News & Insights | January 3, 2024
Onboarding and Offboarding: A Quiet but Real Cybersecurity Risk
Onboarding and offboarding look simple, which is exactly why they get mishandled. A role-based checklist closes the security gap and gets new hires productive on day one.
By Resolved Team
A new structural engineer starts Monday. By Tuesday they still cannot open the project files, the Revit license has not been assigned, and the senior engineer meant to mentor them has spent two days chasing IT instead of doing their own work. Meanwhile, three weeks ago someone left the firm, and nobody is entirely certain their access was ever fully removed.
Both of these are the same problem wearing different clothes: onboarding and offboarding without a defined process. It looks simple, which is exactly why it gets mishandled.
The fix is boring, and it works: a checklist
There is really only one reliable solution, and it is not glamorous. A role-based checklist. Without a clear definition of which applications, systems, file permissions, and vendors each role needs, every new hire’s setup becomes improvised, and every departure becomes a guess.
A good checklist is built around roles, not individuals. A drafter, a project manager, a principal, and a bookkeeper each need a different, predefined set of access. Define it once and both ends of the employee lifecycle stop being a scramble.
Why offboarding is where the real risk lives
When someone leaves, especially abruptly, the request is usually “cut their access, fast.” Fast and undefined is the dangerous combination. Without a list, it is easy to disable the obvious things and miss the rest:
- Email and calendar
- The design and project applications they used (and the licenses you are still paying for)
- Building or door access
- Third-party and web apps tied to their work
- Access from personal devices
Miss any of these and a former employee can still reach your systems, your project data, and your building, often for months, without anyone noticing. A checklist that spells out everything to remove turns that scramble into a five-minute, near-zero-error routine.
Onboarding: the cost shows up as lost time
Get onboarding wrong and the bill is paid in billable hours. A new designer who cannot open files, run their software, or reach the project archive starts the job behind, and the senior person assigned to bring them up to speed loses their week to it instead of their own work. Multiply that across a growing firm and it is real money.
There is a flip side, too. When access is not defined by role, you get the opposite failure: a brand-new hire who can suddenly see payroll or financials they should never touch. We see both extremes regularly when we take on a new client, and both trace back to the same missing checklist.
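The role-based checklist from the offboarding and onboarding sections above, sketched as an added example in Python; it is not Resolved's tooling. The role names come from the article, while the system names and user records are constructed assumptions.

```python
# Added example: role names and access categories follow the article;
# every system name and user record below is constructed for illustration.
ROLE_BASELINE = {
    "drafter": {"email", "calendar", "revit_license", "project_files", "door_badge"},
    "project_manager": {"email", "calendar", "project_files", "project_archive",
                        "scheduling_app", "door_badge"},
    "principal": {"email", "calendar", "project_files", "project_archive",
                  "financials", "door_badge"},
    "bookkeeper": {"email", "calendar", "payroll", "financials", "door_badge"},
}


def onboarding_gaps(role, granted):
    """Access the role needs that has not been granted yet (day-one blockers)."""
    return sorted(ROLE_BASELINE[role] - set(granted))


def out_of_role(role, granted):
    """Access the person holds that the role definition does not include."""
    return sorted(set(granted) - ROLE_BASELINE[role])


def offboarding_list(role, granted):
    """Everything to revoke: the role baseline plus anything found in inventory.

    Revoking from the baseline alone would miss out-of-role grants, and revoking
    from the inventory alone would miss systems the inventory does not cover.
    """
    return sorted(ROLE_BASELINE[role] | set(granted))


def residual_access(role, granted, revoked):
    """Items still open after a revocation pass; empty means a clean departure."""
    return sorted(set(offboarding_list(role, granted)) - set(revoked))


if __name__ == "__main__":
    # Constructed inventory for a departing drafter.
    held = ["email", "calendar", "revit_license", "project_files",
            "door_badge", "payroll", "personal_phone_mail_sync"]
    print("out of role:", out_of_role("drafter", held))
    print("revoke:", offboarding_list("drafter", held))
    # The "obvious things" pass from the article: email and calendar only.
    print("still open:", residual_access("drafter", held, ["email", "calendar"]))
    # Constructed new hire with only email set up so far.
    print("new hire missing:", onboarding_gaps("drafter", ["email"]))
```

Running `out_of_role` on a schedule, not only at departure, is what surfaces the new hire who can see payroll before it becomes an offboarding surprise.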
What good looks like
A proactive technology partner has already sat down with you to build this: the role definitions, the apps and systems per role, the steps your team handles versus the steps IT handles. The setup usually takes under 30 minutes and saves countless hours and a lot of risk afterward.
At Resolved, this is standard practice for the architecture and engineering firms we support. We document access by role so new people are productive on day one and departures close cleanly, with nothing left open behind them. If your current provider has never walked you through an onboarding and offboarding checklist, that is a gap worth closing now, not after the next hire or the next resignation.