📋 GRC compliance for CMMC 2.0, CPCSC, CPA Canada, IIROC…SaaS discovery for data governanceFree enriched web chat widget🚀 Enriched remote support without your laptop

Security moment

An employee is leaving.
Are your files leaving too?

Most data theft by departing employees happens in the weeks before the resignation letter. Here's the offboarding checklist that protects your data and your legal position — free to follow, no signup required.

Get a forensic review See the checklist

Suspect active exfiltration right now? Call ThreeShield: 1-403-538-5053

The offboarding checklist

1. Preserve first, disable second

Before you disable anything, place the mailbox on litigation hold, snapshot the OneDrive, and export the user's audit log activity. Deleting the account 30 days after departure is normal — discovering you needed the logs on day 45 is expensive. Preservation costs you an hour; it can save a lawsuit.

2. Review SharePoint and OneDrive activity for the last 30–60 days

Search the audit log for mass downloads, bulk sync of libraries the person rarely touched, and files copied out of team sites into their personal OneDrive. A sales rep syncing the entire CRM export folder two weeks before resigning is the classic pattern.

3. Check external shares they created

Anonymous links and shares to personal addresses outlive the account. List every external sharing link the user created recently, note where each points, and revoke the ones with no business purpose. This is the exfiltration channel people forget.

4. Look for forwarding rules and USB copies

Check for inbox rules or mailbox forwarding to a personal address — often set up weeks in advance. If the person had a company laptop, review USB device history and large local copies before the machine is reimaged for the next hire.

5. Revoke everything, not just the password

On the end date: disable the account, revoke sessions and refresh tokens, remove MFA methods, revoke app passwords and OAuth grants, and kill any shared links tied to the account. Don't forget third-party SaaS tools that authenticate outside Microsoft 365.

6. Document a chain of custody

If anything looks wrong, write down what you found, when, who accessed the evidence, and how it was stored — before you tell anyone outside IT and HR. Evidence handled casually gets challenged; a simple dated log of who touched what keeps your findings usable in a legal dispute.

Know before they hand in notice

SharePoint & OneDrive monitoring

Lavawall watches for mass downloads, unusual sync activity, and new external shares — with actor attribution — so the collection phase gets flagged while the person still works for you.

Learn more →

On-prem file change monitoring

The same visibility for your file servers: who read, copied, changed, or deleted what, and when. Your offboarding review takes minutes instead of a log-diving afternoon.

Learn more →

M365 breach detection

Forwarding rules, suspicious sign-ins, and token abuse are also how departing employees keep access after their last day. Lavawall alerts on all of it.

Learn more →

Need findings that hold up in a dispute?

ThreeShield — the CISSP/CISA team that builds Lavawall — performs forensic reviews of departing-employee activity and delivers evidence-quality reporting with documented chain of custody, ready for your lawyer or insurer.

Common questions

Should I disable the account immediately?
Disable access on the end date, but preserve first: audit logs, mailbox, OneDrive. Deleting too aggressively can destroy the evidence you'd need if files turn out to have left with them.
How far back should I look?
At least 30 days; 60 or 90 if the departure is contentious or the role had access to sensitive data. People who plan to take files usually start collecting before they hand in notice.
Can someone produce a report we could use in a legal dispute?
Yes — ThreeShield performs forensic reviews of departing-employee activity and produces evidence-quality reporting with a documented chain of custody.

Start monitoring free