Why Bad Employee Onboarding Creates Cybersecurity and IT Problems Later

Employee onboarding is usually viewed as an HR task. 

A new employee gets paperwork, a desk, an email address, a few software logins, and maybe a laptop. If they can start working on day one, the onboarding process feels successful. 

But from an IT and cybersecurity perspective, onboarding is much more than getting someone set up quickly. 

Good onboarding defines who has access to what, which devices are assigned, which software accounts are created, how passwords are managed, whether Multi-Factor Authentication is enabled, how Microsoft 365 is configured, and what needs to be removed when that employee eventually leaves. 

Poor onboarding creates problems that often stay hidden for months or years. 

Then one day, during employee offboarding, a cyber insurance renewal, a security incident, or a routine IT review, the business discovers old accounts, shared passwords, unmanaged devices, former employees with access, or software subscriptions nobody remembers approving. 

In many cases, messy offboarding does not begin when an employee leaves. 

It begins on the employee’s first day. 

For small and mid-sized businesses in South Florida and Middle Tennessee, better onboarding and offboarding processes can reduce cybersecurity risk, improve productivity, simplify IT support, and protect business data.

Click to learn more about our Managed IT Services

Offboarding Problems Usually Start on Day One

When an employee leaves a company, the business usually wants a simple outcome: 

Remove their access, collect their devices, protect company data, and move on. 

That sounds straightforward. 

But offboarding becomes difficult when the business does not know exactly what access the employee had in the first place. 

For example: 

    • Which Microsoft 365 account did they use? 
    • Did they have access to shared mailboxes? 
    • Were they added to Teams, SharePoint, or OneDrive folders? 
    • Did they use a company laptop or personal device? 
    • Did they have VPN or remote access? 
    • Were they given admin rights? 
    • Did they use shared passwords? 
    • Did they create accounts for software tools without IT knowing? 
    • Did they have access to vendor portals, accounting platforms, CRMs, or project management systems? 

If those details were never documented during onboarding, offboarding becomes a guessing game. 

That is where security gaps happen. 

A former employee account may stay active. A shared password may remain unchanged. A Microsoft 365 license may keep renewing. Remote access may still work. A personal device may still contain business data. 

The best offboarding process starts with clean onboarding.

Table of Contents

Why Employee IT Onboarding Matters More Than Most Businesses Realize

Employee onboarding affects far more than first-day productivity. 

It shapes the security of your entire IT environment. 

When onboarding is structured, every new employee receives the right tools, the right access, the right device setup, and the right security expectations from the beginning. 

When onboarding is rushed, inconsistent, or informal, small mistakes pile up. 

Those mistakes may include: 

    • Giving too much access too soon 
    • Reusing old accounts 
    • Sharing passwords 
    • Skipping Multi-Factor Authentication setup 
    • Using personal devices without controls 
    • Forgetting security awareness training 
    • Failing to document software access 
    • Allowing employees to create their own tools and subscriptions 
    • Not defining who approves access requests 

These issues may not create an immediate problem, but they weaken your security posture over time. 

A business may not realize there is a problem until an employee leaves, a phishing attack succeeds, a cyber insurance application asks detailed questions, or a cybersecurity assessment reveals gaps.

Click to learn more about our Cybersecurity Services

Common IT Onboarding Mistakes That Create Risk

Bad onboarding is rarely intentional. 

Most businesses are simply trying to move quickly. A new employee needs to start working, the manager is busy, HR is handling paperwork, and IT may receive incomplete information. 

The result is often a rushed setup that works in the short term but creates long-term risk.

Shared Logins 

Shared logins are one of the most common onboarding shortcuts. 

Instead of creating a unique account for each employee, a business may use one shared login for a software tool, vendor portal, email account, or system. 

This may feel convenient, but it creates major security and accountability problems. 

With shared logins, it becomes difficult to know: 

    • Who accessed the account 
    • Who made changes 
    • Who downloaded data 
    • Who approved a transaction 
    • Who still knows the password 
    • Whether a former employee can still log in 
    • Shared logins also make offboarding harder. If five employees share the same password and one leaves, the password needs to be changed and redistributed securely. In many businesses, that step gets missed. 

A better approach is to create individual user accounts whenever possible and limit access based on role.

Unmanaged Microsoft 365 Accounts 

Microsoft 365 is central to how many businesses operate. 

Employees use it for email, Teams, OneDrive, SharePoint, calendars, documents, and collaboration. That makes Microsoft 365 onboarding especially important. 

Common Microsoft 365 onboarding problems include: 

    • MFA not enabled 
    • Users added to the wrong groups 
    • Too much access to SharePoint or OneDrive folders 
    • Old licenses reused without review 
    • Shared mailboxes added without documentation 
    • Former employee mailboxes left active 
    • No clear process for email forwarding or delegation 

A Microsoft 365 account is not just an email address. It is often a gateway to company files, conversations, calendars, contacts, and cloud data. 

