Ah, the new employee—a representation simultaneously of good and evil where all hope lies and is lost in one convenient package.

Now, please don’t think I’m against new hires; in fact, it’s the complete opposite. As an executive, it’s my job to continuously seek out talent that can breathe new life into the organization. And regardless of where that person may sit within their career timeline, any new hire is worth bringing on board.

However, in this instance, when I say that a new hire can personify both good and evil simultaneously, the struggle is not actually with the hire, it’s with the employer—and it all circles around IT security. You see, when new people are brought on board, the company is foreign ground. It’s a mystery to the new person who is left to navigate the wilds of the new space, people, politics, and more—to make their way in a new world until they feel comfortable, wanted, and needed.

So, when the ticking time bomb of a new IT security threat is first hired, the responsibility of defusing that bomb rests squarely on the employer. In fact, it speaks to a far greater issue in the world of IT security that we now live in—not the educational aspect of avoiding threats, but the legal aspect of having policy in place to manage the scenario in its entirety.

You see, when a new person is on-boarded, they go through the usual HR process of signing everything that pertains to insurance, payroll, and so on, along with the expectation that they’ll buy the VP of Sales coffee once a week—you know, the usual.

But where in the on-boarding process is the “talk” and the paperwork that outlines how the company handles IT security? Yes, of course, there can be the educational aspect of “don’t click on links to cat pictures and lottery winnings from your email.” However, that’s not policy, that’s good practice.

The policy is where the rubber meets the legal road to ensure that people understand what they can and cannot use company assets for, how security breaches are to be dealt with, and more—all there to mitigate risk and bad press in the event that something should go sideways.

Now, I’m at no time going to suggest what your IT security policy should entail. I’ll leave that up to the legal minds of the world, working together with HR and IT to devise the plan of action and policy that works best for your company.

The point of this blog isn’t to pretend to be the Harvard Law Review—it’s meant to be a suggestion, perhaps even a warning, to be diligent in your educational process. The stark reality is that the majority of your new employees at all levels of your organization are probably completely and utterly unaware of your security policies, or even the potential threats that your company may face.

So when welcoming new hires into the fold, make sure they have a clear idea of what the company does, what the potential IT security threats are, and how they will be handled if a threat occurs. After all, you can blame someone for breaking the coffee maker on their first day—you can’t blame them for tanking your company because you forgot to tell them about your security protocols.