Cyber Security
November 2025 | 6 min read

New Employees: Your Organisation's Hidden Cyber Security Vulnerability

Research reveals that 71% of new hires fall victim to phishing attacks within their first 90 days. Here's why your newest team members could be your biggest security risk.


The Hidden Risk Period

The first 90 days of employment represent one of the most dangerous periods for your organisation's cyber security. New starters are prime targets for cyber criminals—and most businesses don't even realise it.

The Onboarding Security Gap

When bringing a new team member on board, most organisations focus on the essentials: setting up their workstation, creating email accounts, granting system access, and introducing them to colleagues. What often gets overlooked is cyber security awareness training during this critical vulnerability window.

Recent research has uncovered an alarming statistic: nearly three-quarters of new employees (71%) fall victim to phishing or social engineering attacks within their first three months on the job. This isn't a coincidence—cyber criminals are actively targeting your newest recruits.

  • 71% of new employees fall for phishing within 90 days
  • 44% more likely to click malicious links than experienced staff
  • 45% more susceptible to CEO impersonation attacks

Why New Starters Are Prime Targets

Understanding why new employees are so vulnerable helps explain why cyber criminals specifically target them. The psychology of starting a new job creates the perfect conditions for social engineering attacks:

Eagerness to Impress

New employees want to make a positive impression and are more likely to respond quickly to requests, especially from perceived authority figures.

Unfamiliarity with Colleagues

They haven't yet learned who's who in the organisation, making them unable to spot impersonation attempts or unusual requests.

Unknown Processes

Without knowledge of standard procedures, they can't identify when a request deviates from normal business operations.

Following Instructions

The natural tendency to follow guidance from more senior colleagues makes them susceptible to fake requests from 'managers' or 'IT support'.

Common Attack Methods Targeting New Starters

Cyber criminals employ sophisticated tactics specifically designed to exploit new employee vulnerabilities:

  1. Fake HR Portal Requests: Emails asking new starters to "verify" or "update" their personal details on a spoofed HR system
  2. CEO Fraud: Messages impersonating senior executives requesting urgent favours or sensitive information
  3. IT Support Scams: Fake tech support requests asking for credentials or remote access to "fix issues"
  4. Bogus Invoice Scams: Urgent payment requests that appear legitimate but redirect funds to criminal accounts

The Solution: Security-First Onboarding

The good news is that organisations taking a proactive approach to new starter security see dramatic improvements. Businesses implementing tailored security awareness training and realistic phishing simulations during onboarding reduced their risk by 30% after the initial training period.

Essential Onboarding Security Measures

Day-one security awareness briefing
Phishing recognition training
Clear reporting procedures
Simulated phishing exercises
Introduction to IT security team
Password and MFA best practices
Social engineering awareness
Regular follow-up assessments

People: Your First Line of Defence

Whilst technical security measures like firewalls, endpoint protection, and email filtering remain essential, they cannot catch everything. Your employees—particularly your newest ones—form the critical human layer of your security infrastructure.

Without proper training and awareness, your newest team members may inadvertently become your weakest security link. The investment in comprehensive onboarding security training pays dividends in risk reduction, employee confidence, and organisational resilience.

Strengthen Your Onboarding Security

Graphite IT can help you implement effective cyber security training programmes for new starters, including phishing simulations and awareness training powered by KyberONE.
