February 2, 2026

Why New Starter Cyber Risk is One of the Most Overlooked Security Gaps, and What to Do About It

Introduction

In today’s fast‑evolving threat landscape, organisations invest heavily in perimeter defences, endpoint security and zero‑trust architecture. Yet one of the most consistent entry points for cyber threats often remains overlooked: the new starter onboarding process.

Human behaviour, particularly during the first 30–90 days of employment, continues to be a leading contributor to cyber risk. But traditional security awareness programmes often miss this critical window.

In this blog, we explore why new starter cyber risk deserves spotlight attention, how attackers target new employees, and what practical steps IT, security and compliance teams can take to reduce exposure. 

We also share guidance from our latest educational whitepaper, “New Starter Guide: How to Protect New Employees from Cyber Threats”, to help security leaders build a more robust onboarding security strategy.

Why New Starter Cyber Risk Matters More Than You Think

Most organisations recognise that employee cyber risk contributes to breaches. However, awareness usually peaks only after an incident occurs, often when it’s too late. What’s less understood is that the onboarding phase represents a uniquely vulnerable period for new employees:

  • They are learning new systems and tools
  • They don’t yet know internal communication norms
  • They are eager to prove competency
  • They may be unfamiliar with security policies

Together, these factors create a perfect storm for attackers. According to industry reporting, around 60% of data breaches involve a human element, such as error or social engineering. That suggests the path of least resistance for many attacks is rarely technical; it’s behavioural.

The Overlooked Vulnerability in Employee Onboarding

Most cybersecurity programmes treat onboarding as a single checklist item: “Complete training module X, sign policy Y.” But this approach assumes that completing a module resolves the risk, and completion on its own does not change behaviour.

During onboarding, new starters receive a high volume of legitimate communications about access, tools, policies and processes. Attackers exploit this by timing their phishing and social engineering campaigns to blend in with expected activity.

For example:

  • A fake email about “access provisioning” appears on Day 2
  • An invoice request looks like it’s from a trusted supplier during handover
  • An internal policy link arrives at a moment when the user expects policy updates

These aren’t contrived. They reflect realistic onboarding scenarios that security leaders need to anticipate when assessing human cyber risk in onboarding.

Why Traditional Security Awareness Training Isn’t Enough

Security awareness training has been a foundational control for many organisations. But in practice, completion rates don’t equal behaviour change. Employees may click through training to progress HR checklists, without genuinely understanding how to spot a threat.

A critical shift in mindset is required:

  • From training completion to behavioural risk measurement
  • From static content to adaptive learning
  • From one‑off awareness modules to ongoing reinforcement and validation

This involves not just teaching employees about phishing and malware, but also confirming whether they recognise threats in simulated real‑world situations.

That’s why leading security functions prioritise phishing simulations aligned to real onboarding workflows, coupled with knowledge surveys and adaptive reinforcement. This approach helps security teams understand where risk truly lies, not just where training has been ticked off.

How Attackers Target New Employees (Realistic Scenarios)

Understanding how attackers think is key to mitigating risk. Rather than broad spray‑and‑pray campaigns, modern phishing attacks are often targeted, contextual and timed to exploit onboarding blind spots.

Here are common attack vectors:

1. Credential Harvesting Through Legitimate‑Looking Requests

An email appears to come from IT asking a new starter to “verify your access credentials” as part of onboarding configuration. The link leads to a credential harvesting page designed to mimic internal systems. The practical check to give every starter on Day 1 is simple: IT provisions access through the identity provider and will never ask for a password or MFA code through an emailed link, so any such request should be reported rather than answered.

2. Fake Policy or Compliance Portals

A new employee is sent what looks like an internal link to read and acknowledge updated policies. In reality, the page captures login information or delivers a malicious payload. The same rule applies: policy acknowledgements should be reached through the intranet or single sign-on portal shown at induction, not through a link that asks the user to log in again.

3. Supplier Impersonation During Handover

During role handover, attackers impersonate suppliers or finance contacts with invoice or payment queries. New starters, eager to be helpful, may comply before verifying legitimacy. The control is an out-of-band check: confirm any payment or bank-detail change by calling the supplier on a number already held on file, never on one taken from the email itself.

These examples illustrate how familiar‑looking messages can bypass instinctive scepticism, especially when the recipient is a new starter still building context.

Human Behaviour & Onboarding: The Missing Link

Cybersecurity isn’t just about technology; it’s about behaviour. Industry breach reporting consistently finds human factors present in the majority of security incidents, with phishing among the top initial access vectors.

During onboarding, cognitive load is high, confidence is low, and social pressures are strong, all of which impact decision‑making. Security teams must recognise that:

  • New starters may over‑trust internal messages
  • They may be unfamiliar with how legitimate communications are structured
  • They may feel pressure not to ask questions

This is why security behaviours must be measured and reinforced over time, not just once at induction.

Practical Steps IT & Security Teams Can Implement Today

Here are practical, time‑efficient strategies that security leaders can adopt to reduce new starter cyber risk:

1. Start with a Knowledge Baseline

Before diving into simulations, assess what new starters already know. A short knowledge survey on Day 1 helps identify awareness levels and focus points.

2. Use Realistic Simulations, In Context

Simulations should reflect real onboarding workflows, not generic phishing templates. For example:

  • Simulate a “tool access confirmation” email
  • Send a “policy update” message
  • Run supplier impersonation tests during handover

This helps teams see how new starters respond in scenarios that mirror their real working environment.

3. Reinforce Behaviour, Not Just Awareness

Repeat exposures over time with varied scenarios to cement lessons. Reinforcement can be micro‑training triggered by individual survey results.

4. Provide Managers with Insight

Don’t limit visibility to the security team. Give HR and hiring managers cohort-level insight into onboarding risk (for example, click and report rates for starters in their first 30 and 90 days), especially where the results show elevated risk. Reporting at cohort level rather than naming individuals keeps the focus on fixing the process rather than blaming the starter.

5. Capture Audit‑Ready Evidence

Security teams operating under ISO 27001, cyber insurance requirements or internal audit standards should collect evidence of risk measurement and mitigation. This includes:

  • Survey results over time
  • Simulation outcomes
  • Training progress mapped to behavioural indicators
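Steps 2, 3 and 5 above come together once the simulation results are cut by tenure rather than reported as one organisation-wide click rate. The following is an added example, not code from the whitepaper or from any simulation platform: it assumes the platform exports one record per simulated email with the recipient's start date, the scenario label and the outcome, and every field name, threshold and sample row below is constructed for illustration. It buckets results into the 0–30, 31–90 and 90+ day windows, flags the cohort that breaches a hypothetical threshold, and separates trained from untrained recipients so that "completed the module" and "recognised the lure" can be compared directly.

```python
"""Tenure-segmented phishing-simulation metrics.

Added example, not code from the whitepaper or any vendor platform. Assumes the
simulation tool exports one record per simulated email; field names, scenario
labels, thresholds and the sample rows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SimEvent:
    employee: str
    start_date: date       # first day of employment
    sent: date             # date the simulated email was sent
    scenario: str          # hypothetical labels, e.g. "access-provisioning"
    outcome: str           # "reported" | "ignored" | "clicked" | "submitted_credentials"
    training_done: bool    # induction awareness module completed before the send


FAILED = ("clicked", "submitted_credentials")   # both count as a failed simulation

# Constructed sample: two starters in their first weeks, two longer-tenured staff.
SAMPLE_EVENTS: List[SimEvent] = [
    SimEvent("alice", date(2026, 1, 5),  date(2026, 1, 7),  "access-provisioning", "submitted_credentials", True),
    SimEvent("alice", date(2026, 1, 5),  date(2026, 1, 20), "policy-update",       "clicked",  True),
    SimEvent("bob",   date(2026, 1, 12), date(2026, 1, 14), "access-provisioning", "clicked",  False),
    SimEvent("bob",   date(2026, 1, 12), date(2026, 1, 28), "supplier-invoice",    "reported", True),
    SimEvent("alice", date(2026, 1, 5),  date(2026, 2, 20), "supplier-invoice",    "reported", True),
    SimEvent("bob",   date(2026, 1, 12), date(2026, 3, 5),  "policy-update",       "ignored",  True),
    SimEvent("carol", date(2025, 10, 1), date(2026, 1, 7),  "access-provisioning", "reported", True),
    SimEvent("carol", date(2025, 10, 1), date(2026, 2, 3),  "supplier-invoice",    "reported", True),
    SimEvent("dave",  date(2024, 3, 4),  date(2026, 1, 7),  "policy-update",       "ignored",  True),
    SimEvent("dave",  date(2024, 3, 4),  date(2026, 2, 3),  "access-provisioning", "reported", True),
]


def tenure_bucket(days: int) -> str:
    """Map days since start date onto the onboarding windows discussed in the article."""
    if days < 0:
        raise ValueError("simulation sent before the employee's start date")
    if days <= 30:
        return "0-30"
    if days <= 90:
        return "31-90"
    return "90+"


def _bucket_of(ev: SimEvent) -> str:
    return tenure_bucket((ev.sent - ev.start_date).days)


def summarise(events: Iterable[SimEvent]) -> Dict[str, Dict[str, float]]:
    """Per bucket: sends, click rate (any failure), credential-submission rate, report rate."""
    raw = defaultdict(lambda: {"sends": 0, "failed": 0, "creds": 0, "reported": 0})
    for ev in events:
        c = raw[_bucket_of(ev)]
        c["sends"] += 1
        c["failed"] += int(ev.outcome in FAILED)
        c["creds"] += int(ev.outcome == "submitted_credentials")
        c["reported"] += int(ev.outcome == "reported")
    return {b: {"sends": c["sends"],
                "click_rate": c["failed"] / c["sends"],
                "cred_rate": c["creds"] / c["sends"],
                "report_rate": c["reported"] / c["sends"]}
            for b, c in raw.items()}


def at_risk_buckets(summary, max_click: float = 0.10, min_report: float = 0.50) -> List[str]:
    """Buckets breaching the hypothetical thresholds: these go to HR and hiring managers."""
    return sorted(b for b, m in summary.items()
                  if m["click_rate"] > max_click or m["report_rate"] < min_report)


def click_rate_by_training(events: Iterable[SimEvent], bucket: str = "0-30") -> Dict[str, Optional[float]]:
    """Click rate for trained vs untrained recipients in one bucket.

    A high rate among trained staff means the induction module was clicked through,
    not absorbed: completion is not the same as behaviour change.
    """
    sends = {True: 0, False: 0}
    failed = {True: 0, False: 0}
    for ev in events:
        if _bucket_of(ev) != bucket:
            continue
        sends[ev.training_done] += 1
        failed[ev.training_done] += int(ev.outcome in FAILED)
    return {"trained": failed[True] / sends[True] if sends[True] else None,
            "untrained": failed[False] / sends[False] if sends[False] else None}


def scenario_click_rates(events: Iterable[SimEvent], bucket: str = "0-30") -> Dict[str, float]:
    """Which onboarding-themed lure works best on a cohort; drives the next reinforcement topic."""
    sends, failed = defaultdict(int), defaultdict(int)
    for ev in events:
        if _bucket_of(ev) != bucket:
            continue
        sends[ev.scenario] += 1
        failed[ev.scenario] += int(ev.outcome in FAILED)
    return {s: failed[s] / sends[s] for s in sends}


if __name__ == "__main__":
    summary = summarise(SAMPLE_EVENTS)
    for b in ("0-30", "31-90", "90+"):
        m = summary[b]
        print(f"{b:>5} days: sends={m['sends']} click={m['click_rate']:.0%} "
              f"creds={m['cred_rate']:.0%} reported={m['report_rate']:.0%}")
    print("at-risk cohorts:", at_risk_buckets(summary))
    print("0-30 trained vs untrained:", click_rate_by_training(SAMPLE_EVENTS))
    print("0-30 by scenario:", scenario_click_rates(SAMPLE_EVENTS))
```

Run against a real export, the per-bucket table over successive months is the trend report the compliance step asks for, and the trained-versus-untrained split is the evidence that distinguishes training completion from measured behaviour. Keep the output at cohort level when sharing it outside the security team.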

How to Build a Secure Onboarding Process

A structured approach helps ensure onboarding security is consistent, measurable and effective. Consider organising onboarding in phases:

Phase 1: Foundational Awareness

  • Knowledge survey
  • Policy signing
  • Introductory cyber awareness

Phase 2: Behavioural Reinforcement

  • Adaptive micro‑training based on survey results
  • Contextual phishing scenarios

Phase 3: Validation & Assurance

  • Phishing simulations aligned to real workflows
  • Trend reporting for IT, security and compliance

This phased approach helps security leaders track improvement over time and address specific knowledge gaps.

Compliance Considerations for Onboarding Security

Security compliance frameworks such as ISO/IEC 27001:2022 expect organisations to show that staff are aware of their security responsibilities (clause 7.3 and Annex A control 6.3) and that controls are monitored and measured rather than simply deployed (clause 9.1). In practice, an auditor will look for:

  • Evidence of risk identification
  • Risk mitigation strategies
  • Behaviour‑based measurement over time

Onboarding security, particularly when measured and reinforced, produces exactly this evidence. It also supports cyber insurance assessments and internal audits by showing a documented, repeatable approach to reducing human risk.

Conclusion

The modern threat landscape demands a shift in how organisations approach human cyber risk, especially during onboarding. New starters are not simply a checkbox on a compliance form; they represent a predictable risk window that deserves strategic attention.

By understanding attacker behaviour, measuring actual behaviour (not just training completion), and reinforcing learning in context, organisations can strengthen their security posture from Day 1.

If you’re looking to explore this further, our latest whitepaper, New Starter Guide: How to Protect New Employees from Cyber Threats, provides practical frameworks and examples to help security teams reduce onboarding risk with confidence.
