Nobody (well, nobody with a heart) likes letting employees go, even when you're firing them for cause. But you do what you have to do, and one of the things you have to do is to remove the employee's access to company resources. This many companies don't do, at least not effectively.
Much of this is common sense, such as deactivating card keys and other physical access methods. Where it gets murkier is when IT resources are involved. Indeed, Lieberman Software's recent 2014 Information Security Survey found that more than 13 percent of respondents could still access a previous employer's systems with their old credentials. The survey points out other discouraging indications of bad policy.
Not every termination is on bad terms. I myself have twice been laid off and immediately brought on as a consultant, making it senseless to remove my system access. But if the employee's gone then you really need to have a policy and a procedure in place to deny the employee any access.
Ground zero of this effort has to do with passwords. Before going further, I'd like to take this opportunity, as I do so often, to point out that this is yet another example of the benefits of two-factor authentication. If you can just deactivate an OTP fob or something similar, then your job is much easier and you can take your time with the passwords.
When you don't have two-factor authentication in place you have to deactivate accounts and/or change passwords. For internal resources controlled through Active Directory, this is not a lot of work. But nowadays companies use many outside services, typically with their own username and password. If the company has a Twitter account, you don't want the ex-employee tweeting through it. If there's a company PayPal account, you might want to make sure the employee can't access it.
Just as password managers are the only way individual users can use passwords securely these days, enterprise versions of password managers may be the only way to track and manage secure use of company passwords by employees. There are many such products, including LastPass Enterprise, RoboForm and Thycotic Secret Server. I've been a LastPass user for some time.
The main value in an enterprise password manager, just as with a single-user password manager, is to make it easier for users to use passwords securely: to make them complex, unique for each site and easier to change periodically. At certain times, such as when "offboarding" an employee, they show added value by providing audit information on which resources the employee has had access to and logged into.
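As an added illustration (not from the article or from any product it names), here is one way to turn that audit information into a rotation list at offboarding time: every credential the departed user saw at or after its most recent password change. The CSV columns, action names, users and credential names are constructed assumptions, not the export format of any particular password manager.

```python
import csv
import io
from datetime import datetime

# Constructed sample audit export; columns and action names are assumptions,
# not the export format of any particular password manager.
SAMPLE_AUDIT_CSV = """timestamp,user,action,credential
2014-03-01T09:00:00,alice,view,twitter-corporate
2014-03-05T10:30:00,bob,rotate,twitter-corporate
2014-03-10T14:00:00,alice,login,paypal-company
2014-04-02T08:15:00,alice,view,office-wifi
2014-04-20T16:45:00,carol,rotate,office-wifi
2014-05-01T11:00:00,alice,login,office-wifi
2014-05-02T09:00:00,bob,view,paypal-company
"""

ROTATE_ACTION = "rotate"                       # password changed, by anyone
EXPOSING_ACTIONS = {"view", "login", "rotate"}  # user learns the current secret


def credentials_to_rotate(audit_csv, departed_user):
    """Return {credential: last_exposure} for every credential the departed
    user saw at or after its most recent rotation."""
    last_seen = {}      # credential -> last time departed_user was exposed to it
    last_rotation = {}  # credential -> last time anyone changed it
    for row in csv.DictReader(io.StringIO(audit_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        cred, action = row["credential"], row["action"]
        if action == ROTATE_ACTION:
            last_rotation[cred] = max(when, last_rotation.get(cred, when))
        if row["user"] == departed_user and action in EXPOSING_ACTIONS:
            last_seen[cred] = max(when, last_seen.get(cred, when))
    # A rotation after the user's last exposure means they never saw the
    # current password, so that credential drops off the list.
    return {
        cred: seen
        for cred, seen in last_seen.items()
        if cred not in last_rotation or seen >= last_rotation[cred]
    }


if __name__ == "__main__":
    todo = credentials_to_rotate(SAMPLE_AUDIT_CSV, "alice")
    for cred, seen in sorted(todo.items()):
        print(f"rotate {cred}: last exposed {seen.isoformat()}")
```

The list only covers credentials that went through the password manager; anything the employee learned or stored outside it still has to be tracked down by hand.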
The possibility of having to lock out an employee may make you consider measures you have avoided so far. Consider a shared Wi-Fi password. Do you really want to change it for everyone, or is it time to use a managed router and individual authentication?
There are limits to what password managers can do. They can't — at least not yet — change a user's passwords en masse, so you may have to change a lot of passwords manually. But they usually make things better and don't ever make things worse.