Disabling vs. deleting accounts


The onboarding of new staff isn’t the most exciting part of an MSP tech’s day, but it often means that our clients are growing, which is great! Offboarding departing staff, however, is the unavoidable and fraught flipside.

When notifying us about departing staff, our clients’ natural inclination is to request that we delete the departing staff member’s accounts. “Get it out of here, I never want to see that account again…” is often the tone of the request. While the sentiment is understandable, deleting accounts can leave you blind.

If you delete your account at, say, Facebook, it doesn’t – poof! – disappear. Think about what the disappearance of your account would do to their metrics. Management would be unable to accurately answer questions like, “How many users did we have last month?” or “How much computing power is necessary to provide our service to our userbase?” When you delete your account, your account is only marked as deleted.

Side note: the same principle applies when you delete a file on your computer – it’s only marked as deleted in a database of the files on your computer. Removing the deleted mark for that file in the database is how your computer magically recovers deleted files.

The same principle applies to your business. If we delete the account, we would be unable to answer network security-related questions such as, “What did Betty have access to when she was here?” Nor would we be able to “give the new person access to everything that Betty had access to” as is often requested of us when onboarding new staff.

For those concerned about security, a disabled account is tantamount to a deleted account inasmuch as one cannot authenticate with a disabled account. Maybe one day, someone will find a vulnerability that allows a threat actor to re-enable a disabled account, but if one can flip that bit, the chances are that it’s game over anyway.
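As an added example (not code from the original post), here is how the two points above can be scripted in on-premises Active Directory, which is an assumption since the post names no directory: snapshot the account’s group memberships to a file, disable rather than delete, verify that the account really is disabled, and later re-apply the snapshot when “give the new person what Betty had” comes up. The archive path is a placeholder.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to modify users.
Import-Module ActiveDirectory

function Invoke-AccountOffboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ExportDir = 'C:\Offboarding'   # placeholder archive location
    )
    # Get-ADUser throws if the identity does not exist, so a typo stops us here.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Record what the account has access to today, so the question
    #    "what did Betty have access to?" stays answerable after she is gone.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $snapshot = Join-Path $ExportDir "$SamAccountName-groups-$stamp.csv"
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
        Export-Csv -Path $snapshot -NoTypeInformation

    # 2. Disable, don't delete: authentication stops, but the SID, group
    #    memberships and audit history all survive.
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description "Disabled $stamp; membership snapshot: $snapshot"

    # 3. Verify before reporting success; a disabled account is only as good as the check.
    $after = Get-ADUser -Identity $SamAccountName -Properties Enabled
    if ($after.Enabled) { throw "Account $SamAccountName is still enabled" }
    return $snapshot
}

function Copy-GroupMembershipFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$SnapshotPath,
        [Parameter(Mandatory)][string]$NewSamAccountName
    )
    # Re-apply the recorded memberships to a new hire. 'Domain Users' is skipped
    # because it is the default primary group and every user already has it.
    Import-Csv -Path $SnapshotPath |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object {
            Add-ADGroupMember -Identity $_.DistinguishedName -Members $NewSamAccountName
            Write-Verbose "Added $NewSamAccountName to $($_.Name)"
        }
}

# Usage: $csv = Invoke-AccountOffboarding -SamAccountName 'betty'
#        Copy-GroupMembershipFromSnapshot -SnapshotPath $csv -NewSamAccountName 'newhire'
```

Review the snapshot before re-applying it: a departing user often carries memberships that were never meant to be inherited by the replacement.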

Perhaps someone will offer a different perspective that will change my mind, but for now, I recommend sticking with disabling accounts vs. deleting them.