Ah, the new employee—a representation simultaneously of good and evil where all hope lies and is lost in one convenient package.

Now, please don’t think I’m against new hires; in fact, it’s the complete opposite. As an executive, it’s my job to continuously seek out talent that can breathe new life into the organization. And regardless of where that person may sit within their career timeline, any new hire is worth bringing on board.

However, in this instance, when I say that a new hire can personify both good and evil simultaneously, the struggle is not actually with the hire, it’s with the employer—and it all circles around IT security. You see, when new people are brought on board, the company is foreign ground. It’s a mystery to the new person who is left to navigate the wilds of the new space, people, politics, and more—to make their way in a new world until they feel comfortable, wanted, and needed.

Key Takeaways

  • New employees often represent an overlooked IT security vulnerability, not because of intent, but because they arrive unfamiliar with company systems, policies, and potential threats specific to the organization.
  • There is a critical difference between security “good practice,” like general advice to avoid suspicious email links, and formal security policy, which legally documents acceptable use, breach response procedures, and consequences.
  • Most new hires at every level of an organization are likely unaware of the company’s specific security policies or the threats it faces, making structured, deliberate onboarding education essential rather than optional.
  • Responsibility for defusing the security risk that comes with onboarding rests with the employer, not the new hire, since a company cannot reasonably expect employees to follow security protocols they were never taught.
  • Building formal IT security policy into onboarding, developed collaboratively by legal, HR, and IT, protects the business from risk and reputational damage in a way that informal advice or assumed common sense cannot.

So, when the ticking time bomb of a new IT security threat is first hired, the responsibility of defusing that bomb rests squarely on the employer. In fact, it speaks to a far greater issue in the world of IT security that we now live in—not the educational aspect of avoiding threats, but the legal aspect of having policy in place to manage the scenario in its entirety.

You see, when a new person is on-boarded, the new hire goes through the usual HR process of signing all things that pertain to insurance, payroll, and so on. As well as the expectation that they’ll buy the VP of Sales coffee once a week—you know, the usual.

But where in the on-boarding process is the “talk” and the paperwork that outlines how the company handles IT security? Yes, of course, there can be the educational aspect of “don’t click on links to cat pictures and lottery winnings from your email.” However, that’s not policy, that’s good practice.

The policy is where the rubber meets the legal road to ensure that people understand what they can and cannot use company assets for, how security breaches are to be dealt with, and more—all there to mitigate risk and bad press in the event that something should go sideways.

Now, I’m at no time going to suggest what your IT security policy should entail. I’ll leave that up to the legal minds of the world, working together with HR and IT to devise the best plan of action and policy that works best for your company.

The point of this blog isn’t to pretend to be the Harvard Law Review—it’s meant to be a suggestion, perhaps even a warning, to be diligent in your educational process. The stark reality is that the majority of your new employees at all levels of your organization are probably completely and utterly unaware of your security policies, or even the potential threats that your company may face.

So when welcoming new hires into the fold, make sure they have a clear idea of what the company does, what the potential IT security threats are, and how they will be handled if a threat occurs. After all, you can blame someone for breaking the coffee maker on their first day—you can’t blame them for tanking your company because you forgot to tell them about your security protocols.

FAQs

Why are new employees considered an IT security risk?

New employees represent an IT security risk not because of any wrongdoing on their part, but because they are unfamiliar with a company’s specific systems, policies, and threat landscape when they first join. Without clear onboarding around security expectations, new hires may unknowingly violate acceptable use policies, fall for phishing attempts, or mishandle company assets simply because no one explained the rules to them. The responsibility for closing this gap falls on the employer, since a company cannot reasonably expect an employee to follow protocols they were never taught in the first place.

What is the difference between security best practices and formal security policy?

Security best practices are general educational guidance, like advising employees not to click suspicious email links, while formal security policy is the legally documented framework outlining acceptable use of company assets, breach response procedures, and consequences for violations. Best practices help build good habits, but policy is what actually protects a business legally and operationally when something goes wrong. Without documented policy, a company has little legal standing to hold an employee accountable for a security incident they were never formally informed about.

Who is responsible for developing a company’s IT security policy?

Developing an effective IT security policy requires collaboration between legal, HR, and IT teams, since it needs to address legal risk, employee training and communication, and technical security requirements simultaneously. No single department can build a comprehensive policy alone. Legal ensures the policy protects the company appropriately, HR ensures it is properly communicated and enforced during onboarding, and IT ensures the actual technical safeguards and threat response procedures are sound.

Talk to an expert

Book an appointment with an expert for a complimentary consultation.

Let’s partner. Together, we’ll build solutions so you can Make the Most of IT.

IT Support & Sales
800-961-3094

 I am very pleased with the quality of service Inteleca provides. I sincerely appreciate your responsiveness and the way you conduct business. I look forward to doing business with Inteleca for years to come.

Contact Us