We get a version of this call more than you'd think. It usually starts with: "Our IT guy just quit and we realized we don't know any of our passwords." Sometimes there's more urgency: "He left on bad terms and we're not sure if he still has access." Occasionally it's a full-blown emergency: "He's gone, our server is down, and nobody knows what's running on it."
Having a single person who knows everything about your IT environment is called key-man risk. It's one of the most common and most quietly dangerous situations in small and mid-sized businesses. And it almost always surfaces at the worst possible time.
What's Usually Living in One Person's Head
When a solo IT person — or even just your most technical employee — leaves, they take a lot with them. Things like:
- Admin credentials for servers, firewalls, and cloud accounts
- The logic behind how your network is configured (why is that port open? what does that rule do?)
- Vendor relationships and account logins for third-party services
- The workarounds for things that were "fixed" but not really fixed
- Backup schedules, retention policies, and whether backups have been tested lately
- Software license keys and renewal dates
- Which systems are end-of-life and being kept alive through sheer force of will
None of this is typically documented. In our experience, the documentation that does exist is usually out of date, incomplete, or stored in a personal folder on the IT person's laptop — which is now with the IT person.
The Offboarding Scenario Nobody Plans For
When a departure is planned and friendly, you at least get a transition period. Two weeks of knowledge transfer is never enough, but it's better than nothing.
When a departure is abrupt or hostile, you have a different problem. An employee who leaves with active credentials — intentionally or because nobody thought to revoke them — is a security incident waiting to happen. Disgruntled ex-employees rank consistently as one of the top sources of data theft and system sabotage in small businesses. Not because ex-employees are especially malicious as a group, but because access was never properly removed.
The uncomfortable truth: in most small businesses, there is no formal offboarding checklist. Access gets revoked from the obvious things (email, maybe Slack) and quietly forgotten everywhere else. The firewall admin panel. The domain registrar. The server hosting provider. The backup console.
What Good IT Documentation Looks Like
The goal isn't a 200-page manual nobody reads. It's a living document that answers: "If our IT person disappeared tomorrow, what would we need to keep running?"
At minimum, that document should include:
- Network diagram — what's connected to what
- Inventory of hardware and software, with license keys and renewal dates
- Credentials stored securely (in a business password manager, not a doc)
- Vendor contacts and account numbers for internet, hosting, support contracts
- Backup schedule, where backups go, and when they were last tested
- Known issues and technical debt — the things that are held together with duct tape
This documentation should live somewhere that doesn't require the IT person to retrieve it. That's the whole point.
Structured Access Management
Every person who has admin access to your systems should be documented. That access should be tied to their role, not their personality. When someone leaves, removing access should be a checklist item — automated where possible, verified as part of standard offboarding.
This sounds obvious. In practice, most small businesses don't have a list of who has access to what. When we do IT assessments, we regularly find active accounts belonging to people who left years ago.
How an MSP Changes This Dynamic
One of the underappreciated benefits of managed IT services is that the institutional knowledge lives with the MSP, not with an individual. When a technician leaves our team, your documentation, your configurations, your monitoring — none of it goes with them. The systems and the knowledge stay.
We also maintain consistent access management as part of standard operations. Onboarding and offboarding your employees triggers a defined process on our end, not a to-do item that gets lost in the shuffle.
If you're currently in the situation where one person knows everything, the right time to fix it was before they gave notice. The second-best time is now. We're happy to do an IT audit and get your environment properly documented — before the next call starts with "our IT guy just quit."