That access should be created carefully and removed promptly when no longer needed.

Personal Devices Without Clear Rules 

Many small businesses allow employees to use personal laptops, phones, or tablets for work. 

This is not automatically wrong, but it needs clear rules. 

Without a device policy, businesses may not know: 

    • Which personal devices access company email 
    • Whether those devices are encrypted 
    • Whether they require passwords or biometrics 
    • Whether business data is stored locally 
    • Whether the device can be wiped if lost 
    • Whether former employees still have company data after leaving 

Personal devices can create serious risk when employees access Microsoft 365, cloud storage, or business applications without security controls. 

A good onboarding process should define whether employees use company-owned devices, personal devices, or a controlled bring-your-own-device approach. 

Too Much Access Too Soon 

New employees often receive access based on convenience rather than necessity. 

A manager may say, “Give them access to everything the last person had.” 

That may seem efficient, but it can create risk. 

The previous employee may have accumulated access over several years. They may have belonged to groups, folders, applications, or systems the new employee does not need. 

This creates unnecessary exposure. 

Access should be based on job responsibilities, not copied blindly from another user. 

A better onboarding process asks: 

    • What systems does this employee need? 
    • What data should they access? 
    • What data should they not access? 
    • Who approves access? 
    • Should access be temporary or permanent? 
    • Should access be reviewed later? 

The principle is simple: give employees the access they need to do their job, not everything they might possibly use someday. 

No Documentation of Apps and Permissions 

One of the biggest onboarding mistakes is failing to document what was created. 

An employee may be given access to Microsoft 365, accounting software, CRM, payroll, vendor portals, file shares, project tools, password managers, remote access, and industry-specific applications. 

If that list is not documented, offboarding becomes incomplete. 

This is especially risky when departments manage their own software without IT involvement. The business may not have a complete inventory of who has access to what. 

Over time, this creates “shadow IT” — tools, subscriptions, and accounts being used without centralized visibility. 

Shadow IT makes security harder, increases costs, and complicates offboarding. 

Missing Security Training 

New employees should not receive access to business systems without understanding basic security expectations. 

Security awareness training should happen early, not months later. 

At minimum, new employees should understand: 

    • How to recognize phishing emails 
    • How to report suspicious messages 
    • Why Multi-Factor Authentication matters 
    • How to handle password safety 
    • Why shared passwords are risky 
    • How to verify payment or banking changes 
    • What to do if a device is lost or stolen 
    • What company data can and cannot be stored locally 

Cybersecurity is not only an IT responsibility. Every employee plays a role. 

Click to learn more about our Security Assessment & Training

Why Messy Offboarding Creates Cybersecurity Gaps

Offboarding should be fast, complete, and consistent. 

When an employee leaves, especially under difficult circumstances, access should be removed quickly and company data should be protected. 

But if onboarding was poorly documented, offboarding becomes risky. 

Former Employees With Active Accounts 

Former employee accounts are one of the most common security gaps. 

An account may remain active because: 

    • Nobody told IT the employee left 
    • The account was needed temporarily for email access 
    • The manager wanted files recovered first 
    • The account was overlooked 
    • The employee had multiple accounts 
    • The account was tied to a shared service 

Active former employee accounts create unnecessary risk. If the password is reused, stolen, or guessed, attackers may gain access to company systems through an account nobody is watching. 

A good offboarding process should disable accounts promptly and preserve needed data in a controlled way. 

Old Devices That Were Never Returned 

Company laptops, desktops, phones, tablets, access cards, and external drives should be tracked. 

If devices are not assigned properly during onboarding, the business may not know what needs to be returned during offboarding. 

This creates several risks: 

    • Company data may remain on old devices 
    • Devices may still have saved passwords 
    • Remote access tools may remain installed 
    • Email or cloud storage may still be accessible 
    • Hardware assets may be lost 

Device tracking does not need to be complicated, but it does need to exist. 

Remote Access That Was Never Removed 

Remote access is essential for many businesses, but it must be tightly controlled. 

Former employees should not retain access to VPNs, remote desktop tools, cloud applications, or administrative portals. 

Remote access gaps are especially common when businesses use multiple tools or allow vendors and employees to connect from different systems. 

Offboarding should include a remote access review. 

That means checking: 

    • VPN users 
    • Remote desktop access 
    • Cloud application access 
    • Admin portals 
    • Vendor systems 
    • Remote support tools 
    • Personal devices connected to company accounts 

Email Forwarding Rules and Shared Mailboxes 

Email is often one of the trickiest parts of offboarding. 

