
What to Do When a Former Employee Still Has Access to Your Files

Someone left the firm months ago, and their name is still in your shared drive. That uneasy feeling in your gut is the right one — a person who no longer works for you can still get into your stuff.


Maybe you just found out. Maybe you are about to let someone go and want to cut access cleanly. Either way, this is one of those quiet risks that is easy to ignore until it bites.

Here is the short version. A former employee who still has access is a real risk: they can take client data and designs, delete things, or create liability you do not want. The fix is fast and complete: disable their main account right away, sign them out of everything, reset shared passwords, hunt down the logins that survive, transfer their files and email, get the devices back, and write down every step. Then put a real offboarding process in place so it never lingers again.

This is more common than you think

You are not the only firm with this gap. Studies of departing employees suggest that around a quarter still have access to old work accounts, and some reports put it higher. Many organizations take more than a week to fully cut someone off, and a large share of people who leave keep access to at least some apps and data.

There is a sharper edge too. A big chunk of intellectual property theft happens in the weeks right around a resignation, when someone has one foot out the door and still holds the keys. This is not about assuming the worst of people. It is about not leaving the door unlocked.

The front door was locked, but two windows were wide open. The leftovers are the windows.

What a former employee can still reach

To cut access, you have to know what access exists. It is usually more than people realize.

  • Their email, which may hold years of client conversations and project history.
  • Your file share or cloud storage, where the projects live.
  • Your design and project software, like Autodesk accounts or Procore.
  • Remote access, like a VPN or remote desktop, which lets them in from anywhere.
  • Any shared logins the team passed around.
  • Outside apps you signed up for that are not tied to your main login.
  • A company laptop or phone sitting in their car.
  • Passwords saved in their browser.

Here is the scary part. Disabling one account does not close all of these. The shared logins, the apps that have their own separate password, and the saved credentials all survive. That is exactly how a former employee keeps getting back in.

Do this first, today

If someone with lingering access needs to be cut off now, here is the order. The first three steps matter most.

  • Disable their main account. At most firms, that is their Microsoft 365 or Google account. Disabling it blocks them from email, files, and any app that logs in through that account. Do not just change the password. Disable the account.
  • Sign them out everywhere. Disabling the account stops new logins, but a session they already have open can keep working for a while. Use the “sign out everywhere” or “revoke sessions” option so any device they are still logged in on gets kicked out.
  • Reset shared passwords. If your team shared any logins (and most do), the former employee still knows them. Change every shared password they could have known: the plotter, the bank, the Autodesk account, the social media, all of it. We cover why shared logins are a trap in our post on what small firms get wrong about passwords.

The sneaky leftovers

This is where firms think they are done and are not. A few things survive the steps above, and you have to hunt them down on purpose.

Apps with their own separate login. Any tool your firm uses that the person signed into directly, not through your main account, still has them in it. Go through your list of software and remove them from each one.

Personal devices. If they used a personal phone or home computer for work, your files, email, or saved passwords may still be on it. Company email on a personal phone is a common one. You want that access removed remotely if you can.

Saved passwords and forwarding tricks. Check whether their account had email forwarding set up to a personal address, or auto-rules that quietly copy mail out. Those can keep leaking even after you disable the account.

Remote access. VPN and remote desktop logins are a direct path back in. Make sure theirs is gone, not just their main account.


Do not forget the files and the trail

Two more things, because cutting access is not the whole job. Get their work out before you delete anything. Their email and files may hold project history and client conversations you need. Transfer or archive their mailbox and files to someone who is staying, before you close or delete the account for good. And get the company devices back.

Then write it all down. Note what you disabled, when, and who did it. If a question ever comes up later about a data breach, a client dispute, or a compliance check, that record is your proof that you handled it. Documenting the steps with dates turns “we think we got everything” into “here is exactly what we did.”
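For a firm on Microsoft 365, the disable, sign-out, and forwarding checks described above can be run together with a dated record of each step. This is an added PowerShell example, not part of the original post; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you run it as an admin, and the account name and log path are placeholders.

```powershell
# Added example: offboard one Microsoft 365 account and log every step.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. former.employee@example.com (placeholder)
    [string] $LogPath = '.\offboarding-log.csv'           # hypothetical log location
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false
$operator = (Get-MgContext).Account

# Append one dated row per action: what was done, when, and by whom.
function Write-Step([string] $Action, [string] $Detail) {
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Operator     = $operator
        Account      = $UserPrincipalName
        Action       = $Action
        Detail       = $Detail
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# 1. Disable the account itself, not just the password.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Write-Step 'DisableAccount' 'accountEnabled set to false'

# 2. Sign out everywhere: invalidate refresh tokens so open sessions stop renewing.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Step 'RevokeSessions' 'sign-in sessions revoked'

# 3. Mailbox-level forwarding to another address.
$mbx = Get-Mailbox -Identity $UserPrincipalName
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Step 'ForwardingFound' "smtp=$($mbx.ForwardingSmtpAddress); recipient=$($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null
    Write-Step 'ForwardingCleared' 'mailbox forwarding removed'
}

# 4. Inbox rules that forward or redirect mail out.
$rules = Get-InboxRule -Mailbox $UserPrincipalName |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
foreach ($rule in $rules) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ }
    Write-Step 'ForwardingRuleFound' "rule='$($rule.Name)' to=$($targets -join '; ')"
    Disable-InboxRule -Identity $rule.Identity -Confirm:$false
    Write-Step 'ForwardingRuleDisabled' "rule='$($rule.Name)'"
}
```

The script covers only the main account; shared passwords, apps with their own login, and VPN or remote desktop accounts still have to be handled separately and added to the same log.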

The real fix: a real offboarding process

Putting out this fire is reactive. The proactive move is a simple, written offboarding process, so the next person who leaves gets cut off the same day, every time, with nothing missed. A good process has the parts in the same order every time: HR signals the last day, someone disables the main account and revokes sessions, shared passwords get reset, apps and remote access get removed, files and email get transferred, devices get collected, and the whole thing gets logged.

When that runs like a checklist, “wait, can they still get in?” stops being a question you ever have to ask. Big firms cut access the moment someone walks out. A small firm can do the same. It just takes a plan instead of hoping someone remembers. We dig into building that process, and protecting your data through every departure, in our post on what happens to your firm’s data when someone quits.

Frequently asked questions

As fast as possible, ideally the same day they leave, and within the hour for an involuntary exit. The longer access lingers, the bigger the risk of data being taken or an old login being abused. Disable the main account and revoke active sessions first.

No. Disable the account, not just change the password, and sign them out of active sessions. Then reset any shared passwords they knew and remove them from apps that have their own separate login. Changing one password leaves several doors open.

Yes. They can take client data and designs, delete or alter files, or expose information that creates liability for your firm. A lot of data theft happens right around a departure, which is exactly why fast, complete cutoff matters.

That is a real gap. Company email and files on a personal device can stay there after they leave. You should remove that access remotely where possible, and a clear policy on personal devices helps prevent the problem in the first place.

We will close the door completely

Cutting off a former employee sounds simple and is easy to get half-right, which is the same as getting it wrong. We help small architecture and engineering firms around Knoxville cut access cleanly and completely when someone leaves, and set up an offboarding process so it happens the same way every time.

If someone left your firm and you are not sure they are fully locked out, give us a call. We will check every door, close the ones still open, and set things up so the next departure is clean.

Key takeaways

  • A former employee with lingering access is a real and common risk. Studies suggest a large share of people who leave keep access to old accounts, and much data theft happens right around a departure.
  • Disabling one account is not enough. Shared logins, apps with their own separate password, personal devices, and remote access all survive. You have to hunt down the leftovers on purpose.
  • Move fast and in order: disable the main account, revoke active sessions, reset shared passwords, remove them from every app and remote login, transfer their files and email, collect devices, and log every step. Then prevent it with a written offboarding process.

Not sure a former employee is fully locked out?

We check every door, close the ones still open, and set up clean offboarding so the next departure is simple. No obligation, no sales pitch.


Sources: 1 in 4 Ex-Employees Still Has Access (Leading IT); Terminated Employee Offboarding (DoControl); Remove a Former Employee (Microsoft 365).
