Playbook: How a Property Management Firm Should Handle the Risk of Data Exfiltration by a Departing Employee
When a property management firm faces a departing employee who may be copying client and tenant files on the way out, what does the right engagement look like? Here is the playbook: what we would assess, what we would change, and what the firm should see when the next departure is handled correctly.
What This Scenario Looks Like
This is a playbook for a scenario we structure engagements around regularly across the Inland Empire. The firm described is a composite — no specific client. The mechanics, controls, and remediation steps are the real engagement structure we use.
Picture a property management firm in Corona managing 380 doors — a mix of single-family rentals and small multi-family buildings across the Inland Empire. The firm has four property managers (each owning a portfolio of roughly 90 doors), three brokers handling sales transactions, one office manager, and one part-time bookkeeper.
The stack: a cloud property-management platform for tenant and lease records, a transaction-management platform for sales-side documents, a separate accounting platform for trust and operating accounts, and M365 for email and file storage. Sensitive data lives everywhere — tenant credit reports, owner statements, bank account details for rent disbursements, signed leases, and a steady stream of broker-client communications.
The triggering scenario: a Friday. One of the property managers gave two weeks' notice the prior Monday and is planning to move to a competitor. The office manager has noticed unusually high download activity on the departing property manager's account — large numbers of file downloads from SharePoint and OneDrive late at night, an unusual sync to a personal OneDrive account, and an external email forward set up the day after the resignation.
The office manager calls us before confronting the employee.
Over the next 48 hours, the right engagement runs the audit, locks down the access, preserves the evidence, and builds the playbook the firm wishes they had used three resignations ago.
Where Most of These Firms Start
Discovery runs in parallel with the access lockdown work. At a firm this size the picture is almost always the same.

M365 is typically on Business Standard. MFA is on for the brokers and the office manager, off for the property managers and the bookkeeper. Conditional Access off. Defender for Office 365 off because the license does not include it. Mailbox auditing at default — which on a Business Standard tenant is on but with limited retention.
The property-management platform has individual user accounts for every staff member. MFA is an available add-on the firm has not purchased. The platform's permission model gives each property manager full access to every property in the firm's portfolio — not just their own portfolio — because the original setup was done at the broker level for convenience.
The transaction-management platform has individual logins, MFA on, but the property managers have been granted access for cross-team transparency. They can view and download every transaction file in the firm — including pending sales, owner statements, and tenant credit reports.
SharePoint and OneDrive are configured with broad permissions. Every staff member has Read access to the firm's main "Owners" library, which contains many months of owner statements, bank routing info, and signed property management agreements. External sharing is on with no expiration policy. OneDrive personal-account sync is not blocked.
The accounting platform is usually the only system with tight access — the bookkeeper and the office manager have access; the property managers do not. The owners' bank account details live there.
No documented offboarding playbook exists. The previous departure was typically handled by changing email passwords on the last day. No mailbox audit. No file-access review. No SharePoint permission cleanup.
What an Audit Typically Uncovers
Two parallel audits run in the first 48 hours — one on what the departing employee has already accessed, and one on what the firm's structural permission model would have allowed anyone to access on their way out the door. Typical findings:
- The departing property manager has accessed several thousand files in the prior 14 days, far above a normal baseline. Of those, a large fraction are inside SharePoint libraries the employee has no operational reason to touch — competitor-broker transaction files, owner financial statements for portfolios they do not manage, and the firm's broker-of-record agreements.
- An external email forward has been configured on the M365 mailbox to forward every inbound message to a personal email address — typically set up within days of the resignation.
- A personal OneDrive sync has pulled a couple of gigabytes of files from the firm's main "Owners" library. Sync activity is timestamped to evenings over a multi-day window.
- The property-management platform shows reports run on every property in the firm's portfolio, not just the employee's assigned portfolio, in the prior week. The reports include tenant contact information, lease end dates, and rent amounts — the exact data set a competitor would need to make outreach.
- The cross-tenant permission graph in SharePoint is a structural problem, not an individual one. Every staff member, including the part-time bookkeeper, has Read access to every property file. The departing employee is simply the first person to act on the access they were quietly given on day one.
- OneDrive external sharing is open with no expiration. Files shared externally during the employee's tenure (to clients, vendors, prospects) are still accessible at the share URL with no time limit.
- Mailbox auditing is on but the retention window on the Business Standard license is short. Pull what is still in the window before it rolls.
> Giving everyone Read access to everything is not transparency — it is structural risk. The principle is least privilege: each role gets exactly the access the role requires, and elevated access is logged.
The Remediation Playbook
The work runs in two tracks. Track A is the immediate departing-employee response — lock down, preserve, evidence, coordinate with the firm's employment attorney. Track B is the structural remediation that makes sure the next departure does not look like this one.
1. Lock down the departing employee's access same-day. Suspend (do not delete) the M365 account, which preserves mailbox content and audit logs. Remove the user from every shared mailbox, distribution list, and Teams channel. Revoke the property-management platform login. Revoke the transaction-management platform login.
Remove the user from every SharePoint group. Kill the external email forward. Force sign-out on all devices via the M365 admin center. Coordinate timing with the office manager, who handles the in-person conversation that afternoon.
2. Preserve evidence in a forensically defensible way. Pull the M365 audit log, the property-management platform activity log, the SharePoint file access log, and the OneDrive sync log. Export each into a date-stamped archive. Document chain of custody. Loop in the firm's employment attorney before the conversation with the departing employee.
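What steps 1 and 2 look like when typed out, as an added example rather than the firm's or this article's own script: a single PowerShell run against Microsoft 365 that preserves the evidence first, then cuts the access, using the Microsoft.Graph and ExchangeOnlineManagement modules. It assumes an admin with Global Admin (or the equivalent User, Groups and Exchange admin roles), treats the user principal name and evidence path as placeholders, and leaves the property-management platform's own activity log to that vendor's export, since it is not in M365. The 14-day lookback matches the audit window described above.

```powershell
# Added example (not the firm's or this article's script): Track A same-day lockdown
# and evidence export for one departing Microsoft 365 user.
# Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
param(
    [Parameter(Mandatory)] [string] $Upn,          # e.g. departing.pm@contoso.example (placeholder)
    [string] $EvidenceRoot = 'C:\Evidence',         # placeholder; use an access-restricted share
    [int]    $LookbackDays = 14
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user  = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$stamp = (Get-Date).ToString('yyyyMMdd-HHmm')
$dir   = Join-Path $EvidenceRoot "$($user.UserPrincipalName)-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# --- Preserve first: capture the forwarding state and inbox rules BEFORE changing them ---
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Clixml (Join-Path $dir 'mailbox-forwarding.xml')
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Clixml (Join-Path $dir 'inbox-rules.xml')

# The unified audit log holds SharePoint/OneDrive file operations (FileDownloaded,
# FileSyncDownloadedFull), Exchange mailbox actions and sign-ins. Page with a session id
# so a large result set is not silently truncated at 5000 rows.
$end = Get-Date; $start = $end.AddDays(-$LookbackDays)
$records = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
        -SessionId "offboard-$stamp" -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records.AddRange([object[]]$page) }
} while ($page -and @($page).Count -eq 5000)
$records | Sort-Object CreationDate | Export-Csv (Join-Path $dir 'unified-audit.csv') -NoTypeInformation

# --- Lock down: suspend, never delete, so the mailbox, OneDrive and audit history survive ---
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null    # invalidates cached tokens on every device

# Mailbox-level forward plus any forwarding/redirect inbox rule (both survive a password change).
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# Entra groups: Microsoft 365 groups, security groups and Teams. SharePoint access that was
# granted through these groups goes with them.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id -ErrorAction Continue }

# Exchange-managed objects: distribution lists and shared-mailbox delegation.
$dn = (Get-Mailbox -Identity $Upn).DistinguishedName
Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'" |
    ForEach-Object { Remove-DistributionGroupMember -Identity $_.Identity -Member $Upn -Confirm:$false }
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    if (Get-MailboxPermission -Identity $_.Identity -User $Upn -ErrorAction SilentlyContinue) {
        Remove-MailboxPermission -Identity $_.Identity -User $Upn -AccessRights FullAccess -Confirm:$false
    }
}

# --- Chain of custody: hash every artifact and record who collected it and when ---
Get-ChildItem -Path $dir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash,
        @{ n = 'CollectedUtc'; e = { (Get-Date).ToUniversalTime().ToString('o') } },
        @{ n = 'Collector';    e = { "$env:USERDOMAIN\$env:USERNAME" } } |
    Export-Csv (Join-Path $dir 'chain-of-custody.csv') -NoTypeInformation
```

The ordering is deliberate: the forwarding configuration and inbox rules are written to the evidence folder before they are removed, because the removal itself destroys the artifact the attorney will ask for. The audit log export is also done before the account is disabled so the query runs against a live, unchanged user object; the chain-of-custody CSV is generated last so it covers every file in the folder.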
3. Rebuild the cross-tenant permission graph. Each property manager's SharePoint access is scoped to their assigned portfolio. Cross-portfolio access requires the office manager's approval and is logged. Brokers retain firm-wide access on the sales side because the operational pattern requires it; property managers no longer have transaction-management access by default.

4. Upgrade M365 to Business Premium and turn on the controls. Defender for Office 365 (Safe Links, Safe Attachments, anti-phishing impersonation rules). Conditional Access requiring MFA on every sign-in for every user, blocking sign-ins from countries the firm does not work in, blocking unmanaged devices from accessing OneDrive and SharePoint. Intune enrollment for every laptop. Mailbox auditing extended to the maximum retention window.
5. Block personal-account OneDrive sync. Conditional Access prevents the OneDrive client from syncing a corporate library to a personal OneDrive account. External sharing requires the office manager's approval and every external share has a 30-day default expiration.
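The tenant settings behind steps 4 and 5, as an added example (not the article's or Microsoft's own script): the three Conditional Access policies via Microsoft Graph PowerShell and the external-sharing expiration via the SharePoint Online Management Shell. It assumes the tenant is already on Business Premium (Conditional Access needs the Entra ID P1 it bundles); the emergency-access account id, the admin URL and the allowed-country list are placeholders. Defender for Office 365 preset policies and the OneDrive device setting that prevents the sync client from signing into personal accounts (pushed through Intune) are separate configuration and are not shown here.

```powershell
# Added example (not the article's or Microsoft's script): Track B Conditional Access
# and SharePoint sharing settings. Policies start in report-only mode so the firm can
# read a week of sign-in logs before flipping state to 'enabled'.
param(
    [string]   $TenantAdminUrl   = 'https://contoso-admin.sharepoint.com',     # placeholder
    [string]   $BreakGlassId     = '<object-id-of-emergency-access-account>',  # placeholder
    [string[]] $AllowedCountries = @('US')                                     # placeholder
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Helper (hypothetical name): every policy gets the same user scope, all users with the
# emergency-access account carved out so a bad policy cannot lock the admins out.
function New-CaBody([string]$Name, [hashtable]$Conditions, [hashtable]$Grant) {
    $Conditions.clientAppTypes = @('all')
    $Conditions.users = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
    return @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# CA01: MFA on every sign-in, for every user and every app. Replaces the per-user MFA
# that only the brokers and the office manager had.
$mfaAll = New-CaBody 'CA01 - Require MFA for all users' `
    @{ applications = @{ includeApplications = @('All') } } `
    @{ operator = 'OR'; builtInControls = @('mfa') }
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaAll | Out-Null

# CA02: SharePoint and OneDrive only from Intune-compliant (or hybrid-joined) devices.
# A home PC running the OneDrive sync client against the "Owners" library fails this check.
# The GUID is the first-party "Office 365 SharePoint Online" application.
$managedOnly = New-CaBody 'CA02 - SharePoint and OneDrive from managed devices only' `
    @{ applications = @{ includeApplications = @('00000003-0000-0ff1-ce00-000000000000') } } `
    @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
New-MgIdentityConditionalAccessPolicy -BodyParameter $managedOnly | Out-Null

# CA03: block sign-ins from countries the firm does not work in. Needs a named location first.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Countries the firm works in'
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false
}
$geoBlock = New-CaBody 'CA03 - Block sign-ins from outside allowed countries' `
    @{ applications = @{ includeApplications = @('All') }
       locations    = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) } } `
    @{ operator = 'OR'; builtInControls = @('block') }
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock | Out-Null

# Step 5, sharing side: every external share expires after 30 days by default, both guest
# access and anonymous links, so a link sent to a vendor two years ago is no longer live.
Connect-SPOService -Url $TenantAdminUrl
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
              -RequireAnonymousLinksExpireInDays 30
```

Report-only mode is the check a practitioner wants here: for a week the Entra sign-in log shows which sign-ins each policy would have blocked, which surfaces the bookkeeper's unenrolled laptop or a broker travelling abroad before anyone is locked out. Only after that review are the policies switched to enabled.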
6. Build and sign off on a written departing-employee playbook. A one-page checklist signed by the office manager and the broker of record on every departure. The playbook covers: same-day access revocation across every platform (M365, property-management platform, transaction-management platform, accounting platform, payroll, building access, vendor portals), mailbox conversion to shared mailbox or forwarding to the assigned successor, laptop wipe, key-fob deactivation, password manager group removal, SharePoint permission audit on libraries the employee had elevated access to, and a 14-day mailbox-audit log review on every voluntary departure.
7. Set up a continuous insider-risk baseline. Defender's anomaly detection alerts the office manager on unusual download volumes, large external transfers, and new external email forwards. The baseline takes about 30 days to calibrate. The firm then catches the kind of pattern that triggered this engagement before it has run for ten days.
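The two signals that triggered this engagement, a download spike and a new external forward, are simple enough to check by hand over an audit log export while Defender's own baseline is still calibrating. The following is an added example, not the article's or Microsoft's detection logic: a PowerShell function that takes records in the shape Search-UnifiedAuditLog returns (CreationDate, UserIds, Operations, AuditData JSON) and flags any user whose latest day of downloads is far above their own median, plus any Set-Mailbox or inbox-rule operation that sets a forwarding address. The sample records, thresholds and mailbox names are constructed for the example.

```powershell
# Added example (not the article's or Microsoft's code): insider-risk signals over
# unified-audit-log records. Thresholds are assumptions; tune them to the firm's baseline.
function Find-InsiderRiskSignals {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int]    $BaselineDays = 30,   # window for the per-user daily median
        [double] $SpikeFactor  = 5.0,  # flag a day above median * factor ...
        [int]    $MinDownloads = 200   # ... and above this floor, so quiet users do not alert on noise
    )
    $downloadOps = 'FileDownloaded', 'FileSyncDownloadedFull'
    $forwardOps  = 'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule'
    $forwardKeys = 'ForwardingSmtpAddress', 'ForwardingAddress', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
    $signals = New-Object System.Collections.Generic.List[object]

    # Signal 1: forwarding switched on, at the mailbox level or through an inbox rule.
    foreach ($r in ($Records | Where-Object { $_.Operations -in $forwardOps })) {
        $data = $r.AuditData | ConvertFrom-Json
        $hits = @($data.Parameters) | Where-Object { $_.Name -in $forwardKeys -and $_.Value }
        if ($hits) {
            $signals.Add([pscustomobject]@{
                User = $r.UserIds; Type = 'ExternalForward'; When = $r.CreationDate
                Detail = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            })
        }
    }

    # Signal 2: the user's most recent day of downloads against their own median
    # over the baseline window (active days only; days with zero downloads are ignored).
    $byUser = $Records | Where-Object { $_.Operations -in $downloadOps } | Group-Object UserIds
    foreach ($u in $byUser) {
        $perDay = @{}
        foreach ($rec in $u.Group) {
            $day = ([datetime]$rec.CreationDate).Date
            if ($perDay.ContainsKey($day)) { $perDay[$day]++ } else { $perDay[$day] = 1 }
        }
        $latest   = $perDay.Keys | Sort-Object | Select-Object -Last 1
        $baseline = @($perDay.Keys |
            Where-Object { $_ -lt $latest -and $_ -ge $latest.AddDays(-$BaselineDays) } |
            ForEach-Object { $perDay[$_] } | Sort-Object)
        $median = if ($baseline.Count -eq 0) { 0 } else { $baseline[[int][math]::Floor($baseline.Count / 2)] }
        $today  = $perDay[$latest]
        if ($today -ge $MinDownloads -and $today -gt $median * $SpikeFactor) {
            $signals.Add([pscustomobject]@{
                User = $u.Name; Type = 'DownloadSpike'; When = $latest
                Detail = "$today downloads on $($latest.ToString('yyyy-MM-dd')) vs median $median over $($baseline.Count) prior active days"
            })
        }
    }
    return $signals
}

# --- Constructed sample records (shape of Search-UnifiedAuditLog output; not real tenant data) ---
function New-SampleRecord([string]$User, [string]$Op, [datetime]$When, [hashtable]$Data) {
    [pscustomobject]@{ CreationDate = $When; UserIds = $User; Operations = $Op
                       AuditData = ($Data | ConvertTo-Json -Depth 5 -Compress) }
}
$sample = New-Object System.Collections.Generic.List[object]
$day0 = Get-Date '2025-03-03'   # constructed start date
foreach ($i in 0..9) {
    # Broker: a steady 20 downloads a day, daytime.
    foreach ($n in 1..20) {
        $sample.Add((New-SampleRecord 'broker@contoso.example' 'FileDownloaded' $day0.AddDays($i).AddHours(10) @{ ObjectId = "Transactions/file-$n.pdf" }))
    }
    # Departing property manager: ~15 a day, then 600 OneDrive sync pulls late on the last night.
    $count = if ($i -eq 9) { 600 } else { 15 }
    foreach ($n in 1..$count) {
        $sample.Add((New-SampleRecord 'pm@contoso.example' 'FileSyncDownloadedFull' $day0.AddDays($i).AddHours(22) @{ ObjectId = "Owners/statement-$n.pdf" }))
    }
}
# A mailbox forward to a personal address, set the evening after the resignation.
$sample.Add((New-SampleRecord 'pm@contoso.example' 'Set-Mailbox' $day0.AddDays(8).AddHours(21) @{
    Parameters = @(@{ Name = 'Identity'; Value = 'pm@contoso.example' },
                   @{ Name = 'ForwardingSmtpAddress'; Value = 'smtp:personal@example.net' })
}))

Find-InsiderRiskSignals -Records $sample | Format-Table -AutoSize
```

On the constructed data the function returns two rows, both for pm@contoso.example: an ExternalForward on the Set-Mailbox record and a DownloadSpike of 600 against a median of 15; the broker's steady 20 a day never trips either threshold. The per-user median is the point of the design: a flat "more than N downloads" rule either drowns the office manager in broker noise or misses a property manager who normally touches a handful of files.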
What It Looks Like When Done Right
When this playbook runs cleanly, here is what the firm exits with.
The departing employee's access is cut same-day, before the most damaging file transfers can happen. The forensic record is preserved in a way the firm's employment attorney can use if it becomes necessary. Personal-OneDrive sync is identified, documented, and stopped. A preservation letter goes through counsel.
The property managers' SharePoint access is scoped to their own portfolios. A property manager who decides to leave for a competitor can no longer download the firm's full owner list as a parting gift — the access does not exist by default. Cross-portfolio access is logged.
Mailbox auditing retention is at the maximum the Business Premium license supports. External sharing has a 30-day expiration by default. Personal-OneDrive sync from corporate libraries is blocked.
> The time to build the offboarding playbook is before the resignation, not after it. "Change the email password on the last day" is not an offboarding playbook.
The departing-employee playbook gets signed off on every departure. A routine departure under this playbook takes the office manager roughly 25 minutes to fully process.
Whether the firm pursues civil action is a decision the employment attorney drives. The evidence package is kept on hand in case it becomes necessary.
The Lesson for Other Property Management Firms
Three things worth taking from this.
First — the departing-employee playbook is not optional. Every property management firm and every real estate brokerage will eventually have a departure that walks out the door with whatever they can carry. The difference between a forgettable departure and a cease-and-desist letter is whether access was scoped correctly on day one and revoked correctly on the last day. "Change the email password on the last day" is not an offboarding playbook.
Second — the cross-tenant permission graph is the part most firms get wrong. Giving everyone Read access to everything is not transparency, it is structural risk. The principle is least privilege: each role gets exactly the access the role requires, and elevated access requires approval and is logged. This is not a paranoid posture. It is a baseline.
Third — the time to build the playbook is before the resignation, not after it. The firm above got lucky — the office manager noticed the download volume in time. The next firm in this situation may not.
If you are a property management firm or a brokerage in the Inland Empire and want a structured look at your permission graph and your offboarding posture, our [real estate IT page](/industries/real-estate) covers the vertical specifics, the [security baseline assessment](/services/security-assessment) walks through the audit methodically, and the [free 12-question self-check](/self-check) gives a rough grade in three minutes.
