10 Security Awareness Lessons New Starters Need in Their First Week
The first week is the best time to set security expectations. New starters are learning how the business works, which tools to use and what good behaviour looks like.
These lessons help security feel like part of normal work, not a separate annual task.
New starters should learn how to use MFA, report suspicious messages, handle customer data, use approved tools, protect devices, request access, escalate incidents and avoid risky shortcuts from their first week.
First-week lessons
- How to use MFA: Require MFA setup during onboarding for email, cloud apps and critical tools.
- How to report suspicious messages: Show the reporting route before they receive customer or finance messages.
- Where customer data should live: Explain approved storage, sharing and export rules.
- How to use a password manager: Set up password manager access before tool onboarding gets messy.
- What tools are approved: Give a list of approved tools and a route to request new ones.
In this list
- 1. How to use MFA
- 2. How to report suspicious messages
- 3. Where customer data should live
- 4. How to use a password manager
- 5. What tools are approved
- 6. How to request access
- 7. What to do if they make a mistake
- 8. How to protect devices
- 9. How to recognise social engineering
- 10. Why security matters commercially
10 Security Awareness Lessons New Starters Need in Their First Week
Use this list as a practical review prompt. Each item is either a visible issue, a behaviour to reinforce, a responsibility to assign or an action to take before customer, audit or growth pressure makes the gap harder to fix.
1. How to use MFA
MFA should be presented as a normal part of work, not an optional extra or technical inconvenience.
What to do: Require MFA setup during onboarding for email, cloud apps and critical tools.
2. How to report suspicious messages
New starters should know where to send phishing emails, suspicious links or unusual requests.
What to do: Show the reporting route before they receive customer or finance messages.
3. Where customer data should live
People need to know which systems are approved for customer data and which shortcuts are not acceptable.
What to do: Explain approved storage, sharing and export rules.
4. How to use a password manager
Password reuse often begins when people are setting up many accounts at once.
What to do: Set up password manager access before tool onboarding gets messy.
5. What tools are approved
New starters may bring tools from previous jobs. That can create shadow IT and data sprawl.
What to do: Give a list of approved tools and a route to request new ones.
6. How to request access
Access should not depend on copying someone else’s account or asking in informal channels.
What to do: Explain access request, approval and removal routes.
7. What to do if they make a mistake
People need permission to report mis-sends, clicks, lost devices or accidental sharing quickly.
What to do: Use no-blame examples during onboarding.
8. How to protect devices
Device security habits should start before remote work, travel or customer data handling.
What to do: Cover locking screens, updates, encryption and secure working spaces.
10. Why security matters commercially
Security is easier to follow when new starters understand its link to customer trust, deals and reputation.
What to do: Explain how security supports growth, not just compliance.
How to Turn These Issues Into Action
The fastest way to make this useful is to turn each issue into an owner, an action, a review date and a simple piece of evidence.
| Issue / Area | Action to Take | Evidence to Keep |
|---|---|---|
| How to use MFA | Require MFA setup during onboarding for email, cloud apps and critical tools. | Owner, review date and supporting evidence |
| How to report suspicious messages | Show the reporting route before they receive customer or finance messages. | Owner, review date and supporting evidence |
| Where customer data should live | Explain approved storage, sharing and export rules. | Owner, review date and supporting evidence |
| How to use a password manager | Set up password manager access before tool onboarding gets messy. | Owner, review date and supporting evidence |
| What tools are approved | Give a list of approved tools and a route to request new ones. | Owner, review date and supporting evidence |
| How to request access | Explain access request, approval and removal routes. | Owner, review date and supporting evidence |
Which Next Step Fits?
If you need clarity
Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence.
Take the quiz →If you need a programme
Use the toolkit to turn awareness into onboarding, reminders, scenarios, evidence and behaviour change.
View the awareness toolkit →If you need judgement
Book a consultation if awareness issues are connected to customer pressure, audit readiness or unclear leadership decisions.
Book a consultation →Security awareness next step
Turn awareness into behaviour your team can repeat.
Use practical prompts, onboarding, scenarios and evidence so security awareness does not stay as a one-off training task.
Get the Security Awareness ToolkitFind the gaps first
Not sure where your awareness gaps are showing?
Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence before customer pressure makes them harder to fix.
Take the security quiz to identify gapsFrequently Asked Questions
When should new starters receive security awareness training?
Start in the first week, then reinforce through reminders, manager prompts and role-specific examples.
What is the minimum to include?
MFA, phishing reporting, customer data handling, approved tools, access requests and incident reporting.
Should contractors receive the same onboarding?
Contractors should receive relevant security awareness based on their access, data exposure and role.