Cyber Rebels

The Hidden Gaps in Onboarding (and How Cyber Awareness Fills Them)



The Overlooked Weak Point in Business Security

Onboarding is often treated as a box-ticking exercise. A new starter arrives, HR handles the paperwork, IT issues the laptop, and managers run through the basics of the role. It’s a process designed to be efficient, compliant, and welcoming. But in many organisations, there’s a blind spot.

While contracts are signed and systems are set up, little thought is given to how vulnerable that new hire is in their first days. They don’t yet know what “normal” looks like in the organisation. They don’t know the patterns of communication, the processes behind approvals, or the subtle red flags that long-term staff would recognise instantly. And it’s exactly this gap that criminals exploit.

It’s easy to assume that cyber threats only come through technical breaches or sophisticated attacks. In reality, many of the most effective scams are simple, cheap, and ruthlessly targeted at people. All it takes is a well-timed message to someone eager to prove themselves, and the results can be costly.

I saw this play out first-hand early in my career, when a LinkedIn update announcing my new role was enough to make me a target. Within days, I received an email that looked like it came from the Managing Director, urging me to handle an urgent request. It was a scam — one that I spotted before it succeeded — but it left me with a lasting reminder of just how exposed new hires really are.

A Lesson From Early in My Career

Not long after I began working with a training provider, I updated my LinkedIn profile to reflect the new role. It was a simple update, something most of us do without thinking. Within a couple of days, I received an email that looked like it came from the organisation’s Managing Director.

The message was short, polite, and carried authority: “I’m tied up in meetings today, can you drop me a quick WhatsApp message when you have a chance?”

At that point, I was new. I didn’t yet know what “normal” communication looked like in that company. Was WhatsApp something senior staff used to get things done quickly? Did the MD typically bypass email for urgent requests? I had no frame of reference, so I followed the instruction.

On WhatsApp, the “MD” explained that the company wanted to recognise an employee of the month but that they were too busy in back-to-back board meetings to organise it. Could I quietly purchase several hundred pounds’ worth of Amazon vouchers and send them across?

The request was carefully designed. It used urgency: “This needs to happen now, I can’t step away.” It used flattery: “I knew I could rely on you.” And it used authority: this was supposedly coming directly from the Managing Director, someone I barely knew but felt I couldn’t refuse.

Fortunately, I noticed the red flags. The original email had come from a free account, not the company’s domain. The switch to WhatsApp felt odd. And while I was keen to prove myself, the whole situation didn’t quite add up. I didn’t fall for it.

But that experience stuck with me. It was a perfect example of how criminals exploit the hidden gaps in onboarding — targeting people who are new, eager to please, and not yet confident in the organisation’s processes.

Why New Starters Are Prime Targets

Scams like the Amazon voucher request work because they arrive at exactly the right moment. A new employee hasn’t yet learned what “normal” communication looks like inside the organisation. They don’t know whether a rushed WhatsApp from a senior manager is out of character, or just part of the culture.

At the same time, most new hires are eager to prove themselves. They want to show they’re reliable, trusted, and quick to respond. That enthusiasm is positive — it’s part of why onboarding is designed to build confidence and inclusion. But it’s also why attackers move fast when they see someone has just joined a business.

Criminals exploit human instincts: the pull of authority, the pressure of urgency, the desire to fit in. When layered onto the stress of the first week, those instincts can override common sense. A message that might look suspicious to someone settled in can feel entirely believable to someone still finding their feet.

That combination — eagerness, pressure, and uncertainty — is why the onboarding stage is such a prime target. Without the right awareness in place, it’s not technology that gets bypassed, but people.

The Gaps in Traditional Onboarding

Most onboarding processes are designed with the best of intentions. They aim to welcome new staff, cover compliance, and provide the information people need to settle in quickly. But when it comes to cybersecurity, there are blind spots that attackers are quick to exploit.

One of the biggest is the way policies are handled. New hires are often given a pack of documents to read and sign on their first day — acceptable use policies, GDPR statements, data handling guidance. On paper, it looks thorough. In practice, people skim, sign, and forget. Without context or explanation, policies remain abstract rules rather than habits that shape daily behaviour.

Another blind spot comes from the division of responsibility. HR takes care of induction, IT takes care of systems, and somewhere between the two, the human element of cybersecurity gets lost. A new starter might receive a laptop configured securely, but no one has explained what a phishing attempt looks like, or why multi-factor authentication isn’t optional. The technical setup is there, but the behavioural preparation is missing.

Culture also plays a role. In the first weeks of a new job, many people don’t feel comfortable questioning authority or asking what might seem like a “silly” question. If a request looks unusual but comes from someone senior, the safer option often feels like simply doing it. That hesitation to speak up is exactly what scammers count on.

And finally, there’s compliance. Many industries expect organisations to demonstrate that staff are trained and aware of cyber risks. A signed policy document isn’t enough to satisfy regulators or auditors. Without proper awareness training built into onboarding, businesses risk failing those expectations before new staff have even finished their induction.

These gaps don’t exist because onboarding teams are careless. They exist because the focus has always been on policies, procedures, and paperwork. But while the paperwork is filed neatly away, the real-world risks remain.

The Psychology of the New Hire

Starting a new role is rarely a calm experience. Even when the welcome is warm and the induction is well structured, there’s still an inevitable mix of nerves, excitement, and pressure. People want to show they belong. They want to prove that the organisation made the right decision in hiring them. And in those early days, they’re often balancing information overload with the urge to make a good impression.

That combination is powerful — and criminals know it. Messages that might be questioned a few months in are more likely to be acted on in week one. A request that feels unusual can easily be rationalised away when someone is still learning what “normal” looks like in the business.

The psychology at play is simple. Authority has extra weight when you don’t yet know your leaders personally. Urgency feels harder to challenge when you’re keen to be seen as responsive. Flattery carries more influence when you’re still building confidence. And isolation — being asked to take a request to a private channel like WhatsApp or deal with it quietly — makes it even harder to check with a colleague or manager. These are the same instincts that help people integrate quickly into a team, but in the wrong hands, they become vulnerabilities.

It’s not a matter of intelligence or technical skill. It’s human nature. And without the right preparation, it leaves new starters exposed at precisely the moment they most want to succeed.

Closing the Gap With Cyber Awareness

Awareness is often the missing piece in onboarding. Systems get set up, policies are signed, and responsibilities are explained — but what’s rarely addressed is how those responsibilities play out in the real world. That’s where cyber awareness makes the difference.

When awareness training is part of the induction process, it gives new starters something they don’t usually get: context. Instead of a policy that tells them what not to do, they see why it matters. Instead of a checklist, they get practical examples of the very scams that criminals are likely to throw their way. A simple exercise — like comparing a genuine company email with a spoofed one — can make a far stronger impression than a signed policy ever will.
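The exercise above can be made concrete by encoding the red flags the article lists (an executive's name on a free webmail or lookalike address, a push to move the conversation to WhatsApp, urgency cues, a voucher or gift-card ask) as checks over a raw email. The following is an added example for this article, not Cyber Rebels' own code or tooling; the company domain `example.com`, the executive name "Jane Smith", the sender addresses, the keyword lists and the three sample messages are all constructed for the demonstration and should be tuned for a real environment. It uses only the Python standard library.

```python
"""Score an inbound email for the BEC red flags described in the article.

Added illustration, not Cyber Rebels' code.  Domain, names, addresses,
keyword lists and message bodies are constructed for the demonstration.
"""

import difflib
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers an impersonator can register in minutes (assumption).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                     "icloud.com", "protonmail.com", "proton.me"}
# Phrases that signal the lures the article describes (assumption: tune locally).
CHANNEL_SWITCH = ("whatsapp", "text me", "personal number", "mobile number")
URGENCY = ("urgent", "right now", "asap", "tied up in meetings",
           "can't step away", "back-to-back")
GIFT_CARDS = ("gift card", "voucher", "itunes", "google play", "steam card")
LOOKALIKE_RATIO = 0.8  # difflib similarity above which a domain is a lookalike


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts (single-part and multipart messages)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_indicators(raw_email: str, company_domain: str, executives) -> list:
    """Return the red flags found in one raw email, in a fixed check order."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    company_domain = company_domain.lower()
    flags = []

    # 1. An executive's name in the display name, but not the company's domain.
    if (any(e.lower() in display_name.lower() for e in executives)
            and sender_domain != company_domain):
        flags.append("executive display name on non-company address")
    # 2. Free webmail sender: the article's email "had come from a free account".
    if sender_domain in FREE_MAIL_DOMAINS:
        flags.append("free webmail sender")
    # 3. Lookalike of the company domain (e.g. a digit swapped for a letter).
    if (sender_domain and sender_domain != company_domain and
            difflib.SequenceMatcher(None, sender_domain, company_domain).ratio()
            >= LOOKALIKE_RATIO):
        flags.append("lookalike domain")
    # 4. Reply-To steering replies somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to domain differs from sender")

    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    # 5-7. The levers the article names: isolate, pressure, ask for untraceable value.
    if any(p in text for p in CHANNEL_SWITCH):
        flags.append("request to move to a private channel")
    if any(p in text for p in URGENCY):
        flags.append("urgency cue")
    if any(p in text for p in GIFT_CARDS):
        flags.append("gift card / voucher request")
    return flags


def verdict(flags) -> str:
    """Two independent indicators is the point at which to verify out of band."""
    if not flags:
        return "clean"
    return "verify out of band" if len(flags) >= 2 else "low: one indicator"


# Constructed sample messages (ASCII bodies so the stdlib decoder round-trips).
GENUINE = """From: Jane Smith <jane.smith@example.com>
To: New Starter <new.starter@example.com>
Subject: Welcome aboard

Welcome to the team. HR will send your induction schedule this week.
"""

SPOOFED_EMAIL = """From: Jane Smith <jane.smith.md@gmail.com>
To: new.starter@example.com
Subject: Quick favour

I'm tied up in meetings today, can you drop me a quick WhatsApp message when you have a chance?
"""

LOOKALIKE_FOLLOWUP = """From: Jane Smith <jane.smith@examp1e.com>
To: new.starter@example.com
Subject: Employee of the month

Can you quietly purchase several hundred pounds worth of Amazon vouchers and send the codes across? I can't step away from the board meeting.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED_EMAIL),
                       ("lookalike", LOOKALIKE_FOLLOWUP)):
        found = bec_indicators(raw, "example.com", ["Jane Smith"])
        print(f"{label:10s} {verdict(found):20s} {found}")
```

Run stand-alone it prints a verdict and the indicator list for each sample: the genuine welcome mail triggers nothing, the spoofed MD email trips four checks (executive name on a free webmail address, the WhatsApp switch and the "tied up in meetings" urgency), and the lookalike follow-up trips the voucher request instead. The value of the exercise for a new starter is the list itself, which turns a vague "this feels off" into named indicators they can point to when they check with a colleague.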

It also helps to establish culture from day one. If new hires are told, “If something feels off, it’s always okay to check,” that message becomes part of how they see the organisation. The check itself should go through a channel the new starter already trusts, such as the manager’s number from the internal directory or a quick word in person, never the number or address supplied in the suspicious message. They’re less likely to worry about bothering a manager or asking a “silly” question, because they’ve been shown that questioning unusual behaviour is a strength, not a weakness. That small shift gives people the confidence to pause before acting, and that pause is often what stops a scam from succeeding.

For organisations working to meet GDPR or ISO 27001, building cyber awareness into onboarding also shows regulators and auditors that training isn’t just an afterthought: both explicitly expect staff to be made aware of their security responsibilities. Cyber Essentials, by contrast, assesses technical controls and does not test training on its own, so awareness at induction complements rather than satisfies that certification. Either way, it’s evidence that staff are prepared from the moment they join, not months down the line after mistakes have already been made.

At its core, awareness is about people. Technology may catch some threats, but it can’t override human instincts like authority, urgency, or isolation. Training can. It gives new hires the space to recognise those triggers, understand why they’re being used, and respond with confidence. And when that happens in week one, the weakest point in onboarding becomes one of the strongest.

From Weakness to Strength

The Amazon voucher scam that landed in my inbox was designed to take advantage of one thing: the uncertainty that comes with being new. For many organisations, it works — not because people aren’t capable, but because they haven’t yet been given the tools or the confidence to handle situations like it.

That’s why onboarding is such a pivotal moment. It’s the point where habits are formed, where culture is experienced for the first time, and where expectations are set. If cybersecurity isn’t part of that moment, it remains an afterthought. And in the meantime, attackers exploit the very qualities that make onboarding successful — trust, enthusiasm, and willingness to deliver.

But it doesn’t have to stay that way. When awareness is built into induction, those qualities stop being vulnerabilities and start becoming strengths. New staff still want to prove themselves, but now they know how to recognise a suspicious request. They still want to be responsive, but now they understand that taking a moment to double-check is part of the culture. They still want to feel included, but now inclusion comes with the confidence that they’re protecting themselves and the organisation.

At Cyber Rebels, that’s why we developed Cyber Ready Onboarding. It’s not about overwhelming people with technical jargon. It’s about giving them practical awareness, the confidence to question, and the reassurance that they’re supported from day one. It closes the hidden gaps that attackers rely on and turns the induction process into the first step of building a security-first culture.

Because criminals don’t wait for probation periods to end. They strike the moment someone updates their LinkedIn profile. The question is whether your onboarding process leaves people exposed — or makes them ready.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
