Access Risk
SCENARIO
A Former Employee Still Has Access to Company Files
THE SCENARIO
A sales manager leaves your business after several years. Their departure is handled quickly - HR processes the exit, but IT is never formally notified. Three months later, their Microsoft 365 account is still active. They can log in to the shared client database, the company Google Drive and your CRM. Whether they do or not is something your business has no way of knowing.
1. How This Typically Happens
Off-boarding processes in most small and medium businesses are informal and incomplete. There is rarely a formal checklist that connects HR decisions to IT actions. When someone leaves, their payroll stops - but their digital access often continues indefinitely. Systems accumulate over time, and there is no single place to check which accounts are active and which should have been deactivated.
2. Why Businesses Often Miss the Warning Signs
No one has a complete view of which former staff have active accounts. IT support is typically reactive rather than proactive, and without a regular access review, accounts simply persist. The risk is largely invisible because nothing appears to go wrong - until a former employee downloads a client list, joins a competitor with detailed knowledge of your accounts, or an audit reveals a control gap.
Former employee able to access and download client records, financial information or confidential documents
Competitive risk if the person joins a competitor while retaining access to your data
POPIA risk if the continued access enables unauthorised processing of personal information
Difficulty proving what data was accessed if an incident occurs later
Potential legal exposure depending on what the former employee does with the access
4. Questions Management Should Ask
When did management last review which current and former employees have active accounts on company systems?
Is there a formal off-boarding checklist that includes an IT access revocation step?
Does your business use any shared accounts or group logins that departing staff may still know the credentials for?
How would you know if a former employee logged in to a company system today?
5. Practical Steps to Improve Visibility
1. Conduct an immediate audit: ask your IT support or service provider to list all active user accounts across every business system you use
2. Compare that list against your current employee list and arrange for any unmatched accounts to be deactivated
3. Create a simple off-boarding checklist that includes a step to notify IT to deactivate all access on the employee's last working day
4. Review and change any shared passwords or group credentials that a departing employee would have known
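Steps 1 and 2 amount to reconciling per-system account exports against the HR roster. The sketch below is an added example, not ComplyBar's tooling: the CSV column names, the sample accounts and the `find_unmatched` function are assumptions, and all data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data: HR roster of current staff.
ROSTER_CSV = """email,name
thandi@example.com,Thandi M
pieter@example.com,Pieter V
"""

# Constructed per-system exports: email, enabled flag, last sign-in date.
EXPORTS = {
    "Microsoft 365": """email,enabled,last_sign_in
Thandi@Example.com,true,2024-06-03
pieter@example.com,true,2024-06-02
sipho@example.com,true,2024-05-28
sales@example.com,true,2024-06-01
""",
    "CRM": """email,enabled,last_sign_in
thandi@example.com,true,2024-06-03
sipho@example.com,true,
old.temp@example.com,false,2023-01-10
""",
}

def norm(email):
    # Systems differ in case and padding; compare a normalised form.
    return email.strip().lower()

def find_unmatched(roster_csv, exports, last_day=None):
    """Return enabled accounts that match no current employee.
    last_day optionally maps a leaver's email to their last working day."""
    staff = {norm(r["email"]) for r in csv.DictReader(io.StringIO(roster_csv))}
    last_day = last_day or {}
    findings = []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = norm(row["email"])
            if row["enabled"].strip().lower() != "true" or email in staff:
                continue
            seen = date.fromisoformat(row["last_sign_in"]) if row["last_sign_in"] else None
            left = last_day.get(email)
            # A sign-in after the last working day is the case to investigate first.
            findings.append({"system": system, "email": email, "last_sign_in": seen,
                             "used_after_exit": bool(seen and left and seen > left)})
    return sorted(findings, key=lambda f: (not f["used_after_exit"], f["email"], f["system"]))

if __name__ == "__main__":
    for f in find_unmatched(ROSTER_CSV, EXPORTS, {"sipho@example.com": date(2024, 3, 1)}):
        print(f)
```

Unmatched entries that are not people, such as the shared `sales@` mailbox in the sample, are the shared logins step 4 covers: give each a named owner and change its password when someone who knew it leaves.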