses building security processes.
Even if none of these specific frameworks apply to your business, maintaining a documented record of your offboarding process protects you legally. The U.S. Small Business Administration recommends that small businesses maintain security documentation as part of basic risk management. If a former employee later claims they never had access to something, or if a breach occurs, your timestamped offboarding checklist is evidence of due diligence.
For businesses subject to HIPAA or SOC 2, consider involving your legal or compliance advisor to confirm that your offboarding process meets the specific documentation and timing requirements. The cost of a 30-minute consultation is far less than the cost of a compliance violation.
- 89% of employees still have access to company applications after departure. IT offboarding must happen on departure day, not afterward.
- At small businesses, HR handles IT offboarding. Build an access log during onboarding so offboarding is a checklist exercise, not an audit.
- Shared passwords are the biggest SMB offboarding risk. Change all shared credentials on the day of departure, and consider a team password manager to make future offboarding faster.
- Email is the master key. Set up forwarding before suspending the account - not after. Deleting the account first risks permanently losing important messages and files.
- Document every step with timestamps. This protects you legally, satisfies compliance requirements, and gives you a record if questions arise about a departed employee's access.
Frequently Asked Questions
What is IT offboarding?
IT offboarding is the process of revoking a departing employee's access to company systems, tools, and data. It includes disabling email accounts, removing access to SaaS applications, collecting company hardware, rotating shared passwords, and wiping company data from personal devices. IT offboarding is distinct from HR offboarding, which covers final pay, benefits termination, and exit interviews. Both must happen when an employee leaves, but IT offboarding focuses specifically on data security and system access.
Who is responsible for IT offboarding - HR or IT?
At most small businesses with 5 to 50 employees, there is no dedicated IT department. That means HR, the office manager, or the business owner handles IT offboarding tasks. This is normal and manageable as long as you have a checklist and work systematically through each system the employee had access to. The key is to build and maintain an access log during onboarding, so offboarding is a matter of working through a known list rather than trying to remember every tool.
How long should IT offboarding take?
The most critical steps - disabling email, revoking SSO access, and changing shared passwords - should happen on the day of departure, ideally within the first hour. Secondary steps like transferring file ownership and removing from individual SaaS tools should be completed within 24 hours. Hardware collection, BYOD cleanup, license reclamation, and documentation can be completed within one week. The total time investment for a 10 to 20 person company is typically 2 to 4 hours, depending on how many tools the employee had access to.
What is the biggest IT offboarding risk for small businesses?
The biggest risk for small businesses is shared passwords. Enterprise companies use SSO tools like Okta that let you disable access to dozens of apps simultaneously. Small businesses typically have dozens of shared logins - team email inboxes, social media accounts, billing accounts, vendor portals - that must be changed manually. If you miss even one, a departing employee retains access indefinitely. Building a shared credential inventory and using a password manager with team access features significantly reduces this risk.
What should I do with a departing employee's email?
First, set up email forwarding to a manager or the employee's replacement before suspending the account - this ensures no incoming messages are lost. Then suspend the account rather than deleting it immediately. Most platforms retain suspended account data for 30 days, giving you time to back up important emails and contacts. After 30 days, you can delete the account or archive it depending on your business needs. Do not give the departing employee's email password to a colleague - use the admin console to access or forward the account directly.
How do I handle offboarding for a remote employee?
Remote employee IT offboarding follows the same steps but has additional considerations. You cannot physically collect hardware on the last day, so arrange shipping in advance with a prepaid label. For access revocation, everything is handled digitally - disable accounts remotely through admin consoles the same day. For BYOD situations, request the employee wipe company apps and data before their last day, and verify via your admin console where possible. Document everything in writing and get written confirmation from the employee that hardware has been shipped.
What is a zombie account and why is it dangerous?
A zombie account is an active user account that belongs to someone who no longer works at your company. It typically exists because IT offboarding was incomplete or not performed at all. Zombie accounts are a serious security risk because former employees can use them to access company data, customer information, or financial systems long after their employment ended. Research shows that 89% of employees can still access corporate applications after departure. For small businesses, a zombie account in your accounting software or CRM represents direct access to sensitive business and customer data.
Do I need to track IT offboarding for compliance?
Yes, for most businesses. If you handle health information, you need to document access revocation for HIPAA compliance. If you process credit card payments, PCI DSS requires you to remove access immediately and rotate shared credentials. If you handle personal data of EU or California residents, GDPR and CCPA require that former employees cannot access that data. Even if no specific regulation applies to your business, maintaining a documented record of offboarding steps protects you legally if a departed employee later claims wrongful data access or if a breach occurs.