A manager may want access to a former employee’s mailbox. A client-facing employee may need email forwarded temporarily. A shared mailbox may need to be updated. 

If this is handled informally, problems can occur. 

Common issues include: 

    • Former employee mailbox left active too long 
    • Email forwarding set up without review 
    • Shared mailboxes not updated 
    • Auto-replies missing or outdated 
    • Delegated access not removed later 
    • Mailbox rules hiding or forwarding messages externally 

Email offboarding should balance business continuity with security. 

Vendor and SaaS Accounts That IT Never Knew About 

One of the hardest offboarding problems is removing access from tools IT never knew existed. 

Employees may sign up for software using their business email address and manage it directly with a department credit card or personal card. 

Examples may include: 

    • Marketing tools 
    • Project management platforms 
    • Design software 
    • File sharing tools 
    • Scheduling apps 
    • Vendor portals 
    • AI tools 
    • Browser extensions 
    • Industry-specific applications 

If those tools are not documented, access may remain open after the employee leaves. 

This is why software inventory and access documentation are so important. 

What a Clean IT Onboarding Process Should Include

A clean onboarding process gives employees what they need while reducing unnecessary risk. 

It should be consistent, documented, and tied to the employee’s role. 

A strong IT onboarding process should include: 

    • Approved start date
    • Employee role and department
    • Manager approval
    • Required hardware
    • Required software
    • Microsoft 365 account setup
    • MFA setup
    • Email groups and shared mailbox access
    • File and folder permissions
    • Remote access requirements
    • Security awareness training
    • Password manager setup if applicable
    • Device encryption and security tools
    • Documentation of all accounts created

The goal is not to create red tape. The goal is to make sure employees are productive without creating avoidable security gaps. 

What a Clean IT Offboarding Process Should Include 

A clean offboarding process should happen quickly and consistently. 

Depending on the situation, some steps may need to happen immediately. 

A strong offboarding checklist should include: 

    • Disable Microsoft 365 account access 
    • Revoke active sessions 
    • Remove MFA devices 
    • Change shared passwords if any were used 
    • Remove VPN and remote access 
    • Remove access to business applications 
    • Remove shared mailbox access 
    • Review email forwarding 
    • Preserve needed mailbox and OneDrive data 
    • Collect company devices 
    • Disable local computer access 
    • Remove access to password managers 
    • Remove vendor and SaaS accounts 
    • Transfer ownership of files or calendars if needed 
    • Update documentation 
    • Review admin rights 
    • Confirm completion with management 

Offboarding is not just an HR task. It is a cybersecurity control.

Microsoft 365, Passwords, Devices, and Access Control

Most modern onboarding and offboarding problems center around four areas: Microsoft 365, passwords, devices, and access control. 

Microsoft 365 

Microsoft 365 should be managed carefully because it often includes email, files, Teams, SharePoint, OneDrive, calendars, and collaboration tools. 

User accounts should be created with appropriate permissions and protected with MFA. 

When employees leave, accounts should be disabled, sessions revoked, and data preserved appropriately. 

Passwords 

Passwords should not be shared informally. 

Businesses should avoid storing passwords in spreadsheets, browsers, sticky notes, or shared documents. 

Where possible, employees should use individual accounts and approved password management tools.

Devices 

Every company-owned device should be assigned, secured, monitored, and returned when the employee leaves. 

Devices should be encrypted, protected with endpoint security, and kept updated. 

Access Control 

Access should be based on job responsibility. 

Employees should not automatically receive access to everything. Access should be approved, documented, and reviewed. 

This becomes especially important for businesses with remote employees, multiple locations, or teams working across South Florida and Middle Tennessee.

What We Commonly See During Cybersecurity Assessments

Many onboarding and offboarding risks are not obvious until someone reviews the environment. 

During cybersecurity assessments, common issues include: 

    • Former employees still have active accounts 
    • MFA is enabled for some users but not enforced consistently 
    • Shared passwords are still being used 
    • Microsoft 365 groups and permissions are outdated 
    • Devices are not fully documented 
    • Remote access accounts were never removed 
    • Users have more access than they need 
    • Admin rights are too broad 
    • Software subscriptions are unknown or unmanaged 
    • Email forwarding rules were created and never reviewed 
    • Security training was not completed during onboarding 
    • Personal devices are accessing company data without clear controls 

These issues usually build slowly over time. 

They are not always obvious during daily operations, but they can create serious risk during employee turnover, cyber insurance renewal, ransomware incidents, Business Email Compromise attempts, or compliance reviews. 

Why This Matters for Small and Mid-Sized Businesses

Large companies usually have dedicated HR, IT, compliance, and security teams. 

Small and mid-sized businesses often do not. 

