Your IT Person Just Put In Their Two Weeks. Here’s What That Actually Means for Your Business.

There’s a moment that happens in small offices all the time — maybe it happened to you — where the person who “handles the computers” sends a resignation email, gives their two weeks, maybe trains someone briefly on a few things, and then walks out the door.

In most cases, the transition feels fine. Their laptop gets collected. Their email gets forwarded. Someone else takes over the helpdesk tickets. Life goes on.

What doesn’t get handled — almost every single time — is everything they knew that nobody thought to document, and everything they could still access that nobody thought to turn off.

The Problem Isn’t What They Took. It’s What They Left Behind.

When a key IT employee or contractor leaves, the immediate concern most managers have is: did they take anything? That’s a reasonable instinct. A 2019 study by OneLogin found that 50% of former employees still had access to company systems after leaving, and of the businesses surveyed, 20% had already experienced a data breach caused by a former employee. Separate research from the Ponemon Institute put the number of employees who took company data with them when they left at 59%.

But the quieter, more persistent risk is the opposite problem: the access that stayed open without anyone realizing it.

Over months or years, a dedicated IT person accumulates access points that nobody else knows exist. They created the admin account on the firewall. They set up the cloud backup service under their own email. They’re the one who knows the root password to the server in the back room. They configured the VPN credentials for the remote access tool. They registered the domain through their personal GoDaddy account because it was faster at the time. They have the login to the security camera system saved in their browser.

None of this was malicious. It was just how things got done in a small office. But when they leave, every one of those access points remains active. And depending on who that person was and how they left, those open doors represent risk ranging from inconvenient to serious.

Three Scenarios, None of Them Theoretical

The friendly departure that still goes wrong. Your IT person left on good terms for a better opportunity. No hard feelings. But six months later, their personal laptop — which still has their credentials saved — gets compromised in a breach of an unrelated website where they reused their password. Attackers now have the username and password combination that still works on your remote access tool, because nobody audited which credentials needed to be rotated when they left. The breach originates from an account that shouldn’t have existed for months.

The undocumented system that becomes a crisis. Your IT person managed a backup system that ran quietly in the background. When they left, they explained the basics, but nobody asked for the recovery documentation. Fourteen months later, ransomware hits your file server. IT support is called in. The backup system hasn’t been running correctly since a configuration change that happened eight months ago — a change that was never communicated because the person who would have noticed it was already gone. The backups are there. The data isn’t.

The vendor access that nobody reviewed. Before leaving, your IT person had set up remote access for a third-party software vendor — a service account with its own credentials, used for remote maintenance. That vendor relationship ended a year ago, but the service account is still active in your system. Neither you nor your current IT support knew it existed. It doesn’t show up on your standard user list because it was created as a local account on one specific server. Attackers who compromised that vendor in a separate incident used those credentials to access your environment months after everyone had moved on.

What a Good Offboarding Actually Covers

Most office managers think of IT offboarding as: collect the laptop, disable the email, done. That covers maybe 20% of the actual surface area.

A proper IT offboarding includes a systematic review of every account the departing employee had access to — not just their personal login, but every shared account, admin credential, vendor portal, cloud service, and hardware management console they touched. This list is longer than you’d expect even in a small office.

It includes rotating shared credentials for anything they had access to, because changing a password for one account does nothing for the six shared accounts that used the same credentials. A 2024 Cloud Security Alliance survey found that 52% of organizations had experienced a security incident tied specifically to access mismanagement — credentials that were never properly revoked or rotated after personnel changes.

It includes reviewing which systems were set up under their personal accounts or personal email addresses — domain registrars, SSL certificate authorities, cloud hosting accounts, backup platforms. These are the ones that silently stop working at renewal time when nobody has access to the email address that receives the notices.

It includes documenting what they knew. Not as a farewell favor to the employee, but because a managed IT environment where critical systems are only understood by one person is not a managed environment — it’s a single point of failure wearing an IT department’s name.
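As an added illustration (not part of the original article), the account review, credential rotation and ownership checks described above can be run as a script over an access inventory. The CSV columns, account names, dates and the `audit_offboarding` helper are all constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: one row per credential, with who knows it.
INVENTORY_CSV = """system,account,kind,known_by,enabled,last_rotated,contact_email
Microsoft 365,jsmith@example.com,individual,jsmith,yes,2023-01-10,jsmith@example.com
Firewall,admin,shared,jsmith;mlee,yes,2022-06-01,it@example.com
Backup service,backup-admin,shared,jsmith,yes,2024-03-20,jsmith.home@mail.test
Domain registrar,example.com,shared,jsmith,yes,2021-09-15,jsmith.home@mail.test
File server,vendor-svc,service,vendor,yes,2022-02-02,support@vendor.test
Microsoft 365,mlee@example.com,individual,mlee,yes,2024-01-05,mlee@example.com
Camera system,viewer,shared,jsmith,no,2020-05-05,it@example.com
"""

# Constructed: parties (staff or vendors) who have left, and when.
DEPARTED = {"jsmith": date(2024, 3, 1), "vendor": date(2023, 6, 30)}

def audit_offboarding(inventory_csv, departed, company_domain):
    """Return (action, system, account) for every credential a departed party still holds."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"] != "yes":
            continue  # already disabled, nothing left to revoke
        holders = row["known_by"].split(";")
        gone = [h for h in holders if h in departed]
        if not gone:
            continue
        target = (row["system"], row["account"])
        # A login or service account whose only holders have left should not exist.
        if row["kind"] in ("individual", "service") and len(gone) == len(holders):
            findings.append(("DISABLE",) + target)
            continue
        # A shared secret stays valid for the leaver until it is rotated after they go.
        if date.fromisoformat(row["last_rotated"]) < max(departed[h] for h in gone):
            findings.append(("ROTATE",) + target)
        # Renewal and recovery notices must reach a mailbox the company controls.
        if not row["contact_email"].endswith("@" + company_domain):
            findings.append(("TRANSFER",) + target)
    return findings

if __name__ == "__main__":
    for action, system, account in audit_offboarding(INVENTORY_CSV, DEPARTED, "example.com"):
        print(f"{action:<9}{system}: {account}")
```

The backup service row shows why rotation alone is not enough: its password was changed after the departure, yet the account is still registered to a personal mailbox.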

One Thing You Can Check Right Now

If you use Microsoft 365, there’s one quick audit you can do from the admin portal without any technical background. Go to the Microsoft 365 Admin Center, navigate to Users, and filter by “Recently deleted” and separately review Active users. Look for any accounts that belong to people who are no longer with the organization.

When an account is deleted in Microsoft 365, it sits in a soft-delete state for 30 days before being permanently removed. But more importantly, active accounts for departed employees can exist indefinitely if nobody specifically disabled them — and a surprising number of small offices have active email accounts, and therefore active login credentials, for people who left a year or more ago.

That’s the visible part. The less visible part — the firewall admin credentials, the backup system access, the vendor portals, the domain registrar — requires a structured review that goes beyond what the admin portal shows you.

The Part That’s Hard to DIY

The challenge with IT offboarding isn’t that it’s technically complex — most of the individual steps are straightforward. The challenge is that you don’t know what you don’t know.

If your departing IT person was the one who built and managed the environment, they’re also the person best positioned to know what needs to be handed off. When that handoff doesn’t happen properly — which is most of the time, because departures are rushed and documentation is rarely someone’s priority when they’re focused on their next job — the gaps don’t reveal themselves right away. They reveal themselves six months later, when the backup fails, or the domain expires, or an audit finds an active account for someone who hasn’t worked there in a year.

The right answer is an environment that doesn’t depend on any one person’s memory in the first place — where accounts are centrally managed, access is documented, systems are inventoried, and offboarding is a checklist rather than an improvised scramble. That’s not a feature of having the right IT person. It’s a feature of having the right IT structure. And that structure is exactly what a managed IT partnership is designed to provide.

If your organization has been through a recent IT transition — or if you’re honestly not sure who has access to what — that uncertainty itself is worth a conversation.