A staff member hands in their notice. HR processes the paperwork, IT is notified to return the laptop, and someone organises a farewell card. A week later, that person’s email account is still active, their access to the client database has not been revoked, and the shared password they used for the accounting platform has not been changed. Nobody meant for this to happen. It simply fell through the gaps.
Employee offboarding cyber risk is one of the most consistent and underaddressed vulnerabilities we see in Australian organisations. Unlike a phishing attack or a technical breach, it does not announce itself. It accumulates quietly, one departed staff member at a time, until an organisation has a shadow population of former employees who can still access systems, data and accounts they have no business touching.
For directors, owners and senior leaders, this is a governance issue as much as a technical one. The question is not simply whether IT revokes access. It is whether the organisation has a structured, consistent process that ensures nothing is missed when someone leaves, whether on good terms or not.
Why employee offboarding cyber risk deserves leadership attention
Staff turnover is a normal part of organisational life. What is not normal, but surprisingly common, is the cyber exposure that turnover leaves behind. When a staff member departs and their access is not properly managed, the organisation faces several distinct risks that compound over time.
First, there is the risk of deliberate data exfiltration. A departing employee, particularly one who is leaving under difficult circumstances, may download client lists, financial records, strategic plans or other sensitive information before they go. In many cases this happens in the final days of employment, when the person still has full system access and their activity is not being monitored any more closely than usual.
Second, there is the risk of lingering access being exploited by a third party. A former employee whose credentials remain active is a ready-made entry point for anyone who obtains those credentials, whether through a phishing attack, a credential breach at another service, or simply because the former employee shared them carelessly after leaving.
Third, and perhaps most commonly, there is the risk of shared credentials that are never updated. When a team uses a single login for a platform and a member of that team leaves, the credential does not expire with their employment. Unless the password is changed promptly, anyone who has it retains access indefinitely.
Each of these risks is manageable. However, managing them consistently requires deliberate process, clear accountability and, ideally, a way to verify that the process has been followed. That is where most organisations fall short.
What we see when offboarding and cyber risk collide
The patterns that emerge in this area are consistent regardless of organisation size or sector. They are worth naming plainly because they are easy to miss until something goes wrong.
Access revocation is slow or incomplete
In many organisations, access revocation depends on HR notifying IT, IT actioning the request, and individual system administrators removing access from specific platforms. Each handoff in that chain is a point of failure. Furthermore, when someone leaves unexpectedly or the notice period is short, the process is often rushed or skipped entirely. The result is accounts that remain active for days, weeks or even months after departure.
Nobody knows what access the person actually had
One of the most common gaps we see is that no single record exists of what systems and platforms a departing staff member could access. Without a clear access register, offboarding becomes a guessing exercise. A cyber security assessment often reveals that organisations have far more active credentials for former staff than anyone in leadership realised.
Shared credentials are not treated as an offboarding item
Many organisations use shared logins for platforms where individual accounts are impractical or expensive. When a staff member who knew those credentials leaves, the credential does not automatically become invalid. In most cases, nobody thinks to update it. Consequently, that access remains available to anyone who has the password, including people who are no longer employed by the organisation.
The risk is higher when departures are not amicable
When a staff member is made redundant, dismissed, or leaves under difficult circumstances, the risk profile of their departure is meaningfully different from a voluntary resignation on good terms. However, in most organisations, the offboarding process is identical regardless of the circumstances. There is no mechanism to escalate access revocation or data monitoring when the situation warrants it.
Contractors and third parties are frequently overlooked
Permanent employees are at least usually in the HR system. Contractors, consultants and third-party users often are not. When their engagement ends, there is frequently no formal offboarding process at all, meaning their access may persist indefinitely simply because nobody thought to remove it.
What a well governed offboarding process looks like
Addressing employee offboarding cyber risk does not require sophisticated technology. It requires a consistent, documented process with clear ownership and a way to verify that it has been completed. In practice, a well governed organisation does the following.
- Maintains a current access register for all staff and contractors, so that when someone leaves there is a clear record of what needs to be revoked, not a guessing exercise.
- Completes access revocation on the last day of employment as a matter of process, not as an afterthought, and tracks this through a cyber security dashboard so that leadership has visibility and a documented record.
- Treats shared credential updates as a standard offboarding step, with a clear owner responsible for ensuring they are changed whenever a team member who knew them departs.
- Has a documented escalation process for higher risk departures, such as dismissals or redundancies, that includes immediate access suspension and a review of recent data activity.
- Extends its offboarding process to contractors and third-party users, not just permanent employees, and reviews access for this group at least quarterly.
The common thread is documentation and visibility. A process that exists only in someone’s head, or that depends on informal communication between HR and IT, will fail consistently. A process that is documented, assigned to a named owner and verified on completion is far more likely to hold up under pressure.
A practical starting point for leaders
If you are not sure how your organisation currently manages employee offboarding cyber risk, start with a few direct questions. When someone left your organisation in the last six months, how long did it take for their access to be fully revoked? Is there a single person accountable for ensuring that happens? And could you produce a record of what was done within a day if an insurer or regulator asked?
If those questions are difficult to answer, that is your starting point. A cyber security assessment can help surface the full picture of where offboarding gaps sit alongside the other human and technical risks that leadership needs visibility over.
It is also worth connecting your offboarding review to the work you are doing on staff awareness more broadly. The same governance thinking that applies to onboarding applies in reverse when someone leaves, and both deserve a consistent, documented approach.
Get started with 4walls
At 4walls, we work with boards, owners, principals and CEOs who want a clear, practical picture of where their human cyber risk actually sits. Employee offboarding cyber risk is one of the most consistent gaps we see across Australian organisations of all sizes, and it is almost always fixable once it is visible.
If you would like to understand how your organisation manages staff access and offboarding, our cyber governance principles training and Board cyber check in are designed to help leadership teams build the visibility and structure that makes these questions straightforward to answer.
Our structured cyber dashboard and reporting framework is fully set up and live within 30 days, giving leadership a clear view of overall cyber posture, technical compliance, prioritised actions and user awareness engagement. Within that first 30 days, cyber becomes trackable and reportable, ready for leadership, board or insurer discussions. If you are not sure how your organisation would stand up to that level of scrutiny, our 3 minute cyber starting point check gives you an immediate view of where the gaps are.
Employee offboarding cyber risk does not have to be a blind spot. It just needs a bit of deliberate attention at the right moment.