Category: Digital Infrastructure
Reading time: Approximately 8 minutes
Author: Kaiah Digital
Published: 2026
According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches involved the human element — including misuse of access privileges by current and former personnel [13].
When a professional firm hires a new employee, the process is well understood. There is a contract, an induction, and a clear record of the engagement. When that same employee leaves, the digital dimension of that departure is often handled inconsistently — or not at all.
Email accounts remain active. Google Drive access persists. Shared passwords are never changed. Login credentials to client portals and billing systems sit in the memory of someone who no longer works for the organisation — and in some cases, someone who left under difficult circumstances.
This is one of the most prevalent and underappreciated operational risks in small professional firms, and it is almost entirely preventable through structured administrative oversight.
What Is Access Lifecycle Management?
Access lifecycle management refers to the structured process of controlling who has access to digital systems throughout the full arc of their relationship with an organisation — from the moment they are onboarded to the moment they leave.
In a properly managed environment, this includes:
- A defined onboarding process that grants access only to systems relevant to each role.
- Regular access audits that confirm who has access to what, and whether that access is still appropriate.
- A documented offboarding checklist that revokes access across all platforms immediately upon departure.
- Multi-factor authentication enforced so that retained credentials cannot be used without a second verification factor.
- Separation of administrative credentials from general user accounts.
Most small professional firms have none of these processes formally documented or consistently followed. Access is granted informally, rarely reviewed, and frequently never revoked when relationships end.
Why This Problem Is More Common Than Most Firms Realise
A 2022 survey conducted by Beyond Identity found that 83% of respondents said they retained access to accounts from a previous employer, and 56% admitted to using that access after leaving [9]. These are not cybercriminals — they are ordinary former employees who were simply never removed from systems.
The problem is compounded in firms that rely on shared accounts or informal password management. When a single email account is used by multiple team members, offboarding one person does not naturally trigger a credential reset — it requires deliberate administrative action that many firms do not have a process for.
The IBM Cost of a Data Breach Report 2023 found that breaches caused by compromised credentials had an average total cost of $4.62 million, with detection and containment timelines averaging 292 days [10]. For a small professional firm, even a fraction of that exposure would be significant.
“The most dangerous access is not from an outside attacker. It is the login credentials that were never revoked from someone who left six months ago.”
The Practical Reality in Professional Practice Settings
Consider the following scenarios, each representing a documented category of access-related incident in professional services environments:
Scenario 1: The Departed Team Member
A paralegal at a law firm leaves to join a competing practice. Their Google Workspace account is deactivated within 48 hours, but their access to three shared client folders — added informally six months earlier — is never reviewed or removed. Those folders remain accessible through a personal account for months.
Scenario 2: The Shared Admin Account
A small accounting firm uses a single shared email for administrative correspondence. Over four years, the password has been shared with seven staff members, three of whom have left. The password has never been changed because updating all connected services would be too disruptive. There is no record of who currently knows the credentials.
Scenario 3: The Freelance Contractor
A marketing consultant is engaged for six months and given access to Google Drive, an email marketing platform, and the website backend. The engagement ends. Two years later, those accounts are still active. Nobody has a clear record of what was shared.
None of these scenarios require a sophisticated attacker. They are administrative gaps that accumulate quietly in any organisation that treats digital access as an afterthought rather than an operational function.
The Regulatory Dimension
For professional firms, unmanaged access is not just an operational risk — it can carry regulatory consequences.
Legal practices in many jurisdictions have professional obligations to protect client confidentiality. In Barbados, the Legal Profession Act imposes duties of confidentiality that extend to digitally stored and transmitted information. In the United States, ABA Model Rules of Professional Conduct Rule 1.6 requires lawyers to make reasonable efforts to prevent unauthorised access to client information [11].
For firms handling data of EU residents under GDPR, Article 32 requires appropriate technical and organisational measures to ensure data security, including controls on who can access personal data [12].
Allowing former employees indefinite access to systems containing client data, simply because no offboarding process exists, is unlikely to be considered a reasonable measure by any regulatory body.
What a Properly Managed Access Environment Looks Like
- Every user account is tied to an individual — no shared credentials for sensitive systems.
- Access is provisioned by role — new staff receive only what their position requires.
- A departure checklist is followed without exception for every departure, voluntary or otherwise.
- Multi-factor authentication is enforced on all accounts, particularly email and file storage.
- An access audit is conducted at minimum quarterly, reviewing all permissions against current staff roles.
- Administrative credentials are held separately and are not shared casually.
The goal is not to make access difficult. It is to make access deliberate — so that every person who can access your systems has a documented reason to be there, and every person who leaves takes nothing with them except their professional experience.
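The quarterly audit in the list above is, in practice, a reconciliation of an access inventory against the current staff roster. The following is an added example (not Kaiah Digital's own tooling); the roster, account names and dates are constructed, and the check flags the three scenario types described earlier (departed staff, shared credentials, expired contractors) plus accounts without MFA.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One person's access to one account on one system."""
    system: str
    account: str                 # the identity the system sees (mailbox, login)
    holder: str                  # the person who actually holds the credential
    mfa: bool
    ends: Optional[date] = None  # engagement end date for contractors, else None

# Constructed sample data (not real accounts): the current roster and the
# access inventory a review would compare it against.
CURRENT_STAFF = {"a.lee", "m.khan", "r.gomez"}
INVENTORY = [
    Grant("Google Workspace", "a.lee@firm.example", "a.lee", True),
    Grant("Google Drive", "Client folder: Acme", "j.brown", True),   # left last year
    Grant("Email", "admin@firm.example", "a.lee", False),            # shared mailbox
    Grant("Email", "admin@firm.example", "m.khan", False),
    Grant("Email", "admin@firm.example", "t.ng", False),             # former staff
    Grant("Email marketing platform", "marketing@firm.example", "consultant",
          True, ends=date(2023, 12, 31)),                            # engagement over
]

def review_access(inventory, current_staff, today):
    """Return sorted (finding, system, subject) tuples for an access review."""
    findings = set()
    by_account = {}
    for g in inventory:
        by_account.setdefault((g.system, g.account), []).append(g)
        if g.ends is not None:
            if g.ends < today:                    # Scenario 3: contractor not removed
                findings.add(("expired-contractor", g.system, g.holder))
        elif g.holder not in current_staff:       # Scenario 1: departed team member
            findings.add(("orphaned", g.system, g.holder))
    for (system, account), grants in by_account.items():
        holders = sorted({g.holder for g in grants})
        if len(holders) > 1:                      # Scenario 2: shared credential
            findings.add(("shared-credential", system, "+".join(holders)))
        if not all(g.mfa for g in grants):        # MFA gap on the account itself
            findings.add(("no-mfa", system, account))
    return sorted(findings)

def sample_review():
    """Run the review over the constructed data as of a fixed audit date."""
    return review_access(INVENTORY, CURRENT_STAFF, date(2024, 4, 1))

if __name__ == "__main__":
    for finding, system, subject in sample_review():
        print(f"{finding:<20} {system:<25} {subject}")
```

Each finding maps to one offboarding action: revoke the orphaned grant, rotate and individualise the shared credential, close the contractor's account, and enforce MFA on the account that lacks it.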
The Administrative Overhead Problem
The most common reason small professional firms do not maintain structured access management is not indifference — it is capacity. The administrative work of maintaining access records, conducting audits, and managing offboarding falls to whoever is available, and in a small firm, that person is often already at full capacity.
This is precisely where structured outsourced oversight adds operational value. When access lifecycle management is handled as part of a formal service arrangement — with documented processes, scheduled audits, and clear accountability — it stops being something that happens informally and starts being something that happens consistently.
The cost of managing this proactively is a fraction of the cost of managing the consequences of not doing so.
How Kaiah Digital Addresses This
Access lifecycle management is a core component of all Kaiah Digital infrastructure service plans. As part of our structured onboarding, we document all existing accounts and access permissions, identify gaps, and implement a policy baseline appropriate to the organisation’s size and risk profile.
Ongoing services include structured user onboarding and offboarding, MFA enforcement, quarterly access audits, and permission reviews. Every action is documented, and our clients maintain a clear record of who has access to what at all times.
This is not a reactive service — it is a preventative one. And in professional services, prevention is almost always the more cost-effective choice.
References
[9] Beyond Identity (2022). The Annual Breach Report: Insider Threat Edition. Beyond Identity Research. https://www.beyondidentity.com/research
[10] IBM Security (2023). Cost of a Data Breach Report 2023. IBM Corporation. https://www.ibm.com/reports/data-breach
[11] American Bar Association (2023). Model Rules of Professional Conduct: Rule 1.6. American Bar Association. https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/
[12] European Parliament and Council (2016). GDPR: Article 32 — Security of Processing. Official Journal of the European Union. https://gdpr-info.eu/art-32-gdpr/
[13] Verizon (2023). Data Breach Investigations Report 2023. Verizon Business. https://www.verizon.com/business/resources/reports/dbir/
This article was prepared by Kaiah Digital. Visit kaiahdigital.net. For educational purposes only. Does not constitute legal or cybersecurity advice.