Blog Articles

Cybersecurity Checklist for Onboarding New Staff

Sep 29, 2022
New call-to-action

Recent Content

Many companies provide employees with a flood of information on their first day of work, such as the organization’s values, vision, work directions, and the various technology platforms used for different activities. However, few remember to discuss cybersecurity practices and expectations on the first day, yet cybersecurity onboarding should be a priority. Every HR department should prioritize onboarding cybersecurity procedures and policies to ingrain an information security culture from the first day a new employee starts. A robust relationship between HR and IT departments can help businesses implement a consistent and productive onboarding experience focused on cybersecurity best practices. 

 

Start with a cybersecurity onboarding checklist

Every business should foster a cyber-secure environment as soon as a new employee signs the offer letter. For instance, creating a checklist comprising the roles of everyone involved in the cybersecurity onboarding process can ensure organizational compliance with cybersecurity requirements and minimizes the risks of new hires making common security mistakes that can compromise data and critical systems.

 

CYBERSECURITY CONSIDERATIONS FOR NEW STAFF MEMBERS:

Which department will the new employee be in?
  • Determine the scope of the new employee’s information, application, and network access 

What resources does the new employee need to access in their assigned roles?

  • Define specific access to information and apps
  • Provide role-based access based on employee access needs

Who will manage new employees?

  • Establish a formal line of communication 
  • Define the approval workflow for removing or granting future access privileges 

What are the special access needs for the new hires?

  • Define privileged access management 
  • Establish special access rights beyond the established role-based access permissions 

Have the new employee’s access and accounts been requested?

  • Monitor and track the provisioning/onboarding process 

Have the new employee’s accounts been provisioned?

  • Create new accounts for information, apps, systems, and network access 

Have the new employee’s physical IT assets been requested and configured accurately?

  • Determine the required assets (phones, laptops, computers, key fob) the employee needs to gain access to various resources within the workplace
  • Provision of the new employee’s account before the release of physical assets to enable the employee to commence work immediately after they receive the physical IT assets 

Have the relevant personnel followed up to confirm the new hire has access to necessary resources?

  • If yes, commence cybersecurity training and awareness to ensure the new hires understand the best security practices when using the provisioned accounts, apps, physical IT assets, access rights, etc.

 

Cybersecurity OnBoarding Best Practices

1. Cybersecurity Training and Awareness

Once the IT department has provisioned the necessary access rights for the new hires, cybersecurity becomes their responsibility. Access to company data, networks, or systems increases security risks since employees may lack awareness of the expected cybersecurity best practices. Cybersecurity awareness and training are essential to equipping new employees with knowledge of real-world cyber threats, their impacts on business operations if actualized, and the best practices for mitigating them. In addition, information security training and awareness explain the implemented cybersecurity policies, their importance, and the implications of non-compliance. Investing the time and resources during cybersecurity training programs stresses the need for adhering to best practices, thus producing vigilant employees who actively participate in maintaining a strong cybersecurity culture. 

2. Enforce Password Security Policies

With new employees having access to critical company data, applications, and systems, they must prevent unauthorized users or insider threats from gaining unwanted access. Hence, you must enforce and reiterate the importance of strong password policies. While many employees may want to create easy-to-remember passwords, such as 123456 or qwerty12345, new staff must understand that weak passwords contribute to the highest number of breaches and intrusions. Therefore, you should ensure that the new employees understand the best password security practices. At the very least, a password should contain eight or more characters, uppercase and lowercase alphabets, numbers, and special characters.

3. Encourage Communication and Reporting

Training and awareness educate new employees regarding specific threats in your IT environment and their potential impacts, but do they know how to report them for further action? Cybersecurity knowledge, communication, and reporting are vital tools to help new hires navigate the murky cyber-threat landscape. For instance, enabling new staff to report concerns about suspicious phone calls, texts, or email messages can be the intervention needed to thwart a phishing incident that could lead to a ransomware attack. In other words, your dedicated IT team or personnel should always be available to discuss any cybersecurity issues or challenges facing new employees. 

4. Share Security File Sharing Guidelines

Sensitive information can have adverse impacts if it falls into the wrong hands, whether through data leakage, breaches, or insecure file sharing. New employees must understand best practices for securely sharing confidential business, customer, or employee data. For example, if the employees work from home, they must use a VPN service to secure remote access to company resources and information. The onboarding process allows new employees to review and understand such procedures. Secure file sharing practices should also include strong encryption to ensure they are inaccessible even if leaked, breached, or sent to the wrong recipient. Understanding such secure file sharing techniques ensures data integrity, confidentiality, and availability. 

 

Strategies for Successful Cybersecurity Onboarding

Onboard at Micro and Macro Sales

Cybersecurity onboarding at the macro level involves briefing new employees on their cybersecurity roles. Essentially, macro-onboarding creates a common understanding and baseline of the company’s cybersecurity posture. This may include understanding the organization’s risk tolerance and how it fits into the service-level agreements. For example, what cyber-risks should the new employees report, to who, and in which format? In addition, since the organization’s information security personnel plays specific roles, you should ascertain that new employees understand how those roles support the organization’s cybersecurity programs to convey the message that they are joining a collaborative team.

On the other hand, micro-onboarding is more refined and focuses on the intricacies of the company’s cybersecurity programs. These include knowledge of the implemented cybersecurity tools and technologies and how they work together to deliver a security architecture. Also, micro-onboarding includes the general procedures and processes involved in the daily cybersecurity checklists, dashboards, and processes, including cyber hygiene, patching, and updating. Micro onboarding further focuses on incident response and management should a successful intrusion, malware attack, or network intrusion occur. New employees must understand their roles in managing an incident and other cross-functional responsibilities and roles. 

Definitive Markers

A cybersecurity onboarding program for new employees requires definitive markers, which provide a structured process for ingraining a cybersecurity culture in new employees. Additionally, a cybersecurity onboarding program should be ongoing and implemented over several months. Although many companies think cybersecurity onboarding can be completed in the first few days of a new hire, this may lead to failure. New employees require more time to understand the workings of deployed technologies, and new threats emerge frequently. Hence, a cybersecurity onboarding process should last at least three months to ensure new employees understand each IT asset, real or perceived threat, and the best security practices to protect from attacks. The risk of lacking an in-depth cybersecurity onboarding program has broader implications and may set up an organization to fail due to breaches and attacks.

 

About Pulsar Security

Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a Veteran, privately owned business built on vision and trust, whose leadership has extensive military experience enabling it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications reveal that our engineers have the industry's most esteemed and advanced on the ground experience and cybersecurity credentials.

Corey Belanger

Corey Belanger

Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.