
Small Business Employee Offboarding: Why Disabling Their Account Isn't the Finish Line in 2026

89% of former employees still have access to company apps after leaving. Here's the small business employee offboarding checklist that actually closes the gap.

Imagine your bookkeeper left two months ago. Friendly resignation. You took her laptop back, paid out her leave, sent her off with a card. Last week you opened Dropbox to find a file and noticed her name still sitting in the user list. You're not sure if she's logged in since. You're not sure how to check. You're not sure how many other apps she's still inside.

That moment — the small jolt of "oh no, what else?" — is what proper offboarding is supposed to prevent. And for businesses with one to ten staff, it almost never does. Recent research from Beyond Identity found that 89% of former employees still retain access to private business apps and data after leaving, and a OneLogin study of 500 IT decision-makers reported that 32% of organisations take more than seven days to fully de-provision a former employee. Twenty percent of accounts stay active for up to a month.

Those numbers come from surveys that lean toward larger businesses. For a five-person company without a dedicated IT person, the gap is wider. This article is for the owner who handles offboarding between meetings — what's actually changed in 2026, what most small businesses miss, and a checklist you can run in under an hour the next time someone walks out the door.

What "offboarded" usually means at a small business

For most businesses under ten staff, offboarding looks like this. The person resigns. You change their email password. You collect their laptop. You tell the team. You move on.

That's the official process at a lot of businesses I've seen, and it leaves enormous gaps. The laptop sitting on your shelf isn't where the risk lives. The risk lives in the dozens of cloud apps that employee logged into over the years — many of which you never set up, never paid for, and don't have an admin login to.

Think about what a typical staff member touches in a year at a small business: email and calendar, the shared drive, the accounting system, payroll, the project management tool, a customer database, the bookkeeping app, Canva, ChatGPT, the password manager, maybe a marketing tool or two, a file-sharing link they created for a client three months ago. Each of those is a separate login. Each one needs to be revoked individually. None of them turns off automatically when you change their email password.

The 89% stat from Beyond Identity isn't measuring negligence. It's measuring the natural state of a digital business: things stay turned on until someone deliberately turns them off, and small businesses rarely have a deliberate process for it.

Why the directory account isn't the finish line

Here's the part most owners don't realise. When you disable a former employee's account in your main identity system — usually Microsoft 365 or Google Workspace — you have not actually locked them out of most other apps.

You've locked them out of email. That's it.

For every app where the employee used "Sign in with Microsoft" or "Sign in with Google," disabling the directory account does eventually cut access — but not immediately. Active browser sessions can stay logged in for days. Refresh tokens issued to mobile apps can remain valid until they expire. And any app where the employee created a username and password instead of using single sign-on continues to work indefinitely. Those apps aren't even aware the main account is gone.

A 2026 Cloud Security Alliance report on offboarding during layoffs put this bluntly: disabling an identity provider account does not revoke access to most SaaS applications. The session lives in the browser, the app, and the API token — not in your directory.

This is why former employees can still read Slack messages, browse Notion, and pull customer lists out of HubSpot weeks after their account "officially" no longer exists. They're not hacking anything. They're just using the same login they always have.

The cost of getting it wrong for a small business

A small business doesn't have a security team to catch this, and most don't have cyber insurance that covers misuse by former staff. So the consequences are direct.

Most data theft from former employees happens in the first 90 days after resignation. Beyond Identity's research found that 56% of former employees admitted to using their continued access to actively harm a previous employer. Another study showed that 41% had shared their workplace logins with someone else after leaving. These aren't ransomware crews. These are people who used to work for you.

Even when no one acts maliciously, orphaned accounts are an attack surface. Every unused login is a credential floating around in someone's password manager, an old email, a sticky note. If it gets dumped in a breach somewhere, attackers will try it against your systems. They love former-employee accounts because nobody's watching them. Login attempts don't trigger anyone's attention. Multi-factor authentication might not be enforced because nobody's reviewed the setup since the person left.

For a 5- to 10-person business, the financial blast radius of a single account compromise — a stolen invoice template, a fake supplier change-of-details email, a payroll file pulled from your accounting system — can easily run into tens of thousands of dollars. And it almost always starts somewhere quiet, like a forgotten Xero login from a contractor who left in 2023.

The small business offboarding checklist that actually works

You don't need an enterprise tool to do this properly. You need a list, a discipline, and about 45 minutes. Here's the version I'd recommend for a business of one to ten people, in the order I'd do it.

In the same hour the person leaves

The first hour matters more than the next seven days combined. Whether the departure was friendly or not, the priority is the same: cut the active sessions before anyone has time to think about what they could grab.

Change the password on their main email account — don't disable it yet, you may need to read incoming mail. Sign them out of every active session in the admin console (Microsoft 365 calls this "Sign out of all sessions"; Google Workspace calls it "Reset sign-in cookies"). This invalidates their browser logins everywhere they were already signed in, including third-party apps. Revoke any "Sign in with Microsoft" or "Sign in with Google" tokens by reviewing the connected apps list. If they had admin rights anywhere, remove them.

If they had a company phone or a personal device with a work profile, lock or wipe it from the device management console. Forward their email to whoever is taking over their work. Set an out-of-office message.

That covers the immediate exposure.

Within 24 hours

This is the long tail of apps. Open your subscription list — your billing records, your last credit card statement, your password manager's shared vault — and write down every cloud service the business pays for. For each one, find your admin login and either remove the user, transfer their data to another account, or downgrade their role to read-only if you need to keep their history visible.

Don't trust your memory. Most small businesses have between 30 and 80 SaaS subscriptions, and the average owner can name about 15 of them off the top of their head. The rest hide in your billing.

Special attention to: the accounting system, payroll, the password manager (this one is critical — revoke their shared vault access), the CRM, the file-sharing services (Dropbox, OneDrive, Google Drive, WeTransfer), the project management tool, anything with customer data, and any app that talks to your bank. Rotate any shared passwords they had access to. Yes, all of them. It's a pain, but a shared password is the same as them keeping a copy of the original.
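The billing sweep above is the step most owners do from memory. As an added example (not code from the article or from Vera), the script below turns a few constructed card-statement lines into an app inventory, flags which apps sit behind your identity provider's sign-in and which have their own username and password (the ones a directory disable never touches), and lists the merchant descriptors it could not identify so you can review them by hand. The statement lines, the keyword-to-app map, and the set of SSO-connected apps are all assumptions made up for the example; in practice the map grows as you read real statements and the SSO list comes from the connected-apps page in Microsoft 365 or Google Workspace.

```python
import re
from collections import defaultdict

# Constructed sample: raw card-statement lines (date, merchant descriptor, amount).
# Descriptors are deliberately messy, the way they arrive on a real statement.
STATEMENT_LINES = """
2026-01-03  DROPBOX*A1B2C3 SAN FRANCISCO       19.99
2026-01-05  XERO AUSTRALIA PTY LTD             70.00
2026-01-07  CANVA* I03XYZ SYDNEY               17.99
2026-01-09  GOOGLE *WORKSPACE                   72.00
2026-01-12  OPENAI *CHATGPT SUBSCR             30.00
2026-01-15  ZAPIER.COM                          29.99
2026-02-03  DROPBOX*D4E5F6 SAN FRANCISCO       19.99
2026-02-05  XERO AUSTRALIA PTY LTD             70.00
2026-02-07  CANVA* I03ABC SYDNEY               17.99
2026-02-09  GOOGLE *WORKSPACE                   72.00
2026-02-12  OPENAI *CHATGPT SUBSCR             30.00
2026-02-14  BUNNINGS 1234 WAREHOUSE            148.20
"""

# Hand-maintained map from a descriptor keyword to the app it belongs to
# (an assumption for this example; you extend it as you review statements).
VENDOR_KEYWORDS = {
    "DROPBOX": "Dropbox",
    "XERO": "Xero",
    "CANVA": "Canva",
    "GOOGLE *WORKSPACE": "Google Workspace",
    "OPENAI": "ChatGPT",
    "ZAPIER": "Zapier",
}

# Apps whose logins are federated through the identity provider (constructed for the
# example; in practice read from the connected-apps page of your directory).
SSO_APPS = {"Google Workspace", "Dropbox"}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+?)\s+(\d+\.\d{2})$")


def parse_statement(text):
    """Yield (date, descriptor, amount) per statement line; skip blanks and non-matching lines."""
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), float(m.group(3))


def identify_app(descriptor):
    """Map a merchant descriptor to an app name, or None if no keyword matches."""
    upper = descriptor.upper()
    for keyword, app in VENDOR_KEYWORDS.items():
        if keyword in upper:
            return app
    return None


def build_inventory(text):
    """Return {app: {"charges": n, "months": set, "sso": bool}} for every recognised vendor."""
    inventory = defaultdict(lambda: {"charges": 0, "months": set(), "sso": False})
    for date, descriptor, _amount in parse_statement(text):
        app = identify_app(descriptor)
        if app is None:
            continue
        entry = inventory[app]
        entry["charges"] += 1
        entry["months"].add(date[:7])      # YYYY-MM, so recurring charges are visible
        entry["sso"] = app in SSO_APPS
    return dict(inventory)


def manual_revocation_list(inventory):
    """Apps with a local username/password: disabling the directory account does not touch these."""
    return sorted(app for app, entry in inventory.items() if not entry["sso"])


def unrecognised_vendors(text):
    """Descriptors that matched no keyword; review these, some will be SaaS you forgot you pay for."""
    return sorted({desc for _date, desc, _amt in parse_statement(text) if identify_app(desc) is None})


if __name__ == "__main__":
    inv = build_inventory(STATEMENT_LINES)
    for app, entry in sorted(inv.items()):
        print(f"{app:18} charges={entry['charges']} months={sorted(entry['months'])} sso={entry['sso']}")
    print("Remove the user by hand in:", manual_revocation_list(inv))
    print("Unrecognised descriptors:", unrecognised_vendors(STATEMENT_LINES))
```

Run it against a real statement export and the "unrecognised descriptors" line is the useful part: every descriptor you cannot explain is either a one-off purchase or a subscription that never made it onto your list.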

Within 7 days

Now look at the things that are easy to forget. Shared inboxes (sales@, info@) — remove their login and rotate the password. Customer-facing accounts you've shared with them — your domain registrar, your website hosting, your Mailchimp, your Stripe. Any external services your business uses where they were the one who set it up: the IT vendor, the freelance designer's portal, the insurance broker's client area.

Check your mobile device management or the equipment list to confirm every device is back and wiped. If they used a personal phone for work email or two-factor codes, make sure the apps are removed and the codes rotated to the new owner. Check your physical access — keys, building access fobs, alarm codes — but you probably already had this one.

If they had API keys or developer tokens issued to them personally, revoke and rotate. This applies to very few small businesses, but those that use Zapier, Make, or similar automation tools often have personal API keys flowing through them. Those keys outlive the person.

Within 30 days

A month after they leave, do a quiet audit. Pull the login history of every app you have admin access to and check if the former employee's account shows any sign-ins after their last day. If it does, that account isn't fully closed and you have a real problem. Don't ignore it.

This is also when you should remove their backup contact details from any account where they're listed as a recovery email or phone number. People forget this, and recovery contacts are a quiet way for former staff to still hold the keys.
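The 30-day audit and the recovery-contact sweep are both checks you can run over exported data rather than by clicking through each admin console. As an added example (not code from the article or from Vera), the script below takes a constructed register of departed staff with their last working day, a constructed sign-in export normalised into one simple line format, and a constructed list of recovery contacts, and reports two things: every successful sign-in or token refresh by a departed user after their last day, grouped by app, and every account where that person is still the recovery email or phone. The log shape, the user names, and the account names are assumptions for the example; real exports (Microsoft Entra sign-in logs, the Google login audit, a Dropbox activity report) each have their own columns, so you would map each into this shape first. Note the Dropbox line: it is a token refresh, not a password login, which is exactly the refresh-token case described earlier that a directory disable alone does not stop.

```python
from datetime import datetime

# Constructed register: departed staff and their last working day (dates treated as UTC).
DEPARTED = {
    "sam@example.com": "2026-01-31",
}

# Constructed sign-in export in a simple common shape:
# app | ISO-8601 timestamp | user | event | result
SIGNIN_LOG = """
Xero      | 2026-01-30T09:12:00Z | sam@example.com  | password_login | success
Xero      | 2026-02-03T21:47:10Z | sam@example.com  | password_login | success
Dropbox   | 2026-02-01T08:05:00Z | sam@example.com  | token_refresh  | success
Dropbox   | 2026-02-06T08:05:00Z | sam@example.com  | token_refresh  | failure
Canva     | 2026-02-10T13:00:00Z | sam@example.com  | password_login | success
Xero      | 2026-02-10T13:00:00Z | ali@example.com  | password_login | success
"""

# Constructed recovery-contact records: which account lists whom as its recovery contact.
RECOVERY_CONTACTS = [
    {"account": "Stripe",    "recovery_email": "sam@example.com",   "recovery_phone": "+61400000001"},
    {"account": "Registrar", "recovery_email": "owner@example.com", "recovery_phone": "+61400000001"},
    {"account": "Mailchimp", "recovery_email": "owner@example.com", "recovery_phone": "+61400000002"},
]
# Constructed: the phone number the departed person used for work two-factor codes.
DEPARTED_PHONES = {"sam@example.com": "+61400000001"}


def parse_signins(text):
    """Yield one dict per log line; timestamps become timezone-aware datetimes."""
    for raw in text.strip().splitlines():
        app, ts, user, event, result = (field.strip() for field in raw.split("|"))
        yield {
            "app": app,
            "when": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "event": event,
            "result": result,
        }


def post_departure_access(text, departed):
    """Successful sign-ins or token refreshes by a departed user after their last day, by app."""
    findings = {}
    for rec in parse_signins(text):
        last_day = departed.get(rec["user"])
        if last_day is None or rec["result"] != "success":
            continue
        # Anything after 23:59:59 UTC on the last working day counts as post-departure.
        cutoff = datetime.fromisoformat(last_day + "T23:59:59+00:00")
        if rec["when"] > cutoff:
            findings.setdefault(rec["app"], []).append((rec["when"].isoformat(), rec["event"]))
    return findings


def lingering_recovery_contacts(records, departed, phones):
    """Accounts where a departed person is still the recovery email or recovery phone."""
    hits = set()
    for rec in records:
        for person in departed:
            if rec["recovery_email"] == person or rec["recovery_phone"] == phones.get(person):
                hits.add((rec["account"], person))
    return sorted(hits)


if __name__ == "__main__":
    for app, events in sorted(post_departure_access(SIGNIN_LOG, DEPARTED).items()):
        print(f"{app}: {len(events)} post-departure event(s)")
        for when, event in events:
            print(f"    {when}  {event}")
    for account, person in lingering_recovery_contacts(RECOVERY_CONTACTS, DEPARTED, DEPARTED_PHONES):
        print(f"recovery contact still set: {account} -> {person}")
```

Any app that appears in the first report is an account that is not closed, whatever the directory says; any account in the second report can be recovered by the former employee without a password at all.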

The accounts you will forget

Here's a list of the orphaned accounts I see most often at small businesses, in roughly the order they're missed.

Personal-pay subscriptions where the employee used their work card. Tools they set up for a one-off project two years ago. Free-tier accounts where there's no recurring charge to remind you. Anything they signed up for using their personal email address but tied to work data — this is shadow IT, and it's the hardest to find because it never touched your billing. Old vendor portals where the employee was the named contact. Anything ending in .com/share/ that lets the world read a customer list because the share link was never expired.

Torii's 2026 SaaS Benchmark Report noted that AI tools now account for the majority of newly unmanaged apps in small businesses. That's a real shift. A year ago, the leaked subscriptions were Canva and ChatGPT. Today they're Claude, Midjourney, Grammarly Pro, ten different transcription tools, and whatever the marketing person tried last month. Most of these were signed up for with a personal email and a company credit card, which means they don't show up in your identity provider at all.

Why a list isn't enough — and what to do instead

A checklist gets you through the first month after someone leaves. It doesn't solve the underlying problem, which is that you don't have a current, complete picture of what apps your business uses, what each person has access to, or what's still subscribed under someone's name. Until you have that picture, every offboarding will leave a few doors quietly open.

What you actually need is visibility. A single place that shows you every active app, every active licence, every active user, and how those things connect to each other. So when someone leaves you can see at a glance: these are the eleven things they had access to, and here's the status of each. Not a guess. Not a list you maintain in a spreadsheet that's six months out of date.

For larger businesses this is what an IT department or an MSP provides. For a business with five staff, that's overkill and out of budget. But the underlying need is real, and it's the gap small business tools have ignored for years.

Where Vera fits

We built Vera for exactly this kind of moment. Vera is a small business IT dashboard that gives you a single view of your hardware, your software licences, your team, your tasks, and the security state of your business. When someone leaves, you can open the team page, see every licence and asset tied to their name, and tick through them one by one without hunting through eleven different billing portals to remember what they had.

It also has the checklist built right in. Everything you just read above — the same-hour session sign-out, the 24-hour app sweep, the 7-day long tail, the 30-day audit — Vera ships with an offboarding checklist that runs through those steps for you, and you can customise it to match how your business actually works. Add the apps specific to you. Reorder the steps. Drop the ones that don't apply. The next time someone resigns, you're not rebuilding the process from memory or copying a checklist off a blog post. You open the person's profile, start the checklist, and work down a list that already knows what your business uses.

That's the difference between a checklist you have to remember and one that's waiting for you. The first one leaks. The second one closes the gaps because the gaps are already on it.

That's the kind of visibility offboarding has needed for years and small businesses have never had. Not because it's complicated to build, but because nobody built it for businesses your size. Vera is for the bookkeeper, the studio owner, the agency director — the people who don't have an IT team but still need to know what's actually going on.

If "what does my former employee still have access to?" is a question you've asked recently and not been able to answer, take a look at Vera. The setup wizard walks you through linking your accounts, and within an hour you'll have a clearer view of your business's IT footprint than you've had in years.

The takeaway

Disabling an email account isn't offboarding. It's the start of offboarding. The real work is in the 30 to 80 other apps your business uses that don't talk to your main identity system — and in catching the orphaned access months and years before someone with bad intentions finds it first.

The next time someone resigns, run the checklist above the same week. And in the longer term, give yourself the visibility you'd want to have on the day you find out a former employee has been logging into Dropbox for two months. That's a moment worth preventing.