← All articles

The hidden security risks of poor leaver management (and how to fix them)

When someone leaves your business, most of the attention goes to the exit interview, the handover and the leaving card. The IT side is often an afterthought, quietly bolted on at the end of the day the person walks out the door.

That's where the risk lives.

Poor leaver management is one of the most common — and most preventable — security weaknesses in small businesses. Here's what actually goes wrong, and how to fix it.

The risks nobody talks about

1. Orphaned accounts

An account that still exists but no longer belongs to anyone active is a gift to attackers. It doesn't get monitored. Nobody notices unusual sign-ins. And because the person has left, no one is going to flag a suspicious MFA prompt.

Orphaned Microsoft 365 accounts are one of the most common footholds in small business breaches.

2. Lingering access to shared systems

Even when the main account is disabled, the leaver may still have:

  • Access to shared mailboxes
  • Membership of Teams and SharePoint sites
  • Logins to third-party SaaS tools (CRM, finance, marketing, design)
  • A personal device still signed in to company data
  • Saved credentials in a browser profile

Each one of those is a route back in.

3. Wasted licences

Every inactive Microsoft 365 or SaaS licence you keep paying for is money leaving the business every month for nothing. Small businesses routinely find they're paying for 10-20% more licences than they actually need, purely because leavers were never cleaned up.

4. Data walking out the door

Without a proper offboarding process, it's very easy for a leaver to take:

  • Client lists
  • Pricing documents
  • Templates and proposals
  • Files synced to a personal OneDrive or Google Drive

The legal position is often clear. The practical position — proving what left, and stopping it — is much harder without controls in place.

5. Loss of business knowledge

When a leaver's mailbox and OneDrive are deleted too quickly, so is a lot of institutional knowledge: client threads, quotes, contracts, project history. Delete too slowly and you're paying for storage on data nobody owns.

How to fix it

1. Disable, don't delete

On the leaver's last day (or during their exit meeting, if it's a sensitive departure):

  • Block sign-in on the Microsoft 365 account immediately
  • Revoke all active sessions and tokens
  • Reset the password to something nobody knows
  • Remove them from every security and distribution group

Deletion comes later, once you're confident nothing is needed.

2. Convert the mailbox

Convert the leaver's mailbox to a shared mailbox. This preserves email history without needing a paid licence, and lets a manager access anything client-facing.

3. Reassign the OneDrive

Give the manager access to the leaver's OneDrive for a defined window (30-90 days is typical), then archive or delete in line with your data retention policy.

4. Reclaim the licence

Remove the Microsoft 365 licence as soon as the mailbox is converted. The saving is small per user but adds up quickly across a year.

5. Audit third-party access

Keep a simple list of every SaaS tool your business uses and who has access to each. On offboarding, work through the list. This is the step most small businesses skip — and the one attackers rely on.

6. Collect and wipe the device

For company-owned devices, wipe and re-enrol before reissuing. For personal devices used under a BYOD policy, remotely remove the company data via device management.

7. Document the offboarding

A one-page record of what was disabled, when, and by whom protects you if a question comes up later — whether from a client, a regulator or the leaver themselves.

The short version

Good leaver management is boring, repeatable, and quiet. That's exactly what makes it work. If someone leaves and nothing bad happens, that's the sign you got it right.

If you'd rather not build this process yourself, starter and leaver management is included as standard with Dynamiti One — accounts disabled, licences reclaimed and access removed within minutes of being told.

The insurance angle

Cyber insurance renewals increasingly ask direct questions about how you manage leavers. If you cannot answer them honestly, you risk either a higher premium or a rejected claim after an incident. Getting your leaver process in order is one of the quickest ways to improve both your security posture and your paperwork.

Do not forget shared accounts

Many small businesses still rely on a handful of shared logins for tools that do not support proper user accounts. When someone leaves, those passwords should be changed immediately. Keep a short list of shared credentials so you know exactly what to rotate on a leaver's last day.

A simple monthly audit

Once a month, run a quick check of active accounts, active licences, and active devices against your current staff list. Anything that does not match gets investigated. This ten minute habit catches almost every leaver related issue before it turns into a problem.

Frequently asked questions