Someone joins your team. They are enthusiastic, capable, and keen to get started. Within their first week they are handed logins, added to email groups, given access to shared drives, and introduced to the payment approval process. Nobody mentions cyber security until the induction checklist gets to the last page, if it gets there at all.
New employee cyber risk is one of the most consistent and under-addressed vulnerabilities we see in Australian organisations. It is not caused by bad intent. It is caused by the simple reality that new starters do not yet know your systems, your processes, or the red flags that an experienced team member would recognise instantly.
The first 90 days of employment are, statistically, the period when a person is most likely to make a costly mistake. And in most organisations, that window receives almost no structured cyber attention.
Why new employee cyber risk is a governance issue, not just an IT one
It is tempting to think of onboarding security as something the IT team handles. They set up the accounts, issue the devices, and apply the access controls. That is a necessary part of the picture, but it is not the whole one.
The decisions a new employee makes in their first few weeks (which emails they trust, which links they click, how they handle an unusual request from a manager, whether they reuse a personal password for a work account) are behavioural. No technical control fully addresses them.
Furthermore, new employees are a known target. Attackers understand that someone who has just joined an organisation is less likely to question an urgent request, less familiar with internal verification processes, and often eager to appear helpful and competent. That combination makes them valuable to exploit.
For directors and owners, the governance question is straightforward. If a new staff member received a convincing phishing email in their first week, or was asked to process an unusual payment by someone claiming to be the CEO, would your onboarding process have given them the context to pause and verify? In most organisations, the honest answer is no.
What we see when new starters and cyber risk collide
The patterns that emerge in this area are consistent across organisations of different sizes and sectors. They are worth naming plainly.
Access is granted broadly and quickly
In the rush to get a new person productive, access permissions are often set too wide and rarely reviewed once the initial onboarding period passes. A new starter in finance may receive access to systems they will not need for months, or ever. That unused access creates unnecessary exposure that persists long after the onboarding period ends.
Cyber awareness training comes too late, or not at all
In many organisations, cyber security awareness training is treated as an annual exercise for existing staff, with new employees folded in at the next scheduled session. That can mean a new starter goes weeks or months without any structured guidance on how to recognise a threat, handle a suspicious request, or report something that does not feel right.
That gap is precisely when new employees are most vulnerable and, therefore, when the organisation is most exposed through them.
New starters are not included in phishing simulations
Many organisations run phishing simulations periodically with existing staff. However, new employees are frequently excluded from these exercises, either because they are not yet on the distribution list or because it is considered unfair to test someone who has not been trained. The result is that leadership has no visibility into how a new starter would respond to a real attempt.
Password and credential habits from personal life carry over
New employees arrive with existing digital habits, some good, many not. Reusing passwords, using personal email addresses for work-related logins, and storing credentials in browsers or on paper are common. Without deliberate guidance at the point of onboarding, these habits do not change simply because someone has started a new job.
The handover period creates confusion that attackers exploit
When someone is new, they are often unsure about who to contact, how decisions get made, and which requests are normal. Attackers who target organisations often time their attempts to coincide with staff transitions, knowing that the usual verification habits are disrupted and that a new person is less likely to push back on an unusual request.
What a sensible approach to new employee cyber risk looks like
Addressing new employee cyber risk does not require a complex or expensive program. It requires a deliberate decision to treat the onboarding period as a high-risk window and to build a small number of consistent practices around it.
A well-governed organisation typically does the following.
- Includes a short, plain English cyber briefing in the onboarding process, covering what to look out for, how to report something suspicious, and who to contact.
- Applies the principle of least access from day one, meaning new starters receive only the access they need for their immediate role, with a review scheduled after 90 days.
- Runs phishing simulations that include new employees within their first 60 days, so leadership can see how they respond before a real attempt occurs.
- Requires completion of a concise cyber awareness module before or within the first week of employment, rather than waiting for the next scheduled cohort.
- Uses a cyber security dashboard to track onboarding training completion by individual, so there is a clear record of who has and has not been through the process.
None of this is onerous. Most of it takes minutes per new starter. The point is not to overwhelm someone on their first day, but to ensure the basics are in place before the risk window opens fully.
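As an added illustration, not 4walls' own tooling, the check below applies the windows from the practices above (training within the first week, a phishing simulation within 60 days, an access review after 90 days, and access limited to the immediate role) to a constructed roster. The role baselines and the sample staff are assumptions; a gap list that comes back empty means the starter is within policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows taken from the practices listed above (days after the start date).
TRAINING_DEADLINE = 7     # awareness module within the first week
PHISHING_SIM_WINDOW = 60  # simulation within the first 60 days
ACCESS_REVIEW_DUE = 90    # least-access review scheduled after 90 days

# Hypothetical role baselines: the systems each role needs for its immediate work.
ROLE_BASELINE = {
    "finance": {"email", "erp", "payments"},
    "sales": {"email", "crm"},
}

@dataclass
class Starter:
    name: str
    role: str
    start: date
    access: set                              # systems actually granted
    training_done: Optional[date] = None
    phishing_sim_sent: Optional[date] = None
    access_reviewed: Optional[date] = None

def missed(done: Optional[date], start: date, today: date, limit: int) -> bool:
    """True if the item was done after its deadline, or not done and the window has closed."""
    deadline = start + timedelta(days=limit)
    return done > deadline if done is not None else today > deadline

def onboarding_gaps(s: Starter, today: date) -> list:
    """Policy gaps for one starter as of `today`, one line per failed practice."""
    gaps = []
    extra = s.access - ROLE_BASELINE.get(s.role, set())  # beyond least access
    if extra:
        gaps.append(f"access beyond role baseline: {sorted(extra)}")
    if missed(s.training_done, s.start, today, TRAINING_DEADLINE):
        gaps.append("awareness module not completed within first week")
    if missed(s.phishing_sim_sent, s.start, today, PHISHING_SIM_WINDOW):
        gaps.append("no phishing simulation within first 60 days")
    if missed(s.access_reviewed, s.start, today, ACCESS_REVIEW_DUE):
        gaps.append("90-day access review overdue")
    return gaps

# Constructed sample roster (not real staff), checked as of a fixed date.
TODAY = date(2025, 6, 1)
ROSTER = [
    Starter("Ana", "finance", date(2025, 5, 26), {"email", "erp", "payments", "hr_records"}),
    Starter("Ben", "sales", date(2025, 3, 1), {"email", "crm"}, training_done=date(2025, 3, 4)),
    Starter("Cy", "finance", date(2025, 4, 20), {"email", "erp"},
            training_done=date(2025, 5, 10), phishing_sim_sent=date(2025, 5, 15)),
]

def dashboard(roster=ROSTER, today=TODAY) -> dict:
    """Name -> list of gaps, the per-individual record the dashboard practice calls for."""
    return {s.name: onboarding_gaps(s, today) for s in roster}
```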
A practical starting point for organisations
If you are not sure how your current onboarding process handles cyber risk, start by asking two simple questions.
First, what does a new employee know about cyber security by the end of their first week? Not what they have been sent, but what they actually understand and have demonstrated. Second, would you know within 30 days if a new starter had clicked a phishing link, used a weak password, or shared credentials with someone they should not have?
If the answer to either question is unclear, that is your starting point. A cyber security assessment can help surface where the gaps sit across your organisation, including how well your onboarding process addresses the risks that new starters introduce.
From there, even small structural changes to your onboarding process can substantially reduce the exposure that the first 90 days create.
Make the first 90 days work for you, not against you
At 4walls, we work with boards, owners, principals and CEOs who want a clear, practical picture of where their human cyber risk actually sits. That includes the onboarding window, which is one of the most consistent gaps we see across Australian organisations of all sizes.
If you would like to understand how your organisation manages new employee cyber risk, our cyber governance principles training and Board Cyber Check-in are designed to help leadership teams build the visibility and structure that makes these questions straightforward to answer.
Our structured cyber dashboard and reporting framework is fully set up and live within 30 days, giving leadership a clear view of overall cyber posture, technical compliance, prioritised actions, and user awareness engagement. Within those first 30 days, cyber becomes trackable and reportable, ready for leadership, board, or insurer discussions. If you are not sure how your organisation would stand up to that level of scrutiny, our 3-minute cyber starting point check gives you an immediate view of where the gaps are.
New employee cyber risk does not have to be a blind spot. It just needs a bit of deliberate attention at the right moment.
Get started with 4walls >> https://4walls.au/support/