Two ordinary moments quietly create most of the identity risk in a small business: the day someone joins and is handed more access than they need, and the day someone leaves and quietly keeps it. Neither feels like a security event. Both are.
You do not need an identity platform team to handle this well. You need a short, repeatable process for the three moments in every working life: joining, changing roles, and leaving.
Why this matters more than it looks
Access has a way of accumulating and never leaving. The former contractor whose login still works, the ex-employee who can still open the shared drive, the new hire given "the same access as everyone else" on day one: each is a door left unlocked. Attackers actively look for these dormant accounts because nobody is watching them. And because a modern small business runs on a dozen separate apps, access is scattered across all of them, so it is easy to disable someone's email and forget they still have the CRM, the file share, and the accounting tool.
This is also increasingly expected of you. Cyber insurers and larger customers now ask whether you run regular access reviews and remove access promptly when people leave. "We think we got everything" is not a great answer when a claim or a contract is on the line.
The joiner, mover, leaver idea
The simplest way to think about it is the identity lifecycle, sometimes called "joiner, mover, leaver":
- Joiner: give a new person exactly the access their role needs, no more.
- Mover: when someone changes role, add what the new role needs and remove what the old one did.
- Leaver: when someone leaves, remove all of it, the same day.
Most small businesses do the joiner step and skip the other two. That is where risk quietly builds up.
Onboarding: start with least privilege
The goal on day one is to set someone up to do their job and nothing more. A simple standard makes it repeatable:
- Grant access by role, not by copying a person. "Give them the same as Sarah" is how access sprawls. Define what each role needs and assign that.
- Use groups, not one-off grants. Putting people in role-based groups makes access consistent to give and, crucially, easy to remove later.
- Set the essentials at the start: their own individual account, multi-factor authentication enrolled, their device enrolled in management, a password manager seat, and only the apps their role actually uses.
- No shared logins. Individual accounts are what make it possible to remove one person cleanly later.
Role changes: add and remove
When someone moves teams or gets promoted, it is natural to add the new access they need. The step everyone forgets is removing the access they no longer need. Over a few years, that omission is how one long-tenured employee ends up able to touch nearly everything, a problem known as privilege creep. Treat every role change as both an addition and a subtraction.
Offboarding: the same-day checklist
This is the step that matters most and gets rushed most. When someone leaves, especially if the departure is involuntary, work through a set list on their last day, ideally at a set time:
- Disable the identity account first. Turning off their central Microsoft 365 or Google account cuts access to everything connected to it, and does so in one move.
- Kill active sessions and MFA. Sign them out everywhere and remove their MFA methods, so an already-open session cannot linger.
- Rotate any shared secrets they knew. Wi-Fi passwords, shared service logins, door codes: change anything they had that is not tied to their personal account.
- Reclaim and wipe the device. Retire or wipe their laptop and phone through your device management before it walks out the door.
- Preserve their data, do not just delete. Reassign or archive their mailbox and files, and set a forwarding rule or auto-reply, so nothing important is lost.
- Catch the apps outside single sign-on. Any tool they logged into directly, rather than through your main account, has to be removed on its own. These are the ones that get missed.
- Revoke physical access too: building keys, fobs, and alarm codes.
Make it stick
Two habits keep this from decaying. First, write the onboarding and offboarding steps down as checklists, so it does not depend on one person remembering. Second, run a quick access review every quarter: list who has access to your important systems and confirm each person should still be there. That review is what catches the account that should have been removed months ago. And the more you route apps through a single sign-on, the smaller the whole problem gets, because one switch handles most of it.