Cyber security for new hires: why the first 90 days matter

Why new hires are a top cyber security risk

It’s a few years back. A brand‑new apprentice at one of our suppliers gets an email from “her manager”. Friendly tone. Urgent favour. Could she nip out and grab some iTunes vouchers for client gifts? These days, that request to “nip out” would seem wild, but remember this was a few years ago, when gift vouchers, especially for iTunes (in the days before Spotify), were all the rage. Keen to impress, she heads to the high street.

Half an hour later, her actual boss calls: “Where are you?”
Cue alarm bells. Thankfully, she hadn’t bought the vouchers. No harm done, just a racing pulse and a story that keeps paying off. Why? Because that trick, manager impersonation + gift cards, has been around for years, and it still works. Apple even warns people not to share gift‑card codes because scammers love them: they’re fast, cash‑like and hard to trace.

Phishing attacks: what the data shows us

Most leaders focus on the essentials: laptop, email account, system access and a quick round of intros. All important. But the first few months are also one of the most dangerous times for your cyber security, and it often flies under the radar.

New research shows just how risky those early days are

• 71% of new hires fail phishing or social‑engineering tests in their first 90 days.
• They’re 44% more likely to be duped than colleagues who’ve been around a while.
• When scammers impersonate executives, new starters are 45% more likely to take the bait.
• Organisations running tailored onboarding training and simulations saw risk drop by ~30%.

Why this happens (and how criminals exploit it)

Starting a new job means unknown processes, new faces, and a healthy desire to help. Attackers lean into that uncertainty with believable messages that look like they’re from the boss, HR or IT:

• “Please update your details on the HR portal.” (It’s a spoofed site.)
• “Urgent invoice, can you pay this today?” (It’s fabricated but looks genuine.)
• “I’m in a meeting, can you do me a quick favour?” (Buy gift cards, share the codes.)

Authority + urgency + unfamiliar routines = the perfect social‑engineering recipe.

It’s not just theory, the numbers are clear

Executive impersonation emails land harder with new hires (+45% susceptibility), and gift‑card requests remain a staple of manager‑spoofing scams in email and text. Culture matters too: teams that encourage quick reporting, without blame, recover faster and get phish‑spotting momentum on their side.

Simple steps to protect your new starters

Don’t wait for a new starter to “settle in”. Those early days are when you lay secure habits.

A first‑90‑days playbook you can run now

1. Pre‑boarding nudge – Send a short “How we handle email & approvals” primer before day one. List approved domains, sign‑off patterns, and what you’ll never ask (e.g., “We will never ask you to buy gift cards or share MFA codes.”).
2. Week‑one training – Ten‑minute modules using your real comms (HR portals, IT tickets, expenses). Include one realistic simulation they’re likely to see.
3. Safe escalation paths – One‑click email reporting, plus a clear “If in doubt, call…” policy. Reward reporting, even false alarms. A no‑blame culture improves resilience.
4. Simulations – A light cadence of impersonation, fake vendor, and tech‑support simulations (ask for their MFA). Track improvement; recognise areas of improvement. Expect meaningful risk reduction (~30%) as they onboard.

Cyber essentials still count

Email security, endpoint protection and filtering are non‑negotiable. But people make the difference. Set your newest people up to win on day one, and you shrink your largest early‑tenure risk window dramatically.

Need a hand? We can work with you and all your employees (not just new hires) to improve their cybersecurity and, therefore, the security of your business.