The moment you hand someone a termination letter, a countdown starts. Not metaphorically — literally. Their credentials still work. Their email still receives. Their VPN tunnel is still open. And if they're angry enough, or opportunistic enough, the window between termination and access revocation is all they need.
In one of the most-discussed incidents in recent cybersecurity circles, two fired federal workers allegedly wiped 96 government databases within minutes of their termination — because their credentials hadn't been deactivated in time. Minutes. Not hours. The damage was done before anyone realized the accounts were still live.
That's the extreme version. But the underlying risk? Every small business with a terminated employee and an unclosed account is carrying the same exposure.
Why This Is Worse Than You Think
Most small business owners picture an insider threat as someone dramatically sabotaging systems. The reality is far quieter — and harder to catch.
According to The Hacker News, the most dangerous activity inside organizations no longer looks like an attack — it looks like administration. Trusted credentials executing familiar tasks. File exports that mirror normal behavior. Login events that match historical patterns. A live ex-employee credential is, from your monitoring system's perspective, indistinguishable from a current employee doing their job. You won't see the red flag until the damage is already done.
The Foxconn ransomware attack reinforced this same lesson at scale: organizations that don't control access tightly during personnel transitions face existential disruption, not just data loss. Nitrogen ransomware doesn't care whether the credential it's riding belongs to a current employee or someone who was let go last Tuesday.
And if you think a written offboarding policy covers you — it doesn't. As security researchers have argued recently, checkbox assessments aren't fit to measure real risk. A paper offboarding policy that isn't enforced in real time is compliance theater. The twin brothers incident proved that in under ten minutes.
The Real Attack Surface: Your Offboarding Gap
Here's what live post-termination credentials actually expose at a typical 50-person company:
- Email access — customer data, contracts, internal communications, password reset links
- Cloud storage — Google Drive, Dropbox, SharePoint folders with years of sensitive files
- SaaS applications — CRM, accounting software, HR platforms, project management tools
- VPN or remote access — a direct tunnel into your internal network
- Admin accounts — if they had elevated privileges, the blast radius is catastrophic
- Shared credentials — passwords they knew that haven't been rotated
This connects directly to a broader problem we've covered before: accidental credential exposure through third-party integrations is already a significant risk — and that's before you factor in a motivated ex-employee who knows exactly where your sensitive data lives.
The Offboarding Security Checklist
This isn't a policy document. This is a same-day execution checklist. Run it the moment termination is confirmed — ideally before the conversation happens.
Before the Termination Meeting
- [ ] Identify all systems the employee has access to (pull from your IAM tool or manually audit)
- [ ] Prepare account suspension actions in advance so they can be executed in one step
- [ ] Alert IT/sysadmin to be on standby
- [ ] If the termination is involuntary, do NOT wait until after the meeting
During or Immediately After Termination
- [ ] Disable the primary SSO/Active Directory/Azure AD account first — this cascades to connected apps
- [ ] Revoke Microsoft 365 or Google Workspace sessions and sign out all active sessions
- [ ] Disable VPN credentials and remote access certificates
- [ ] Change any shared passwords the employee had access to
- [ ] Suspend, don't just disable — you may need audit logs before deletion
Within the First Hour
- [ ] Audit active sessions across SaaS platforms (Salesforce, HubSpot, QuickBooks, etc.)
- [ ] Revoke API keys or tokens associated with their account
- [ ] Remove from all distribution lists and shared mailboxes
- [ ] Transfer ownership of files, projects, and documents to a manager
- [ ] Disable MFA devices tied to their account (authenticator apps, hardware keys)
Within 24 Hours
- [ ] Review their access logs for the 48 hours prior to termination (baseline for anomaly detection)
- [ ] Notify relevant vendors or clients if the employee had external-facing relationships
- [ ] Rotate credentials for any privileged accounts they shared
- [ ] Document everything — timestamp each action taken
Within the First Week
- [ ] Conduct a full privilege audit — did their access reflect their actual role? (See our guide on preventing employee privilege escalation)
- [ ] Check for any forwarding rules set up in their email
- [ ] Verify no new accounts were created under their identity before termination
- [ ] Archive their email per your retention policy
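The log-review and action-timestamping steps in the checklist above, as an added example that is not part of the original post: it takes the termination time, the timestamped revocation actions and an event log, then labels the departed user's activity by where it falls relative to the offboarding gap. The user names, systems, action names, field layout and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from a real incident; all field names are assumptions.
D = lambda day, h, m: datetime(2024, 5, day, h, m)
TERMINATED_AT = D(14, 15, 0)
REVOKED_AT = {"sso": D(14, 15, 4), "vpn": D(14, 15, 50)}  # "crm" was never revoked
WATCH = {"forwarding_rule_created", "export", "account_created"}
EVENTS = [  # (time, user, system, action)
    (D(13, 22, 10), "jdoe", "mail", "forwarding_rule_created"),
    (D(14, 9, 30), "jdoe", "sso", "login"),
    (D(14, 15, 2), "jdoe", "sso", "login"),
    (D(14, 15, 20), "jdoe", "vpn", "connect"),
    (D(14, 15, 30), "asmith", "crm", "export"),
    (D(14, 16, 5), "jdoe", "vpn", "connect"),
    (D(15, 8, 0), "jdoe", "crm", "export"),
]

def exposure_minutes(terminated_at, revoked_at, systems):
    """Minutes each system stayed usable after termination (None = still open)."""
    out = {}
    for s in systems:
        t = revoked_at.get(s)
        out[s] = None if t is None else max(0, int((t - terminated_at).total_seconds() // 60))
    return out

def classify(events, user, terminated_at, revoked_at, lookback=timedelta(hours=48)):
    """Label the departed user's events relative to termination and revocation."""
    findings = []
    for ts, who, system, action in sorted(events):
        if who != user:
            continue
        revoked = revoked_at.get(system)
        if ts >= terminated_at:
            if revoked is None:
                label = "ON_UNREVOKED_SYSTEM"   # nobody closed this account
            elif ts >= revoked:
                label = "AFTER_REVOCATION"      # the recorded revocation did not stop access
            else:
                label = "IN_GAP"                # between termination and revocation
        elif ts >= terminated_at - lookback and action in WATCH:
            label = "PRE_TERMINATION_REVIEW"    # e.g. a forwarding rule set up beforehand
        else:
            continue
        findings.append((label, system, action, ts.isoformat(timespec="minutes")))
    return findings

if __name__ == "__main__":
    print(exposure_minutes(TERMINATED_AT, REVOKED_AT, ["sso", "vpn", "crm"]))
    print(*classify(EVENTS, "jdoe", TERMINATED_AT, REVOKED_AT), sep="\n")
```

An `AFTER_REVOCATION` finding is the one to escalate first: it means a recorded checklist action did not actually cut off access on that system.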
The CMMC and Compliance Angle
If you're a government contractor pursuing CMMC Level 1, access control isn't optional — it's a scored practice. AC.1.001 and AC.1.002 explicitly require limiting system access to authorized users and controlling the flow of CUI. A terminated employee with live credentials is a direct compliance failure. Our CMMC Level 1 compliance guide breaks down what auditors actually look for — and improper offboarding is near the top of the list.
The Systemic Fix: Don't Rely on Memory
Checklists help. But the real answer is making offboarding impossible to skip or delay. That means:
Centralized identity management. If every app authenticates through a single SSO provider, one account disable cascades everywhere. If your apps each have independent logins, you're playing whack-a-mole under pressure.
Documented access inventory. You can't revoke access to systems you don't know exist. Maintain a living list of every application, every privileged account, and every shared credential tied to each employee.
Automated triggers. Some HR platforms can trigger IT workflows on status change. Build the automation before you need it — not during a tense termination.
Regular access audits. Don't wait for offboarding to discover that someone had admin rights they shouldn't have had for two years.
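How a documented access inventory turns into a prepared revocation plan, as an added example that is not part of the original post: it puts the SSO disable first, lists what that cascade does not reach, and reports systems seen in logs that the inventory is missing. The inventory fields, auth categories, system names and observed-systems set are constructed assumptions, as is the ordering after the SSO step.

```python
# Constructed inventory for one employee; field names and auth categories are assumptions.
INVENTORY = {
    "jdoe": [
        {"system": "google-workspace", "auth": "sso", "admin": False, "api_tokens": 0},
        {"system": "salesforce", "auth": "sso", "admin": True, "api_tokens": 2},
        {"system": "quickbooks", "auth": "local", "admin": True, "api_tokens": 0},
        {"system": "vpn", "auth": "certificate", "admin": False, "api_tokens": 0},
        {"system": "wifi-psk", "auth": "shared", "admin": False, "api_tokens": 0},
    ]
}
# Systems the user was seen authenticating to (constructed; e.g. from proxy or IdP logs).
OBSERVED = {"jdoe": {"google-workspace", "salesforce", "quickbooks", "vpn", "dropbox"}}

ACTION = {"local": "disable local login", "certificate": "revoke certificate",
          "shared": "rotate shared credential"}

def revocation_plan(entries):
    """Ordered (action, system) steps: SSO first, then whatever the cascade misses."""
    plan = []
    federated = sorted(e["system"] for e in entries if e["auth"] == "sso")
    if federated:
        plan.append(("disable SSO account", ", ".join(federated)))
    # Not reached by the SSO disable; privileged access goes first.
    direct = [e for e in entries if e["auth"] != "sso"]
    for e in sorted(direct, key=lambda e: (not e["admin"], e["system"])):
        plan.append((ACTION[e["auth"]], e["system"]))
    # Assumption: app-issued API tokens keep working until revoked in the app itself.
    for e in sorted(entries, key=lambda e: e["system"]):
        if e["api_tokens"]:
            plan.append((f"revoke {e['api_tokens']} API token(s)", e["system"]))
    return plan

def inventory_gaps(entries, observed):
    """Systems seen in logs but missing from the inventory."""
    return sorted(observed - {e["system"] for e in entries})

if __name__ == "__main__":
    for step in revocation_plan(INVENTORY["jdoe"]):
        print(*step, sep=": ")
    print("not in inventory:", inventory_gaps(INVENTORY["jdoe"], OBSERVED["jdoe"]))
```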
The window between termination and access revocation is the most preventable attack surface in your organization. Close it before it becomes a crisis.
Take Action
Access control gaps don't announce themselves — they sit quietly until someone with a grievance and live credentials decides to act. Proactive scanning catches misconfigurations, exposed credentials, and privilege issues before a terminated employee — or anyone else — can exploit them.
Oscar Six Security's Radar gives small businesses and MSPs a $99 vulnerability scan that surfaces exactly the kind of credential and access exposure that makes offboarding failures so dangerous. It's not a compliance checkbox — it's a real-time look at what an attacker (or an ex-employee) could actually reach.
Focus Forward. We've Got Your Six.