That means onboarding and offboarding may be handled by a combination of owners, managers, HR staff, office managers, and outside IT support. 

Without a clear process, things get missed. 

For growing businesses, this becomes even more important. Every new employee, new device, new office, new software subscription, and new remote worker adds complexity. 

This is especially true for businesses expanding across multiple locations or between states. 

Network Computer Pros supports organizations across South Florida and Middle Tennessee, where many businesses are growing, hiring, opening new offices, and supporting hybrid teams. 

The more your business grows, the more important it becomes to standardize onboarding and offboarding.

How Network Computer Pros Helps Businesses Create Better IT Processes

Network Computer Pros helps small and mid-sized businesses improve the IT processes behind employee onboarding, offboarding, cybersecurity, Microsoft 365 management, help desk support, and managed IT services. 

Our approach is practical and vendor-neutral. 

We help businesses review: 

    • Microsoft 365 user setup
    • MFA enforcement
    • Employee onboarding steps
    • Former employee offboarding
    • Device assignment and tracking
    • Remote access
    • User permissions
    • Administrator access
    • Email security
    • Security awareness training
    • Backup and disaster recovery readiness
    • IT documentation

The goal is to help businesses reduce avoidable security gaps and make IT easier to manage as the company grows. 

Network Computer Pros supports businesses throughout South Florida and Middle Tennessee. 

In South Florida, we support businesses in: 

    In Middle Tennessee, we support businesses throughout: 

    Whether your business is hiring new employees, opening another office, supporting remote workers, or cleaning up old access, better IT processes can reduce risk and make day-to-day operations smoother. 

    Click to learn more about our:

    Managed IT Services

    Cybersecurity Services

    Help Desk Support

    Security Assessment & Training

    Tennessee IT Consultation

    Frequently Asked Questions About Employee Onboarding, Offboarding, and IT Security 

    Why does employee onboarding matter for cybersecurity?

    Employee onboarding matters because it determines which systems, devices, accounts, and data a new employee can access. If access is not set up correctly, the business may create unnecessary cybersecurity risk from day one. 

    Why does bad onboarding make offboarding harder?

    Bad onboarding makes offboarding harder because the business may not know exactly what access the employee had. If accounts, devices, software, and permissions were never documented, it becomes much harder to remove everything when the employee leaves. 

    What should be included in an IT onboarding checklist?

    An IT onboarding checklist should include Microsoft 365 setup, MFA, device assignment, email groups, file permissions, software access, remote access, security training, password procedures, and documentation of all accounts created. 

    What should be included in an IT offboarding checklist?

    An IT offboarding checklist should include disabling accounts, revoking sessions, removing remote access, collecting devices, preserving needed data, removing software access, reviewing email forwarding, changing shared passwords, and updating documentation. 

    Should every employee have their own login?

    Yes, whenever possible. Individual accounts improve security, accountability, access control, and offboarding. Shared logins should be avoided because they make it difficult to know who accessed a system and whether former employees still have access. 

    What are the risks of former employees keeping access?

    Former employees with active access can create security, privacy, compliance, and business continuity risks. Even if the employee has no bad intent, an active unused account can be compromised by attackers.

    How does Microsoft 365 affect onboarding and offboarding?

    Microsoft 365 often contains email, files, Teams, SharePoint, OneDrive, calendars, and company communication. Because it holds so much business data, Microsoft 365 accounts should be created carefully and disabled promptly when employees leave.

    Can poor offboarding affect cyber insurance?

    It can. Cyber insurance applications may ask about MFA, user access, administrator accounts, offboarding procedures, and security controls. Former employee accounts, shared logins, or unmanaged access may create issues during renewal or after an incident.

    How can managed IT services help with onboarding and offboarding?

    Managed IT services can help standardize employee setup, secure accounts, configure devices, manage Microsoft 365, document access, remove former employee accounts, and keep systems monitored as the business grows. 

    Does Network Computer Pros help businesses clean up old employee access?

    Yes. Network Computer Pros helps businesses review Microsoft 365 accounts, user permissions, remote access, devices, security settings, and old accounts that may no longer be needed. 

    Not Sure Whether Former Employees Still Have Access?

    Employee turnover is normal. 

    Security gaps from employee turnover should not be. 

    If your business is not completely sure which former employees, vendors, devices, or old accounts still have access, it may be time to take a closer look. 

    A Cybersecurity Assessment can help review Microsoft 365 accounts, user permissions, remote access, devices, administrator rights, and other access points that may have built up over time. 

    For businesses in South Florida and Middle Tennessee, Network Computer Pros can help identify practical IT and cybersecurity gaps before they create bigger problems. 

    If you are not sure whether old access is still open, that question is worth answering before an incident, renewal, or employee departure forces the issue.