New Hire IT Setup: Why Onboarding Is a Security Risk Most Businesses Ignore
A new hire accepts the offer. HR sorts the paperwork. IT creates their account. On day one, they sit down, log in, and start working.
That is the ideal version. The reality in most organisations looks different. Accounts are created with excessive permissions because it is faster to copy an existing user’s access than to build a role-specific profile. Shared passwords get passed along in plain text. Nobody checks whether the new starter’s personal email address has appeared in a previous data breach, so a password they reuse from that account may already be in an attacker’s hands before they have logged in for the first time.
Onboarding is not just an HR process. It is a security event. Every new account you create is a new potential entry point into your network. Getting it right from day one is significantly easier, and cheaper, than cleaning up a breach caused by getting it wrong.
Concerned about how new starters access your systems? Run a credential exposure check to see if any of your organisation’s credentials are already exposed online, or call us on 0151 452 3060.
The Security Risks Hiding in Your Onboarding Process
Most onboarding processes focus on productivity. Get the new person set up quickly so they can start contributing. That is understandable. But speed without security creates gaps that attackers exploit:
- Excessive permissions. New accounts are often cloned from existing users, inheriting access to systems the new starter does not need. Over time, this creates permission sprawl where people have access to data far beyond their role.
- Shared credentials. Departmental logins, shared inboxes, social media accounts, and software licences often get shared via email or sticky notes. If one person’s credentials are compromised, everything they had access to is exposed.
- No MFA from day one. Only 40% of UK businesses enforce multi-factor authentication on email (DSIT 2025). If a new starter’s account is not protected with MFA from the moment it is created, it is vulnerable from the moment it exists.
- Personal device risks. Staff accessing company systems from personal devices without mobile device management (MDM) in place means company data sits on devices the organisation does not control.
- No security training before system access. Giving someone access to your email, CRM, and client data before they have completed basic security awareness training is like handing over the keys before the driving lesson.
Phishing is the most common attack UK businesses report: 85% of those that identified a breach or attack in the last year experienced it (DSIT 2025). A new employee who has not been trained to recognise phishing is the most vulnerable person in your organisation on their first day.
What Secure Onboarding Actually Looks Like
A proper onboarding process balances speed with security. Here is the framework that covers both:
Before Day One
- Create the account with role-specific permissions only. Do not clone an existing user.
- Enable MFA before the first login, not after.
- Pre-configure the device with endpoint protection, encryption, and MDM enrolled.
- Send security awareness training as part of the preboarding pack, before they touch any systems.
- Run a credential exposure check on the new starter’s email address to see if it appears in any known data breaches. Treat a hit as a reason to enforce a unique password and MFA, not as the only control: a clean result does not prove the password they chose is unique.
Day One
- Verify the new starter has completed security awareness training before granting full system access.
- Walk through the organisation’s acceptable use policy and incident reporting process.
- Confirm MFA is active on all accounts, not just email.
- Ensure no shared passwords have been passed along. If a shared account genuinely has to exist, rotate its credentials, store them in a password manager with per-user access, and rotate them again whenever someone with access leaves.
First 30 Days
- Review access logs to confirm the new account is only reaching the systems its role needs, and remove any granted access it has not used.
- Conduct a simulated phishing test to assess awareness.
- Manager check-in to confirm the right tools and access levels are in place.
- Document the access granted for compliance audit trails.
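The 30-day log review above is the step most organisations skip, so here is an added example of what it looks like in practice. This is illustrative code written for this article, not a tool the article describes. The audit-log format, the user-to-role mapping and the per-role list of expected systems are all constructed assumptions; a real review would read the export from your SIEM or the application’s own audit log and take the role baselines from your access-control documentation.

```python
"""Review a new starter's first-month access against their role.

Added example for this article, not the article's own tooling.
Flags two things a 30-day check should surface:
  1. accesses (successful or denied) to systems outside the role, and
  2. systems the role was granted but the account never touched,
     which are candidates for removal.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed assumption: the systems each role is expected to use.
ROLE_SYSTEMS: dict[str, set[str]] = {
    "recruitment-consultant": {"email", "crm"},
    "junior-accountant": {"email", "ledger", "tax-portal"},
}

# Constructed assumption: which new starter holds which role.
USER_ROLE: dict[str, str] = {
    "a.khan": "recruitment-consultant",
    "b.lee": "junior-accountant",
}

# Constructed sample log lines in a hypothetical key=value audit format.
SAMPLE_LOG = """\
2025-02-03T09:12:44Z user=a.khan system=email action=login result=success
2025-02-03T09:15:02Z user=a.khan system=crm action=search result=success
2025-02-03T11:40:19Z user=a.khan system=finance-reports action=download result=success
2025-02-04T08:55:10Z user=b.lee system=email action=login result=success
2025-02-04T09:02:37Z user=b.lee system=ledger action=view result=success
2025-02-04T17:21:05Z user=b.lee system=payroll action=login result=denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the constructed format; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def review_access(log_text: str) -> tuple[list[dict[str, str]], dict[str, list[str]]]:
    """Return (out-of-role events, per-user list of granted-but-unused systems).

    Denied attempts are reported too: an attempt on a system outside the
    role is a signal even when the control held.
    """
    used: dict[str, set[str]] = defaultdict(set)
    out_of_role: list[dict[str, str]] = []
    for event in parse_log(log_text):
        role = USER_ROLE.get(event["user"])
        if role is None:
            out_of_role.append({**event, "reason": "user not in onboarding list"})
            continue
        used[event["user"]].add(event["system"])
        if event["system"] not in ROLE_SYSTEMS[role]:
            out_of_role.append({**event, "reason": f"not in {role} baseline"})
    unused = {
        user: sorted(ROLE_SYSTEMS[role] - used[user])
        for user, role in USER_ROLE.items()
    }
    return out_of_role, unused


if __name__ == "__main__":
    flagged, never_used = review_access(SAMPLE_LOG)
    for event in flagged:
        print(f"{event['ts']} {event['user']} -> {event['system']} "
              f"({event['result']}): {event['reason']}")
    for user, systems in never_used.items():
        if systems:
            print(f"{user}: granted but unused after 30 days: {', '.join(systems)}")
```

On the constructed data this reports a.khan downloading from finance-reports, which is outside the consultant role, and b.lee’s denied login to payroll, plus the fact that b.lee never used tax-portal, so that grant is the first candidate to revoke at the manager check-in.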
Onboarding and Offboarding Are Two Sides of the Same Risk
If your onboarding process creates security gaps, your offboarding process will inherit them. An account created by cloning another user, or granted access nobody documented, is an account nobody knows the full scope of, which makes it harder to revoke completely when that person leaves.
A Cyber Risk Check examines your network, external exposure, and credential security in one assessment. It reveals active accounts for people who should not have access, shared credentials that were never changed, and permissions that have drifted far beyond their original scope.
We work alongside your existing IT team as a specialist security layer, handling the architecture and compliance requirements that sit outside day-to-day support.
Why This Matters for Professional Services
Recruitment agencies, accountancy practices, and law firms all have specific onboarding security requirements driven by regulation:
- Recruitment agencies with high staff turnover need repeatable, consistent onboarding processes. Every new consultant gets access to candidate personal data under GDPR. Without proper access controls, a departing temp could walk away with your entire candidate database.
- Accountancy practices onboarding junior staff during tax season often rush the process. A new starter with access to client bank details and tax returns needs proper controls from the start, not after the January deadline has passed.
- Law firms granting access to case management systems must consider SRA compliance obligations around client confidentiality. A trainee with excessive access to files beyond their caseload is a compliance risk.
The average time to identify and contain a breach is 241 days (IBM 2025). If a new starter’s compromised credentials give an attacker access on day one, that is roughly eight months of undetected access to your client data.
One Thing You Can Do Today
Even if you never work with us, start here: review the last three accounts you created for new starters. Check what access each one has. Compare it to what they actually need for their role. If there is a gap between the two, you have found your onboarding security problem.
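The check above, and the “do not clone an existing user” rule in the Before Day One list, can be run rather than eyeballed. The following is an added example written for this article, not the article’s or any vendor’s tool. The group names, role baselines and the handful of sample accounts are constructed; in practice the memberships would come from a directory export (for example from Active Directory or Entra ID) and the baselines from your own role definitions.

```python
"""Compare recently created accounts against a role baseline.

Added example for this article, not the article's own tooling.
For each new account it reports:
  - excess:      groups the role does not need (permission sprawl),
  - missing:     baseline groups the account was not given, and
  - cloned_from: existing accounts whose group set is identical, which
                 only counts as a clone when the set also carries excess
                 groups (two correctly provisioned users of one role will
                 legitimately have the same groups).
"""
from __future__ import annotations

# Constructed assumption: the groups each role actually needs.
ROLE_BASELINE: dict[str, frozenset[str]] = {
    "recruitment-consultant": frozenset(
        {"All-Staff", "Email-Users", "CRM-Candidates-RW"}),
    "junior-accountant": frozenset(
        {"All-Staff", "Email-Users", "Tax-Returns-RO", "Practice-Ledger-RW"}),
}

# Constructed directory export: account -> (role, groups currently held).
_SMITH_GROUPS = frozenset({
    "All-Staff", "Email-Users", "CRM-Candidates-RW",
    "Finance-Reports-RO", "Admin-Payroll",   # accumulated over years
})
EXISTING_ACCOUNTS: dict[str, tuple[str, frozenset[str]]] = {
    "j.smith": ("recruitment-consultant", _SMITH_GROUPS),
}
NEW_ACCOUNTS: dict[str, tuple[str, frozenset[str]]] = {
    # Copied from j.smith on day one, sprawl included.
    "a.khan": ("recruitment-consultant", _SMITH_GROUPS),
    # Provisioned from the role baseline.
    "b.lee": ("junior-accountant", ROLE_BASELINE["junior-accountant"]),
    # Provisioned by hand and left short of one group.
    "c.ortiz": ("junior-accountant", frozenset(
        {"All-Staff", "Email-Users", "Tax-Returns-RO"})),
}


def review_account(role: str, groups: frozenset[str]) -> dict[str, list[str]]:
    """Diff one account's groups against its role baseline."""
    if role not in ROLE_BASELINE:
        raise ValueError(f"no baseline defined for role {role!r}")
    baseline = ROLE_BASELINE[role]
    return {
        "excess": sorted(groups - baseline),
        "missing": sorted(baseline - groups),
    }


def find_clone_sources(groups: frozenset[str],
                       existing: dict[str, tuple[str, frozenset[str]]]) -> list[str]:
    """Existing accounts whose group set matches exactly."""
    return sorted(name for name, (_, held) in existing.items() if held == groups)


def review_new_starters(new_accounts: dict[str, tuple[str, frozenset[str]]],
                        existing: dict[str, tuple[str, frozenset[str]]]
                        ) -> dict[str, dict[str, list[str]]]:
    """Build the report for every new account."""
    report: dict[str, dict[str, list[str]]] = {}
    for name, (role, groups) in new_accounts.items():
        result = review_account(role, groups)
        # An exact match with an older account is only suspicious when the
        # shared set carries groups the role does not need.
        result["cloned_from"] = (
            find_clone_sources(groups, existing) if result["excess"] else [])
        report[name] = result
    return report


if __name__ == "__main__":
    for account, findings in review_new_starters(NEW_ACCOUNTS, EXISTING_ACCOUNTS).items():
        print(account)
        for key, value in findings.items():
            if value:
                print(f"  {key}: {', '.join(value)}")
```

On the constructed data, a.khan shows two excess groups and an exact match with j.smith, which is the signature of a cloned account; b.lee is clean; c.ortiz is missing a baseline group, which is the other side of the same problem, because a starter who cannot do their job will usually be handed someone else’s credentials to get by.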
What To Do Next
Secure onboarding is not about slowing people down. It is about making sure every new account is a controlled entry point, not an open door. Combined with a proper offboarding process, it creates a complete access lifecycle that protects your organisation from day one to last day.
Here is how to start:
- Credential exposure check – Check whether any of your organisation’s credentials are already exposed online. This includes credentials that may have been compromised through a new starter’s personal email reuse.
- Vulnerability assessment – A CREST-accredited assessment that identifies exploitable weaknesses in your network, including those created by excessive permissions and ungoverned access.
- Cyber Risk Check – A full assessment covering network security, external exposure, and credential hygiene in one report.
Book your assessment or call 0151 452 3060. We are based in Liverpool and cover the entire North West.