When a new hire joins your business, there is plenty to cover. Introductions, training, settling into their role. But there is one critical area that should not be overlooked: cyber security.
Your newest team member represents both an opportunity and a vulnerability. They are eager to contribute but they are also unfamiliar with your systems. With a structured approach, you can turn new hires into informed defenders of your business from day one.
Here is what you can do:
1. Create a security essentials checklist
You might or might not have a formal ICT policy document and that is okay. What matters is ensuring new hires understand the basics before they start accessing your systems.
Start with a simple checklist covering:
- What they can and can't do on company devices (personal use, software downloads, USB drives).
- How to create strong passwords and where to store them.
- How to recognise suspicious emails and phishing attempts.
- Who to contact if something seems wrong.
- Basic physical security (visitor management, locking devices, secure document disposal).
NOTE:
- Make it practical, not overwhelming. Even a two-page document reviewed on their first day makes a significant difference. You can always build from there.
- Consider assigning a security buddy, someone they can approach with questions during their first few months. When they receive that suspicious email claiming to be from you, they will have someone to check with before clicking anything.
2. Cover your most critical policies (even if they are informal)
You might not have dozens of formal security policies but you likely have established ways of doing things. Document the most important ones, even if it is just a simple shared document or handbook section.
Focus on what matters most for your business:
- Device security: What happens if a laptop is lost or stolen? Who do they call?
- Password practices: Do you use a password manager? When should passwords change? (Current guidance is to change a password when you suspect it has been exposed, not on a fixed schedule; forced rotation mostly produces weaker, predictable variations of the old one.)
- Remote work basics: If they work from home, what security measures are non-negotiable?
- Data handling: What information is sensitive? How should it be shared or stored?
NOTE:
- Keep it conversational. Instead of dense policy language, explain things the way you would tell a friend: "We use LastPass to manage passwords because reusing passwords across accounts is one of the easiest ways to get hacked. Your IT buddy will help you set it up on day one."
- Schedule a 30-minute security overview during their first week. Walk through your key practices, explain why they matter and answer questions. This personal touch makes security feel less like bureaucracy and more like team responsibility.
3. Share real risks and practical defences
Forget the theoretical threat landscape. Talk about what actually happens to businesses like yours.
Have a conversation about the real risks you face:
Examples –
- "We have had people receive fake invoices claiming to be from suppliers. Always verify payment requests by calling the supplier directly and never use contact details from the email."
- "Ransomware is a real threat in our industry. That is why we back up our files daily, keep a copy that is not connected to our network and test restoring from it, so an attack means a restore rather than a lost business."
- "We have seen competitors get hit by phishing emails that look like they are from the boss asking for gift cards. If I ever need something urgent, I will call or walk over and not just email."
Share your team's practical defences:
You don't need a formal "Risk Register" or "Business Continuity Plan" (though these are excellent to develop over time). Start with practical knowledge:
- Which files and systems are absolutely essential to keep the business running?
- Who has backup access if the primary person is unavailable?
- What is your plan if email goes down for a day? A week?
- Where are your backups, and how quickly can you restore them?
Encourage questions and fresh perspectives. New hires often notice things veteran employees overlook. "Why don't we lock our screens when we step away?" might seem like a naive question but it could reveal a blind spot.
Don't know all your risks?
Start by listing your three most valuable business assets (e.g. customer data, financial information, proprietary processes etc.) and think about what would happen if you lost access to them. That is your risk conversation starter.
4. Clarify who to contact when things go wrong
You might not have a formal Incident Response Team but you absolutely need new hires to know who to contact when something seems suspicious.
Make it crystal clear:
"If you receive a strange email, click on something you shouldn't have, lose your laptop or notice anything unusual with your accounts or our systems, contact [name] immediately. Day or night."
Help them understand the people landscape:
Cyber criminals love to impersonate colleagues, especially to new employees eager to prove themselves. A simple conversation helps:
"You will receive emails that look like they are from me, from our accountant, from our IT provider. Before you action anything urgent, especially involving money, passwords or sensitive information, verify through a different channel. Call the person. Walk to their desk. Use Teams. Don't just reply to the email."
Create a simple contact card with key security contacts:
- Primary IT contact (internal or external provider)
- Manager or business owner
- After-hours emergency number
- Any relevant service providers (your MSP, cloud provider, etc.)
Test their awareness:
After a week or two, send a harmless test phishing email (something obviously suspicious, not deceptive) and see if they report it. Use it as a learning opportunity, not a gotcha moment.
5. Secure remote work setups (the basics)
If your new employee will work from home, even occasionally, you need to address home office security. But this doesn't require a comprehensive policy or formal validation process.
Focus on the non-negotiables:
- Wi-Fi security: "Is your home Wi-Fi protected with WPA2 or WPA3 and a strong password? Still using the default one that came with your router? Let's change that."
- Device security: "Your work laptop should lock automatically after 5 minutes of inactivity and its disk should be encrypted, so that a lost or stolen laptop means replacing hardware rather than reporting a data breach. Let's verify both are configured. And never leave it in your car unattended."
- Workspace privacy: "Can delivery drivers or guests see your screen when you are working? Can family members access your work laptop? Let's think through the setup."
- Software security: "You should have antivirus running and automatic updates enabled. Let's confirm that together."
- Physical document security: "If you print anything confidential at home, where will you store it? How will you dispose of it?"
NOTE:
- Make it a collaborative check-in, not an interrogation. Walk through these items together during a video call or in person. It shows you care about their security and the business's security.
- Provide simple guidelines: "When working from a café, never access financial systems or customer data on public Wi-Fi. Use your phone's hotspot instead or wait until you are on a secure connection."
- Don't have a remote work policy? Create a simple one-page checklist of security requirements for working from home. It doesn't need to be comprehensive, just clear about your minimum standards.
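If the new hire's laptop runs Windows, the "let's verify that is configured" parts of the checklist above can be done together in a few minutes with a script. The following is an added example written for this page, not a tool from Netway or from the original article. It assumes a Windows 10 or 11 laptop with Microsoft Defender, run from an elevated PowerShell prompt; the five-minute lock limit and the seven-day signature age are thresholds chosen here to match the checklist, and the check names are illustrative.

```powershell
# Added example (not Netway's own tooling): verify the non-negotiable laptop
# settings from the home-office checklist. Assumes Windows 10/11 with
# Microsoft Defender, run as Administrator. Thresholds are assumptions.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Screen lock within 5 minutes: either the per-user secure screensaver or
#    the machine-wide inactivity limit policy must be set to 300 s or less.
$saver = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$saverTimeout = [int]$saver.ScreenSaveTimeOut
$saverOk = ($saver.ScreenSaveActive -eq '1') -and ($saver.ScreenSaverIsSecure -eq '1') -and
           ($saverTimeout -gt 0) -and ($saverTimeout -le 300)
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$inactivity = [int]$policy.InactivityTimeoutSecs
$policyOk = ($inactivity -gt 0) -and ($inactivity -le 300)
Add-Finding 'Screen locks within 5 minutes' ($saverOk -or $policyOk) "screensaver=${saverTimeout}s inactivity=${inactivity}s"

# 2. Disk encryption: a lost laptop is only a hardware loss if the OS drive is
#    BitLocker-protected. Get-BitLockerVolume exists on Pro/Enterprise editions.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'OS drive encrypted (BitLocker)' ($vol.ProtectionStatus -eq 'On') "volume status=$($vol.VolumeStatus)"
} catch {
    Add-Finding 'OS drive encrypted (BitLocker)' $false "BitLocker not available: $($_.Exception.Message)"
}

# 3. Antivirus: Defender real-time protection on, signatures less than 7 days old.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Finding 'Antivirus real-time protection on' $mp.RealTimeProtectionEnabled "service enabled=$($mp.AMServiceEnabled)"
    Add-Finding 'Antivirus signatures under 7 days old' ($sigAge.TotalDays -lt 7) ("last updated {0:yyyy-MM-dd}" -f $mp.AntivirusSignatureLastUpdated)
} catch {
    Add-Finding 'Antivirus real-time protection on' $false "Defender status unavailable (third-party AV?): $($_.Exception.Message)"
}

# 4. Automatic updates: the Windows Update service must not be disabled and no
#    policy may switch automatic updating off (NoAutoUpdate = 1).
$wu = Get-Service -Name wuauserv
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$autoOff = ($null -ne $au) -and ($au.NoAutoUpdate -eq 1)
Add-Finding 'Automatic updates enabled' (($wu.StartType -ne 'Disabled') -and (-not $autoOff)) "service start=$($wu.StartType) NoAutoUpdate=$($au.NoAutoUpdate)"

# Report: one row per check, non-zero exit if anything failed so the result
# can be kept with the onboarding checklist.
$Findings | Format-Table -AutoSize
if ($Findings | Where-Object { -not $_.Pass }) {
    Write-Warning 'Some checks failed; fix them with the new hire before they handle customer or financial data.'
    exit 1
}
exit 0
```

Run it on the call while the new hire watches, and fix anything that fails on the spot; the point is the shared walk-through, not the exit code. A failed BitLocker check on a Home edition laptop is itself a finding worth acting on, because that machine cannot protect its data if it goes missing.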
Building cyber security into your culture
Here is the reality: most small-medium businesses don't have formal security documentation, dedicated security teams or comprehensive policies. And that is okay. What matters is creating a culture where security is everyone's responsibility and where people feel comfortable asking questions.
If you need help developing your business’s cyber security onboarding process, do reach out to Netway for a friendly chat.