What Happens to Your Data When an Employee Quits — Most SMB Owners Never Find Out

Thought Leadership Insider Threat

May 2026  ·  8 min read

The moment someone gives their notice, a clock starts ticking. 70% of IP theft happens within 90 days of a resignation. Most small businesses don't know what their departing employees took, what access they still have, or what the next employer just inherited. Here's what the data says — and what to do about it.

---

In March 2025, a research scientist at Yahoo received a job offer from a competitor. Within minutes of accepting it, he downloaded approximately 570,000 pages of proprietary information to his personal devices. Intellectual property, research data, competitive intelligence — files he had legitimate access to right up until the moment he decided to leave. By the time Yahoo's security team identified the exfiltration, the data was already gone.

This case made headlines because Yahoo is a known company. But the same pattern — a departing employee, a download window, an access gap — plays out in small businesses every week. The only difference is that small businesses rarely have the forensic capability to know it happened.

Most SMB owners think the employee departure risk ends when someone hands in their badge. The data says it starts there.

70% of IP theft occurs within 90 days of an employee's resignation announcement Deepstrike / industry research, 2025

67 days average time to detect and contain an insider incident — by which point data is long gone Ponemon Institute, 2026

$4.99M average cost of a malicious insider breach — the most expensive initial attack vector tracked IBM Cost of a Data Breach, 2025

The departure timeline — what's actually happening

Walk through what a typical employee departure looks like in an SMB with no formal offboarding security process. This isn't a worst-case scenario — it's what happens by default when nobody is watching.

Day -14

Employee accepts offer from competitor

Elevated risk window opens

The clock starts before you even know they're leaving. They still have full access to every system, every client file, every contract. And now they have a reason to want some of it. The download activity that gets companies sued typically starts here — before resignation, not after.

"70% of IP theft occurs within 90 days of a resignation announcement — and often begins before that announcement is made." — Deepstrike, 2025

Day 0

Resignation received — HR notified

Two-week notice begins

In most small businesses, the security response at this stage is: nothing. The employee continues working. They retain full access to every system they had before. Two weeks of full, legitimate access to everything they know about your business.

Microsoft's insider risk research specifically identifies the resignation-to-departure window as the highest-risk period for data downloads, file printing, and personal cloud uploads.

Last day

Farewell lunch. Laptop returned. Keys handed in.

Access revocation — maybe

IT disables the main account. Sometimes. If someone remembered to ask. But the CRM login they configured themselves, the project management account they created with their personal email, the shared folder in Dropbox — those don't get swept up in a standard offboarding. They sit there, live, indefinitely.

Day +7

Former employee starts new job — still has access

Active risk, zero visibility

They're sitting at a competitor's desk. Their old login for your CRM still works. Their personal email still receives your shared folder notifications. Whether they use it or not, that access exists and you have no idea it does.

Day +67

Detection — if it happens at all

Average containment timeline

67 days is the current average time to detect and contain an insider incident, per the 2026 Ponemon report. That's over two months of a window most SMBs leave wide open — by which point data is with a competitor, a client list has been used, or credentials have been leveraged that nobody knew were still active.

"Only 12% of insider incidents are contained within 31 days." — Ponemon Institute, 2026

The FinWise Bank case: a former employee's unauthorized access attempts went undetected for over a year — from initial access in mid-2024 to identification in June 2025. The resulting breach triggered multiple class-action lawsuits, with plaintiffs alleging the bank failed to implement basic security controls. The access gap wasn't sophisticated. It was an account that wasn't properly closed when employment ended.

The four types of departure risk — most SMBs only think about one

When SMB owners think about departing employee risk, they picture the disgruntled former employee who deliberately takes something. That person exists. But focusing exclusively on them means the other three categories go unmanaged.

Type 1 — Most visible

The malicious departure

Intentional data theft — client lists downloaded before leaving, IP transferred to a competitor, trade secrets sold. High consequence per incident at $4.99M average. The one everyone worries about.

Type 2 — Most common

The negligent departure

No malicious intent — just files saved to a personal Dropbox "just in case." A work project continued from home. Your data is now on an unmanaged device at their new employer's network.

Type 3 — Most overlooked

The lingering access gap

Nobody stole anything. Nobody did anything wrong. But six months later their login still works on three SaaS tools, their email forwards to a personal account, and their API key is live in your production system.

Type 4 — Fastest growing

The recruited insider

Flashpoint documented 91,321 insider recruiting instances in 2025. Ransomware groups actively approach employees — including those who just resigned — offering payment for access or data before their last day.

It is far more efficient for a threat actor to recruit an insider who can bypass multi-million dollar security stacks than to develop a complex external exploit. Flashpoint identified 91,321 insider recruiting posts in 2025 — averaging 1,162 per month. The departing employee window is when that recruitment is most likely to succeed.

What your departing employee's last 30 days actually look like

Microsoft's insider risk management research is specific about the departure window. In the 30 days surrounding resignation and departure, behavioral signals include: unusual volume of downloads from shared drives, files being printed that were never printed before, data copied to personal cloud storage, and email forwarding rules set up to personal accounts — rules that may persist and continue forwarding after the account is theoretically disabled.

Most small businesses have none of the monitoring to see any of these signals. They don't know what their employee downloaded in their last week. They don't know whether email forwarding was set up. And 67 days later — if ever — something surfaces that tells them what they missed.

The offboarding security checklist most SMBs don't have

Treating employee departure as a security event — not just an HR formality — closes the majority of this risk.

1

Elevate monitoring from the resignation date, not the departure date

The highest-risk window is the notice period. Flag the account for elevated monitoring the moment resignation is received. Unusual download volumes, external email forwards, and personal cloud uploads during this window are the signal, not the aftermath.

2

Build a complete access inventory — not just Active Directory

The risk is everything beyond the main account: every SaaS tool configured directly, every API key generated, every shared folder created, every external service connected under their credentials. You can't revoke what you haven't inventoried. Build the list before the final day.

3

Revoke everything on the final day — not the following Monday

The gap between an employee's last day and when IT processes offboarding is one of the most documented windows for unauthorized access. Same-day revocation is non-negotiable. "We'll sort out the access next week" is how the FinWise case happened.

4

Audit what was accessed in the final 30 days

After departure, review the preceding 30 days. What files did they open? What did they download or email externally? Knowing what left your environment tells you what to protect, which clients may need notification, and whether you have a legal or regulatory obligation to act.

5

Check for forwarding rules and persistent connections

Email forwarding rules set up before departure can continue operating after accounts are disabled. Check for active forwarding rules, OAuth tokens granted to third-party apps, and integrations set up under personal credentials. These are invisible access paths that don't appear in a standard account audit.

Platforms like Veriti Spottr are built to give SMBs the external visibility that makes offboarding security actionable — identifying exposed credentials, monitoring your attack surface for access paths that shouldn't exist, and flagging the gaps that manual offboarding processes miss. You can't revoke access you don't know about. Continuous visibility is what closes that gap.

The exit interview nobody gives

Every HR team conducts an exit interview — asking departing employees what they think about the company, what could be better. Nobody conducts the security equivalent: an audit of what they accessed, what they downloaded, what access points remain live, and what your organization's data exposure looks like in the wake of their departure.

That audit doesn't require accusing anyone of anything. It requires visibility — the same visibility that would tell you, 67 days from now, what you're going to wish you'd looked at today.

Your former employee may have taken nothing. Their access may be completely benign. But right now, you almost certainly don't know — and not knowing is itself the risk.

Know what access exists in your business — and what shouldn't. Veriti Spottr's beta is free.

Join the free beta →

VS

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com