Onboarding new employees is an important time for any organization — after all, it’s your opportunity to integrate new team members into your company and its culture. But the onboarding time frame also creates a unique set of security risks as you share sensitive information with people who are new to the organization. 

This article explores why the onboarding process (and new employees) are attractive targets for cybercriminals. Identify the riskiest areas during onboarding and learn the best practices for mitigating these risks.

Why are new employees good targets for hackers?

When new employees join your organization, they’re in completely unfamiliar territory, with little (or no) knowledge and understanding of your company’s processes, communication styles, or security protocols. And this lack of knowledge makes them prime targets for social engineering attacks.

Hackers — impersonating colleagues or authority figures within the company — focus their efforts on tricking new joiners into divulging sensitive information or granting access to secure systems.

Additionally, new employees are often quite eager to make a favorable, positive impression on their colleagues and their managers. They want to seem engaged, responsive, and cooperative, and this enthusiasm may lead them to quickly click on links or attachments without thoroughly verifying their legitimacy. Hackers exploit this eagerness by crafting targeted phishing campaigns that are more likely to succeed with new joiners.

How do hackers identify their new joiner victims? The same way we learn if a colleague or old boss has a new job — via LinkedIn or other professional networking platforms.

Hackers peruse LinkedIn to identify new employees and their new position within the organization, then use that information to create highly personalized phishing emails or social engineering attempts that have the greatest likelihood of deceiving a new employee.

Where is risk created in onboarding?

Numerous areas of risk exist during the onboarding process. One of the biggest is sharing sensitive information, particularly passwords. Many organizations still rely on insecure methods for sharing passwords with new employees, including sending them via plain text SMS or email.

These methods are vulnerable to man-in-the-middle attacks, where hackers intercept the communication and gain access to the password.

Some companies try to mitigate this risk by having managers verbally communicate passwords to new employees. But while this approach may seem more secure, the reality is that it introduces another potential compromise point in the chain of custody. In essence, it turns the manager into an additional hacking target, increasing the chances that the password may be compromised. 

Specops research found another alarming trend when it comes to breached passwords: employees often fail to change the “temporary” login passwords that the IT team provides for their initial logins. When new employees are given temporary passwords during onboarding, they may not prioritize changing them to strong, unique passwords. This oversight leaves the organization vulnerable to attacks, as these temporary passwords are more likely to be weak or easily guessable.

Best practices to reduce onboarding risk

To minimize the risk associated with onboarding new employees, your organization should adhere to several best practices:

• Follow the principle of least privilege: When setting up new user accounts, grant employees only the permissions they need to perform their job functions. Limiting access to sensitive information and systems can reduce the potential damage if an account is compromised.
• Establish clear cybersecurity policies: Your organization’s cybersecurity is only as robust as its weakest area. With this in mind, ensure you develop comprehensive security policies that cover all aspects of your organization’s digital environment. These policies should be clearly communicated to new hires during onboarding, ensuring they understand their roles and responsibilities in maintaining a secure work environment.
• Conduct regular security awareness training: Providing ongoing training to all employees, including new hires, is important for keeping them informed about the latest security threats and best practices. This training should cover topics like identifying phishing attempts, creating strong passwords, and handling sensitive information securely.
• Implement secure password distribution: Instead of sharing an employee’s first password in plaintext or verbally, consider using a secure solution like Specops’ First Day Password functionality in Specops uReset. This tool allows new employees to set their own passwords through a secure, self-service portal, eliminating the need for plain text transmission or verbal communication. And by integrating with other Specops products, such as Specops Password Policy with Breached Password Protection, your organization can ensure that new employees create strong, unique passwords that comply with your organization’s security policies.

Protecting digital assets

The onboarding process presents organizations with unique security challenges. To protect your digital assets, you must understand why new joiners are such attractive hacking targets and identify areas during your onboarding process that introduce risk.

Implementing best practices — including following the principle of least privilege and conducting ongoing security awareness training — will allow you to reduce your likelihood of a data breach. And for even greater protection, consider adopting a secure password distribution solution like Specops’ First Day Password tool. 

By taking proactive measures to secure your onboarding process and equipping new employees with the knowledge and tools they need to protect your organization’s digital assets from day one, you can significantly reduce the risk of costly data breaches and ensure your company’s sensitive information stays safe. Interested in learning how First Day Password can boost your organization’s security?

Speak to an expert today.

Sponsored and written by Specops Software.