by Joe Hedegaard Ganly

Saepio Solutions Architect


Saepio Insights – Protecting new employees from cyber threats

Joseph Hedegaard-Ganly, Saepio Solutions Architect, passes on the latest insights from our customers.

We’ve collated a few insights from some executive conversations we’ve been having this quarter around the risk that new employee onboarding introduces into an organisation:

  • There is generally a lag between an employee starting and completing cyber security awareness training, with policies ranging from 30 days to 3 months before the training becomes mandatory.
  • It can be tricky to apply the training to C-level executives and/or board members if there is no buy-in at the C-level.
  • Cyber criminals are increasingly monitoring LinkedIn new joiner announcements at the firms they target to identify phishing victims.
  • New joiners are being hit with phishing emails as early as on their first day of employment.
  • New employees in some regions (MENA and APAC especially) are very prone to attacks from cloned executive email addresses (a spoofed or look-alike sender posing as a senior leader) asking the new employee to carry out a financial action. Culturally, it is very hard for them to question instructions, and this is exacerbated when they are a new employee.

We’ve heard a mixture of the above from clients across all sectors and sizes, and below we’ve outlined some best practices we’ve seen that have helped to combat these risks:

  • A CEO we were speaking to recently updated their company policy because of this growing threat. All new joiners must complete their security awareness training prior to any PR or LinkedIn profile updates.
  • The best practice we have seen is for employees to complete their cyber security awareness training as part of the onboarding process, ideally within their first 2 weeks of employment.
  • We are also seeing some organisations not allow employees to update their LinkedIn until they have passed probation.
  • It’s also wise to augment education with technology to minimise risk. The built-in controls of most email gateways, including Microsoft 365, will often miss advanced social engineering attacks that carry no malicious link or attachment, whereas a dedicated detection layer (for example an AI-powered solution that analyses sender behaviour and message content) can block many of these attacks. Any such layer should still be tuned and monitored, as no detection product is free of false positives.
  • A CTO we spoke to mentioned that they hired two new board members over the last 6 months, and both had been hit very quickly with targeted, sophisticated email attacks aiming to get their credentials. As such, they had to get CEO buy-in to ensure cyber security policies (including training) are applied to all employees, even part-time board members.
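The cloned-executive lure described above is the kind of message that a gateway looking only for bad links or attachments will pass. As an added example of the "augment education with technology" point, and not code from Saepio or any product mentioned on this page, the script below checks a message's From, Reply-To and Authentication-Results headers for the four indicators that distinguish an impersonation from genuine executive mail: a display name that matches an executive but a sending address that does not, a look-alike domain (digit or homoglyph substitution, or a near miss in spelling), an internal From address that did not pass DMARC, and a Reply-To that diverts replies elsewhere. The corporate domain, the executive roster, the confusables table and the sample headers are all assumptions constructed for illustration.

```python
"""Flag inbound mail that impersonates a known executive.

Added example; not Saepio's or any vendor's code. Assumes the corporate
domain is example.com and that EXECUTIVES is maintained from the HR roster.
"""
import difflib
import unicodedata
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain

# Assumed executive roster: display name -> the only legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Partial confusables table (a few Cyrillic look-alikes and digit swaps);
# a production check would use the full Unicode confusables list.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "0": "o", "1": "l"})


def normalise(text: str) -> str:
    """Case-fold, strip accents and map common look-alike characters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.casefold().translate(CONFUSABLES).strip()


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True if domain resembles CORP_DOMAIN but is not it or a subdomain of it."""
    if domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN):
        return False
    if normalise(domain) == CORP_DOMAIN:
        return True  # homoglyph or digit substitution, e.g. examp1e.com
    # Near-miss spellings such as exarnple.com (rn for m).
    return difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.8


def analyse(headers: dict) -> list[str]:
    """Return the impersonation indicators found in one message's headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    dom = domain_of(addr)

    # 1. Display name clones an executive but the address is not theirs.
    exec_addr = EXECUTIVES.get(normalise(name))
    if exec_addr and addr.lower() != exec_addr:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sending domain is a look-alike of the corporate domain.
    if is_lookalike(dom):
        findings.append(f"sender domain {dom} is a look-alike of {CORP_DOMAIN}")

    # 3. Claims to be internal but the gateway did not record a DMARC pass.
    auth = headers.get("Authentication-Results", "").lower()
    if dom == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal From address without a DMARC pass")

    # 4. Reply-To diverts the conversation to a different domain.
    reply = parseaddr(headers.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {dom}")
    return findings


# Constructed sample headers, not real captured mail.
SAMPLE_MESSAGES = [
    {   # genuine internal mail from the executive
        "From": "Jane Doe <jane.doe@example.com>",
        "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com",
    },
    {   # display-name clone sent from a free-mail account
        "From": "Jane Doe <jane.doe.ceo@gmail.example>",
        "Reply-To": "jane.doe.ceo@gmail.example",
    },
    {   # look-alike domain with a digit substituted for a letter
        "From": "John Smith <john.smith@examp1e.com>",
    },
    {   # spoofed internal address that failed authentication, replies diverted
        "From": "Jane Doe <jane.doe@example.com>",
        "Authentication-Results": "mx.example.com; spf=fail; dmarc=fail header.from=example.com",
        "Reply-To": "accounts@exarnple.com",
    },
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", analyse(msg) or "clean")
```

Only the first sample comes back clean; the other three are flagged for different reasons, which is the point: a convincing cloned-executive email can be identical in wording to a genuine one, so the decision has to rest on the sender identity and authentication results rather than on the content.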

The solutions architecture team is here to discuss any of these findings or recommendations, and as a reminder, Saepio continues to offer its industry-leading Managed Cyber Security Awareness Training (M-SAT) service, which has over 150 clients and 150,000 users. If you would like to learn more, visit our Managed Security Awareness Training Page