New Employee Cyber Security Onboarding Checklist
Every new employee is a potential entry point until they are properly briefed and set up correctly. This checklist is for IT providers, practice managers, and the employee themselves.

How to Use This Checklist
Complete Section A (IT Setup) before the employee's first day where possible. Complete Section B (Day One Access Verification) on day one. Complete Section C (Security Briefing) within the first week. Have the employee sign off Section D once the briefing is done.
A. IT Setup (Complete Before Day One)
Account Provisioning
Microsoft 365 account created with a role-appropriate licence
Account added only to the Microsoft 365 groups and distribution lists the role requires
Access granted to SharePoint sites and Teams channels appropriate to the role only. Default is no access unless the role requires it.
Email signature configured
Shared mailboxes added only where the role requires them
No admin rights assigned unless the role specifically requires them and this has been approved
Authentication
MFA is enforced on the account before first login
MFA method configured: Microsoft Authenticator app at minimum, phishing-resistant hardware key (FIDO2) for privileged roles
A temporary password has been set, delivered to the employee out of band (not in the welcome email), and must be changed on first login
The account is in the correct Conditional Access policy scope
Device Setup
Corporate device is enrolled in Intune before being handed to the employee
Endpoint protection (Defender for Endpoint or equivalent) is deployed and active
BitLocker or FileVault encryption is enabled and verified
Device compliance policy is met before the device can access corporate resources
Standard software load is applied. No admin rights on the device by default.
Screen lock configured to activate after 5 minutes of inactivity
A password manager account is provisioned for the employee
Access to Business Systems
Accounting software access provisioned at the appropriate permission level
Practice management software access provisioned
Any additional line-of-business applications provisioned with least-privilege access
Access to financial data restricted to what the role requires
B. Day One Access Verification
Employee has logged in successfully and changed their temporary password
MFA is working correctly on the device and on the employee's personal phone
Employee can access all systems required for their role
Employee cannot access systems or data outside their role scope (spot check this)
Password manager is set up and the employee has completed onboarding to it
Corporate email is confirmed working on corporate device only, or on personal device enrolled in Intune if BYOD is permitted
Employee has confirmed they understand that personal devices need to be enrolled before accessing corporate email or data
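The Section A provisioning items and the Section B spot checks can be verified from one script rather than by clicking through the admin portals. The following is an added example written for this checklist, not Stealth Cyber's own tooling; it uses the Microsoft Graph PowerShell SDK and assumes a cloud-only Microsoft 365 tenant with Intune-managed devices. The group names in -ExpectedGroups and the five-minute password-change tolerance are placeholders to adapt to the firm.

```powershell
<#
  Added example, not part of the original checklist: audits a new account
  against the Section A/B baseline using the Microsoft Graph PowerShell SDK.
  Assumptions: cloud-only Microsoft 365 account, Intune-managed devices,
  and placeholder group names in -ExpectedGroups.
#>
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Groups the role is expected to hold (placeholder names); anything else is flagged.
    [string[]] $ExpectedGroups = @('All Staff'),
    # Set for privileged roles, where the checklist requires a hardware key.
    [switch] $PrivilegedRole
)

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All',
    'Directory.Read.All', 'DeviceManagementManagedDevices.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled, CreatedDateTime, LastPasswordChangeDateTime
$findings = [System.Collections.Generic.List[string]]::new()

# B: the temporary password must have been changed after provisioning.
# Assumption: a change within five minutes of creation is the provisioning password, not the user's.
if (-not $user.AccountEnabled) { $findings.Add('Account is disabled') }
if (-not $user.LastPasswordChangeDateTime -or
    $user.LastPasswordChangeDateTime -lt $user.CreatedDateTime.AddMinutes(5)) {
    $findings.Add('Password: temporary password has not been changed')
}

# A/B: Authenticator app at minimum; FIDO2 hardware key for privileged roles.
$methodTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }
if ($methodTypes -notcontains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod') {
    $findings.Add('MFA: Microsoft Authenticator is not registered')
}
if ($PrivilegedRole -and $methodTypes -notcontains '#microsoft.graph.fido2AuthenticationMethod') {
    $findings.Add('MFA: privileged role without a FIDO2 hardware key')
}

# A: no admin rights unless approved; B: no group membership outside the role scope.
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All
foreach ($obj in $memberOf) {
    $name = $obj.AdditionalProperties['displayName']
    switch ($obj.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.directoryRole' { $findings.Add("Admin role assigned: $name") }
        '#microsoft.graph.group' {
            if ($ExpectedGroups -notcontains $name) { $findings.Add("Unexpected group membership: $name") }
        }
    }
}
$groupNames = $memberOf |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
foreach ($g in $ExpectedGroups) {
    if ($groupNames -notcontains $g) { $findings.Add("Missing expected group: $g") }
}

# A: device enrolled in Intune, compliant, and encrypted before the employee gets it.
# Double any apostrophe in the UPN (e.g. o'brien@...) so the OData filter stays valid.
$upnFilter = $user.UserPrincipalName -replace "'", "''"
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "userPrincipalName eq '$upnFilter'"
if (-not $devices) { $findings.Add('Intune: no managed device registered to this user') }
foreach ($d in $devices) {
    if ($d.ComplianceState -ne 'compliant') {
        $findings.Add("Intune: $($d.DeviceName) compliance state is $($d.ComplianceState)")
    }
    if (-not $d.IsEncrypted) { $findings.Add("Intune: $($d.DeviceName) reports disk encryption off") }
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $($user.DisplayName) matches the onboarding baseline"
} else {
    Write-Output "REVIEW: $($user.DisplayName)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it as the IT provider with an account that can consent to the listed read scopes, for example `.\Test-NewStarter.ps1 -UserPrincipalName jane.doe@firm.example -ExpectedGroups 'All Staff','Accounts Team'`. Two things the script does not cover: role assignments that are only eligible through Privileged Identity Management do not appear in memberOf and need a separate PIM check, and whether the account actually falls inside the intended Conditional Access policy scope is best confirmed with the policy "What If" tool in the Entra admin centre rather than inferred from group membership.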
C. Security Briefing (Complete Within First Week)
Cover each topic verbally and confirm the employee understands it. This is a conversation, not a form.
Phishing and Social Engineering
Employee understands what a phishing email looks like and the specific variants relevant to your industry
Employee knows to report suspicious emails to IT or the security provider rather than just deleting them
Employee understands that urgency in an email is a manipulation tactic, not a reason to skip verification
Employee knows never to enter credentials on a page they reached by clicking a link in an email
Employee understands what MFA fatigue is and knows to deny unexpected MFA prompts and report them
Password and Account Security
Employee understands the requirement for unique passwords for every account
Employee understands that credentials must not be shared, written down, or stored in unencrypted documents
Employee knows how to use the password manager and has created their master password securely
Employee understands that their business credentials must not be used for personal accounts
Data Handling
Employee understands the firm's data classification scheme and which categories apply to client data
Employee knows which data cannot be shared externally without authorisation
Employee understands the firm's policy on AI tools: which are approved, which are not, and what data cannot be processed through public AI platforms
Employee understands their obligations under the Privacy Act in the context of their role
Employee knows not to store client data on personal devices or personal cloud accounts
Payment and Financial Processes
Employee understands the firm's payment verification process
Employee knows that bank account details are never changed based solely on an email instruction
Employee knows the escalation process for any unusual financial request
Device and Physical Security
Employee knows not to leave devices unattended and unlocked
Employee knows not to connect corporate devices to public Wi-Fi without using a VPN
Employee knows not to use personal USB drives or external storage on corporate devices
Employee knows the procedure for reporting a lost or stolen device immediately
Incident Reporting
Employee knows what to report: suspicious emails, unexpected MFA prompts, unusual system behaviour, accidental data exposure, lost or stolen devices
Employee knows who to report to and how: IT provider contact details, security provider contact details, and the internal escalation path
Employee understands that reporting quickly is always the right call, even if uncertain
D. Employee Acknowledgement
To be signed by the employee after completing Sections A, B, and C.
I confirm that I have:
Received and reviewed the firm's cybersecurity policies
Had the security briefing in Section C explained to me
Set up my accounts, devices, and password manager as required
Asked questions about anything I did not understand
I understand that I am responsible for following the firm's security policies and that I should report anything suspicious to IT or the security provider without delay.
Employee name:
Role:
Date:
Signature:
Onboarding completed by:
Ongoing Requirements After Onboarding
Security awareness training is required annually at minimum and will be assigned through the firm's training platform
Phishing simulations are run periodically. Clicking on a simulation is a training moment, not a disciplinary one, but results are monitored.
Security policies are reviewed and updated and employees are expected to stay current with them
Any change in role that involves increased access to financial data or privileged systems requires a review by IT

Need help with your onboarding process?
Stealth Cyber provides managed cybersecurity for Australian professional services firms, including security awareness training through Huntress SAT and managed endpoint protection.
Email
contact@stealthcyber.io
Phone
AU: +61 7 5230 8381
US: +1 (855) 774-2595
Offices
Gold Coast, Australia
São Paulo, Brazil
Texas, United States
© 2026 Stealth Cyber Pty Ltd. ABN 72 675 840 632. All rights reserved.