A new employee without proper IT onboarding isn’t just a productivity problem — it’s a security gap that opens the moment they log in for the first time.
Most businesses think of IT onboarding as getting someone a laptop and an email address. That’s about 15% of what needs to happen. The other 85% is the part where security incidents, compliance violations, and access control failures originate. Here’s what a complete IT security onboarding actually looks like — and what the consequences are when pieces get skipped.
Account creation and access scoping. The new employee’s accounts — Microsoft 365, line-of-business applications, cloud platforms, VPN — should be created before they arrive, with access scoped to exactly what they need for their role. Not “give them access to everything and we’ll remove what they don’t need later.” Later never comes. Single sign-on makes this manageable — one identity, one place to manage, one place to remove when they leave.
Device preparation. The device they’re using — company-issued or personal under a BYOD policy — should be enrolled in mobile device management (MDM) before they access company data. This means encryption enabled, screen lock required, remote wipe capability active, and EDR installed and reporting. A device that’s never been enrolled in MDM is an unmanaged device, regardless of whether it’s company-owned.
MFA enrollment. Multi-factor authentication should be configured before the employee’s accounts go live — not as an afterthought. An account that exists without MFA is a vulnerability from the moment it’s created. We enroll the authenticator app, verify it’s working, and disable SMS fallback where possible (SMS-based MFA is significantly weaker than authenticator apps).
Security awareness orientation. Not a 45-minute compliance video they click through while mentally elsewhere. A real conversation about the specific threats they’re likely to encounter in their role — phishing patterns, wire transfer verification procedures, how to report something suspicious, and what to do if they think they clicked something they shouldn’t have. The “if in doubt, call us” habit is the one that matters most, and it has to be established on day one.
Password hygiene and credential policy. What the password requirements are, why they exist, and how to use a password manager properly. The goal isn’t a list of rules — it’s an employee who understands why reusing passwords is a problem and what to do instead.
Clean desk and screen lock habits. For businesses with physical offices and sensitive information on screens — healthcare, financial services, legal — physical security habits matter as much as digital ones. HIPAA and GLBA both have physical safeguard requirements. The habit of locking a workstation before walking away takes about two weeks to become automatic, and it starts on day one.
Acceptable use policy acknowledgment. The written policy covering what company devices and systems can be used for, how data should be handled, and what’s prohibited. This isn’t bureaucracy — it’s a compliance artifact. HIPAA, GLBA, and PCI-DSS all require documented workforce policies, and the acknowledgment record is what demonstrates the policy was communicated.
Skipping MFA enrollment. The most common gap. “We’ll set that up next week” turns into never. The account runs without MFA for months. A credential stuffing attack or a phished password later, and you have an account takeover that MFA would have blocked with near certainty.
Over-provisioning access. Giving a new employee administrator rights, access to every shared drive, and full permissions to every application — because it’s easier than figuring out what they actually need — is one of the most common access control failures we see. When that employee leaves, or their account is compromised, the blast radius is much larger than it needed to be.
No device enrollment. A personal device used to access company email, cloud storage, or VPN that’s never been enrolled in MDM is invisible to the security stack. No encryption verification, no remote wipe capability, no EDR. If the device is lost or the employee leaves under difficult circumstances, there’s no technical control over what happens to company data on it.
No offboarding plan established at onboarding. The best time to document what access someone has and how to remove it is when they start — not when they’re leaving under time pressure. Every account, every application, every shared resource the employee accesses should be logged at onboarding so offboarding can be executed completely. Former employees with active accounts are a significant and entirely preventable security risk.
Every item in the onboarding checklist has an offboarding counterpart. Accounts created must be disabled. Device enrollment means remote wipe capability exists. Access scoped precisely means access removal is precise. The same-day offboarding process that prevents a departed employee from accessing company systems only works if the onboarding created the documentation to make it possible.
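The two ideas above, a go-live gate that checks the onboarding checklist and an offboarding plan derived from the same record, can be expressed as a small script. The following is an added example written for this article, not a tool the author or any vendor ships. It assumes an onboarding record that lists the entitlements granted, the MFA methods enrolled and the device controls in place; the role baselines, entitlement names, device IDs and the sample hire are all constructed for the illustration, and the checks map directly to the checklist items (access scoped to the role, no administrator rights, authenticator-based MFA with SMS fallback disabled, MDM enrollment with encryption, screen lock, remote wipe and EDR).

```python
"""
Onboarding readiness gate and offboarding-plan derivation (added example).

Models a new hire's onboarding record, checks it against the checklist, and
derives the offboarding counterpart of every item that was provisioned, so a
partially executed offboarding can be measured as residual access.
Role baselines, entitlement names and sample records are constructed.
"""
from dataclasses import dataclass, field

# Constructed role baselines: the exact entitlement set each role needs and no more.
ROLE_BASELINES = {
    "accounts_payable": {"m365:user", "erp:ap-clerk", "sharepoint:finance-ro", "vpn:standard"},
    "helpdesk": {"m365:user", "ticketing:agent", "vpn:standard"},
}
# Entitlements that never belong in a new hire's baseline (constructed names).
ADMIN_ENTITLEMENTS = {"m365:global-admin", "erp:admin", "sharepoint:site-owner"}


@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool = False
    disk_encrypted: bool = False
    screen_lock: bool = False
    remote_wipe: bool = False
    edr_reporting: bool = False


@dataclass
class OnboardingRecord:
    user: str
    role: str
    entitlements: set            # everything granted at provisioning
    mfa_methods: set             # e.g. {"authenticator"}, {"sms"}, or empty
    devices: list = field(default_factory=list)


def readiness_findings(rec: OnboardingRecord) -> list:
    """Blocking findings for the go-live gate; an empty list means the account may go live."""
    findings = []
    admin = rec.entitlements & ADMIN_ENTITLEMENTS
    if admin:
        findings.append(f"administrative entitlements granted: {sorted(admin)}")
    baseline = ROLE_BASELINES.get(rec.role)
    if baseline is None:
        findings.append(f"no role baseline for '{rec.role}'; access cannot be scoped")
    else:
        extra = rec.entitlements - baseline - ADMIN_ENTITLEMENTS
        if extra:
            findings.append(f"over-provisioned beyond role baseline: {sorted(extra)}")
    if not rec.mfa_methods:
        findings.append("no MFA method enrolled")
    elif "authenticator" not in rec.mfa_methods:
        findings.append(f"MFA uses weaker methods only: {sorted(rec.mfa_methods)}")
    elif "sms" in rec.mfa_methods:
        findings.append("SMS fallback still enabled alongside authenticator")
    if not rec.devices:
        findings.append("no device recorded; any device used will be unmanaged")
    for d in rec.devices:
        controls = {"mdm_enrolled": d.mdm_enrolled, "disk_encrypted": d.disk_encrypted,
                    "screen_lock": d.screen_lock, "remote_wipe": d.remote_wipe,
                    "edr_reporting": d.edr_reporting}
        missing = sorted(name for name, ok in controls.items() if not ok)
        if missing:
            findings.append(f"device {d.device_id} missing controls: {missing}")
    return findings


def offboarding_plan(rec: OnboardingRecord) -> list:
    """The offboarding counterpart of each onboarding item, as (action, target) pairs."""
    plan = [("disable_identity", rec.user)]
    plan += [("revoke_entitlement", e) for e in sorted(rec.entitlements)]
    plan += [("remove_mfa_method", m) for m in sorted(rec.mfa_methods)]
    for d in rec.devices:
        if d.mdm_enrolled and d.remote_wipe:
            plan.append(("remote_wipe", d.device_id))
        else:
            # No technical control exists for an unenrolled device; only physical recovery remains.
            plan.append(("manual_device_recovery", d.device_id))
    return plan


def residual_access(rec: OnboardingRecord, executed: set) -> list:
    """Plan steps still outstanding after `executed`: what a former employee still holds."""
    return [step for step in offboarding_plan(rec) if step not in executed]


def sample_record() -> OnboardingRecord:
    """Constructed sample: an AP clerk given ERP admin, SMS-only MFA and an unenrolled laptop."""
    return OnboardingRecord(
        user="jdoe", role="accounts_payable",
        entitlements={"m365:user", "erp:ap-clerk", "erp:admin", "sharepoint:finance-ro", "vpn:standard"},
        mfa_methods={"sms"},
        devices=[Device("LT-0421")],
    )


if __name__ == "__main__":
    hire = sample_record()
    for finding in readiness_findings(hire):
        print("BLOCK:", finding)
    for action, target in offboarding_plan(hire):
        print("OFFBOARD:", action, target)
```

Run as-is, the sample hire is blocked on three findings (an admin entitlement, SMS-only MFA, and a device with no controls), and the offboarding plan for the same record lists eight steps; passing the steps actually completed to `residual_access` shows exactly which accounts and entitlements would outlive the employment if offboarding stopped partway.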
We manage the full onboarding and offboarding cycle for all managed IT clients — accounts provisioned before the first day, accounts disabled before the last day ends. No gap, no former-employee accounts quietly persisting, no access that outlasts the employment relationship.
For a deeper look at the access control architecture that makes this work at scale, see our articles on SSO, MFA, and BYOD. For the managed IT onboarding process itself, see What happens after you sign?