A surprising number of cyber-insurance claims and small-business breaches trace back not to sophisticated attacks but to old accounts that should have been disabled and were not. A former employee's M365 account. A shared admin password that nobody rotated. An OAuth consent granted to a personal app three years ago. A forgotten VPN credential. A long-unused signatory account at the bank.
The technical offboarding checklist is well-documented and not particularly novel. What goes wrong at northern Alberta SMBs is rarely the checklist itself. What goes wrong is the process discipline around exits in tight-knit communities where firings are rare, where the departing employee is often a neighbour, a friend, or a family member of one, and where the conversation around the exit is emotionally weighted in a way that office workers in Edmonton or Calgary rarely experience.
This article is the honest version. The 18-point technical checklist. The political reality of exits in small communities. The contractor and seasonal-worker edge cases. And a 24-hour timeline showing what gets done when.
The 18-point offboarding checklist
This is the working list for a typical M365-based SMB. Adapt for Google Workspace or other stacks as needed. Every item gets checked off, in writing, by a named person.
1. M365 / Google Workspace user license — block sign-in immediately (faster than license removal), then convert to shared mailbox or archive within 30 days
2. MFA tokens revoked — remove authenticator app registrations and any FIDO2 security keys from the identity provider
3. Active sessions terminated — force sign-out across all devices in the identity console
4. Email forwarding stopped — check the user's mailbox rules for auto-forwards to personal addresses, remove them
5. OAuth app consents pulled — review and revoke third-party app permissions the user granted on their own behalf
6. Shared mailbox and group memberships — remove from distribution lists, shared mailboxes, Teams, security groups, SharePoint sites
7. VPN credentials revoked — disable the account in the firewall or remote-access platform, revoke any device certificates
8. RMM / endpoint management agent — wipe or re-image the device, then remove it from the management console
9. Password rotations on shared accounts — every shared password the user had access to: rotate immediately, log in the password manager
10. Privileged accounts — if the user held any admin role anywhere, audit every action in the past 30 days before disabling
11. SaaS app accounts — itemize every third-party SaaS (accounting, CRM, design, project management) the user touched and disable each one
12. File ownership reassignment — transfer ownership of OneDrive, SharePoint, Google Drive files to a manager before deactivation
13. Physical badges and keys — collect, log, and either return to inventory or destroy
14. Equipment return — laptop, phone, hardware tokens, secure storage devices, vehicle if applicable, signed return receipt
15. Banking signatories and corporate cards — for anyone with signing authority, contact the bank to remove. Cancel corporate cards.
16. Vendor portal access — equipment supplier portals, insurance broker portals, supplier login pages — anywhere the user was a named contact
17. Customer-facing handoff — update voicemail, email auto-reply, CRM ownership, and direct customers to a successor contact
18. Documented exit record — date, who completed each item, anomalies noted, archived for the standard records-retention period
For an organized SMB, the technical portion of this list takes 60 to 90 minutes of focused work. The non-technical portion (equipment return, banking, customer handoff) takes longer because it depends on other people.
The political problem in small communities
In Edmonton or Calgary, an employee exit is impersonal. The IT team disables the account at 4:30 PM, HR processes the paperwork, and most coworkers will not see the departing employee again. None of that is true in Mackenzie County, La Crete, or the broader Peace River region. The departing employee's spouse runs the next business over. Their kids go to school with yours. They will be at the same coffee shop tomorrow morning. The pastor knows everyone involved.
This creates real and recurring failure modes:
- The owner delays the technical lockout because "we are still friends, I will give them a few days." Those few days are the highest-risk window in the entire employment relationship.
- The shared-password rotation gets skipped because rotating it feels like an accusation. It is not. It is the standard control.
- The vendor portal access stays in place because nobody wants to make the call. The departing employee remains on the vendor's contact list for years.
- The equipment return becomes a negotiation. The laptop sits in the employee's home for six weeks. During those six weeks, the laptop has business data, business email, and possibly active sessions.
The fix is not to be cold about the exit. The fix is to separate the relationship (which can remain warm) from the process (which has to be complete). Honour the person. Complete the checklist. Both are possible.
A practical phrasing for the owner: "Standard procedure for any exit is this checklist, regardless of how it ends. None of it reflects on you. It is the same list we will follow for anyone, including me, when the day comes." Most people accept this because most people understand that systems and process protect everyone, including the person leaving.
Contractors and seasonal workers — the edge case
Ag and oilpatch operations both run on seasonal labour. Many positions are filled by contractors, sub-contractors, or short-term hires whose access ends not at a formal "exit" but at the end of a season or a job. The offboarding checklist still applies. The discipline often does not.
Common patterns that go wrong:
- A summer student in the office had a guest M365 account. The account is still active two years later because nobody documented who was supposed to clean it up.
- A contracted controls technician was given the OT VPN credential. The credential is still working because it was never tied to a specific person, just shared between contractors.
- A seasonal yard worker had a building-access fob. The fob was never collected because the worker simply did not show up the next year.
The disciplined approach for seasonal and contractor relationships is to time-box every access at the moment of issue. M365 guest accounts get a 90-day expiry. VPN credentials are named, not shared, and expire at the documented end of the contract. Access fobs are issued against a deposit and tracked by serial number. None of this is novel security theory. It is operational hygiene.
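The 90-day guest expiry above has no built-in switch in M365, so it has to be enforced by a scheduled job. The script below is an added example (not the page's or Peace Country Cyber's own code) that disables, rather than deletes, every guest account created more than the cutoff ago; it assumes the Microsoft.Graph PowerShell SDK, the User.ReadWrite.All scope, and a hypothetical exemption list for guests whose renewal was documented.

```powershell
# Added example, not the page's own code: enforce a fixed time-box on M365
# guest accounts by disabling any guest older than $MaxAgeDays. Disabling is
# reversible; deletion is left to the documented exit record. Assumes the
# Microsoft.Graph module and User.ReadWrite.All. $ExemptUpn is a hypothetical
# list of guests whose renewal someone has signed off on in writing.
param(
    [int]$MaxAgeDays = 90,
    [string[]]$ExemptUpn = @(),
    [switch]$ReportOnly          # list what would be disabled, change nothing
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)

# Pull every guest with the three fields the decision needs.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,CreatedDateTime,AccountEnabled

$expired = foreach ($g in $guests) {
    if (-not $g.AccountEnabled)                 { continue }  # already handled
    if ($g.CreatedDateTime -gt $cutoff)         { continue }  # still inside its window
    if ($ExemptUpn -contains $g.UserPrincipalName) { continue }  # documented renewal
    [pscustomobject]@{
        Upn     = $g.UserPrincipalName
        Created = $g.CreatedDateTime
        AgeDays = [int]((Get-Date).ToUniversalTime() - $g.CreatedDateTime).TotalDays
    }
}

foreach ($e in $expired) {
    if (-not $ReportOnly) {
        Update-MgUser -UserId $e.Upn -AccountEnabled:$false
    }
}

# The printed table is the written record the checklist asks for: who was
# disabled, when they were created, and how far past the time-box they were.
$expired | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Run it once with -ReportOnly to confirm the list matches what the issuing records say before letting a scheduled task run it unattended.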
A 24-hour timeline
Here is what a clean offboarding looks like in practice, assuming a planned voluntary or involuntary exit.
Hour 0 (during the exit conversation). Owner conducts the exit conversation. At the close of the conversation, IT is signaled — usually a single text message — to begin the technical lockout. The departing employee is not yet back on the office floor.
Hour 0 to 1. IT executes items 1 through 7 on the checklist: identity provider sign-in block, MFA revoke, session termination, mail forwarding check, OAuth review, group memberships, VPN revoke. This is the highest-risk window. It closes fast.
Hour 1 to 4. Item 8 onward: device collection, RMM agent removal, shared-password rotations on every account the user touched, physical badges, equipment return. Done by end-of-day where possible.
Day 1 to 7. SaaS app cleanup, vendor portal updates, customer handoff, banking signatory updates, file ownership reassignment, documented exit record.
Day 7 to 30. Mailbox conversion or archive, license reallocation, final review of audit logs for the user's last 30 days of activity, sign-off on the completed checklist.
Done in that sequence, an exit closes cleanly with minimal residual risk. Done out of sequence — or with items skipped because they felt awkward — exits become the most common single source of preventable SMB security failures.
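The Hour 0 to 1 block, checklist items 1 through 7, is the part worth scripting so that the single text message from the owner is all it takes. The script below is an added example (not the page's or Peace Country Cyber's own code) for an M365 tenant; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an operator holding the roles those calls require. VPN revocation lives in the firewall, so it is recorded as an open item rather than automated.

```powershell
# Added example, not the page's own code: the "Hour 0 to 1" lockout (checklist
# items 1-7) for one M365 user. Every step appends to a log line so the
# written, named-person record the checklist requires exists by default.
param([Parameter(Mandatory)][string]$Upn)

$scopes = 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All',
          'DelegatedPermissionGrant.ReadWrite.All','GroupMember.ReadWrite.All','Directory.Read.All'
Connect-MgGraph -Scopes $scopes | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName
$log  = [System.Collections.Generic.List[string]]::new()

# 1. Block sign-in first: faster than pulling the license, and it stops new tokens.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$log.Add('sign-in blocked')

# 2. Remove authenticator-app and FIDO2 registrations so a later re-enable
#    cannot be completed with the departed person's own second factor.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id | ForEach-Object {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    $log.Add("authenticator method removed: $($_.Id)") }
Get-MgUserAuthenticationFido2Method -UserId $user.Id | ForEach-Object {
    Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $_.Id
    $log.Add("FIDO2 key removed: $($_.Id)") }

# 3. Invalidate refresh tokens: every signed-in device must authenticate again, and cannot.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$log.Add('sessions revoked')

# 4. Mailbox-level forwarding plus any inbox rule that forwards or redirects.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Upn | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } | ForEach-Object {
    $log.Add("forwarding rule removed: $($_.Name)"); Remove-InboxRule -Identity $_.Identity -Confirm:$false }

# 5. OAuth consents the user granted on their own behalf.
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    $log.Add("oauth grant revoked: client $($_.ClientId) scope '$($_.Scope)'")
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

# 6. Group memberships. Dynamic and Exchange-managed distribution groups reject
#    this call; they are logged as manual items instead of being silently skipped.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } | ForEach-Object {
        $g = $_
        try { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop; $log.Add("removed from group $($g.Id)") }
        catch { $log.Add("MANUAL: group $($g.Id) not removable via Graph: $($_.Exception.Message)") } }

# 7. VPN is outside M365; keep it visible on the record until someone closes it.
$log.Add('MANUAL: disable VPN account and revoke device certificate on the firewall')

$log | ForEach-Object { "$(Get-Date -Format o) $Upn $_" } | Tee-Object -FilePath ".\offboard-$($Upn -replace '[^\w.]','_').log"
```

The log file it writes is the start of the documented exit record (item 18); the MANUAL lines are the items a named person still has to close by hand.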
The honest pitch
Most northern Alberta SMBs we work with do not have a written offboarding procedure. They have a habit, usually carried in the head of the owner or the IT contact, and the habit is incomplete in predictable ways. Writing it down once, then following it every time, costs almost nothing and closes a significant share of the avoidable risk most insurance carriers ask about.
If you want a starting point rather than building it from scratch, the offboarding checklist is one of the items inside our free 30-item Compliance Checklist. Self-administered, downloadable, scored.
Peace Country Cyber publishes the free 30-item Compliance Checklist covering offboarding, MFA, backup, training, and the rest of the standard SMB security baseline. Download it.