
How to Onboard and Offboard Employees the Secure Way
When a new employee joins your firm, they need access to systems, client files, email, and tools. When they leave, all of that access needs to be revoked. Completely. Immediately.
This sounds straightforward, but most professional services firms handle it poorly. Onboarding is a scramble to get the new person up and running, and offboarding is often an afterthought that happens days or weeks after someone leaves, if it happens at all.
In a firm that handles sensitive client data (financial records, legal documents, health information), this is not just an inconvenience. It is a security risk with real consequences.
Why This Matters More Than You Think
Consider what a departing employee typically has access to:
- Client financial records or legal case files
- Email conversations containing confidential information
- Cloud storage with years of firm documents
- Practice management systems with billing data
- Communication platforms with internal discussions
If that access is not revoked promptly, you are exposed. A disgruntled former employee could access client data. A compromised former account could be used as an entry point for attackers. Even without malicious intent, lingering access violates compliance requirements that many professional firms are subject to.
According to industry research, the average organization takes over a week to fully deprovision a departing employee. For firms handling sensitive client data, that week is an eternity. For more on protecting client data, see our guide to cybersecurity for professional services.
The Secure Onboarding Checklist
Good onboarding does two things simultaneously: it gets the new employee productive quickly, and it establishes proper security practices from day one.
Before Their First Day
- **Provision accounts.** Create their email, practice management login, and access to relevant systems before they arrive. Do not share existing credentials as a temporary measure.
- **Set permissions.** Grant access only to the systems and data they need for their role. Not everything. Just what is necessary. This is the principle of least privilege, and it is foundational to good security.
- **Prepare hardware.** Their computer should be configured with endpoint protection, disk encryption, and your firm's security policies before it reaches their desk.
- **Assign a buddy.** Pair them with someone who can answer process questions and model good security habits.
First Week
- **Security training.** Before they touch client data, walk them through your firm's security policies. Cover password management, phishing awareness, data handling procedures, and what to do if something looks suspicious.
- **MFA setup.** Help them configure multi-factor authentication on every system that supports it. Do not make this optional.
- **Tool training.** Show them how to use your firm's systems properly. The faster they learn the right way to do things, the less likely they are to create workarounds that introduce risk.
- **Policy acknowledgment.** Have them sign your acceptable use policy, data handling policy, and any industry-specific compliance acknowledgments.
The Secure Offboarding Checklist
Offboarding should be treated as seriously as onboarding, perhaps more so because the risks of getting it wrong are immediate.
Immediately Upon Departure
- **Disable all accounts.** Email, practice management, cloud storage, communication tools, everything. Do not delete yet (you may need the data), but disable access within an hour of their last moment at the firm.
- **Change shared passwords.** If the departing employee had access to any shared credentials (which ideally they should not, but reality is messy), change them immediately.
- **Revoke MFA tokens.** Remove their devices from any MFA systems.
- **Collect hardware.** Retrieve laptops, phones, and any other firm-owned devices. Wipe them according to your data handling policy.
- **Revoke VPN and remote access.** If they could access firm systems remotely, shut that down first.
Within 48 Hours
- **Review file access logs.** Check whether any unusual downloads or data transfers occurred in the days leading up to departure.
- **Forward email.** Set up email forwarding to an appropriate team member so client communications are not missed.
- **Update client contact information.** Notify affected clients that their point of contact has changed.
- **Document the transition.** Record what projects the departing employee was handling and who is taking over.
Within 30 Days
- **Archive their email and files.** Move their data to a secure archive according to your retention policy.
- **Audit remaining access.** Verify that no lingering permissions exist in any system.
- **Update your employee access matrix.** Remove them from your master list of who has access to what.
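The 30-day audit described above, as an added example that is not code from the original article: a Python script that reconciles an HR roster against each system's account export and a shared-credential register, and reports accounts still enabled for departed staff, accounts with no roster entry at all, and shared passwords not rotated since a departed holder left. The systems, usernames and dates are constructed sample data, not a real firm's.

```python
"""Offboarding access audit: added example, not code from the original article.
Reconciles an HR roster with per-system account exports and a shared-credential
register, then reports every place a departed employee still has access.
All data below is constructed; a real firm would load the same shapes from its
HR system and each tool's user export."""
from datetime import date

# Constructed roster: "departed" is None for current staff.
ROSTER = {
    "jdoe": {"departed": date(2024, 3, 1)},
    "asmith": {"departed": None},
    "bwong": {"departed": date(2024, 2, 15)},
}
# Constructed per-system exports: (system, username, account_enabled).
ACCOUNTS = [
    ("email", "jdoe", True), ("email", "asmith", True),
    ("practice_mgmt", "jdoe", False), ("practice_mgmt", "bwong", True),
    ("vpn", "bwong", True), ("cloud_storage", "asmith", True),
    ("cloud_storage", "contractor1", True),  # no roster entry at all
]
# Constructed register of shared credentials (ideally empty) and last rotation.
SHARED_CREDENTIALS = {
    "client-portal-admin": {"holders": {"jdoe", "asmith"}, "rotated": date(2024, 1, 10)},
    "office-wifi": {"holders": {"bwong"}, "rotated": date(2024, 2, 20)},
}

def audit(roster, accounts, shared, today):
    """Findings for the access audit: accounts still enabled for departed staff,
    accounts with no roster entry, and shared credentials not rotated since a
    departed holder left."""
    findings = []
    for system, user, enabled in accounts:
        if user not in roster:
            findings.append({"type": "unknown_account", "system": system, "user": user})
            continue
        departed = roster[user]["departed"]
        if enabled and departed is not None:
            findings.append({"type": "lingering_account", "system": system, "user": user,
                             "days_since_departure": (today - departed).days})
    for name, info in shared.items():
        gone = [roster[u]["departed"] for u in info["holders"] if roster.get(u, {}).get("departed")]
        # Rotation must postdate the most recent departure among the holders.
        if gone and info["rotated"] < max(gone):
            findings.append({"type": "unrotated_shared_credential", "credential": name})
    return findings

if __name__ == "__main__":
    for finding in audit(ROSTER, ACCOUNTS, SHARED_CREDENTIALS, date(2024, 3, 10)):
        print(finding)
```

Each finding maps directly to a row to remove from the access matrix or a credential to rotate, so the same output can drive the spreadsheet checklist the article recommends for smaller firms.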
Common Mistakes Firms Make
**Using shared logins.** When multiple people share a login, you cannot revoke access for one person without disrupting everyone. Every employee should have individual credentials for every system.
**Forgetting about third-party tools.** Your checklist covers your core systems, but what about the employee's Canva account, their Zoom login, their access to a client's portal? Shadow IT makes offboarding harder, which is another reason to manage your vendor relationships carefully.
**No documentation.** If your onboarding and offboarding processes exist only in someone's head, they will be executed inconsistently. Write them down, assign responsibility, and review them regularly.
**Treating voluntary departures differently from involuntary ones.** The security checklist should be identical regardless of the circumstances. People who leave on good terms still represent a security risk if their access remains active.
Automate What You Can
Manual offboarding is error-prone. Consider investing in identity management tools that can disable access across multiple systems with a single action. For smaller firms, even a well-maintained spreadsheet with a checklist beats relying on memory.
If your firm uses single sign-on (SSO), offboarding becomes significantly easier because disabling the SSO account cascades across connected systems. This is one more reason to invest in reducing employee tech friction through better identity management.
Make It Part of Your Culture
For a broader view of operational efficiency and secure practices, explore our guide to streamlining operations for professional firms.
Security-conscious onboarding and offboarding should not feel like a burden. It should be as natural as giving someone a key when they join and collecting it when they leave. The firms that build these processes into their culture protect their clients, their reputation, and their peace of mind.