IGI Cybersecurity Blog

Cybersecurity Best Practices for Employee Onboarding and Offboarding

Written by Nour Dandan | Jun 5, 2025 3:12:39 PM

When we talk about cybersecurity in the workplace, we often focus on things like requiring strong passwords and training employees to recognize phishing emails. These are important, but they’re only part of the picture. Cybersecurity should be considered at every stage of the employee experience, not just in day-to-day operations. 

That includes moments when employees join or leave an organization. Onboarding and offboarding are critical transitions, and overlooking cybersecurity during either can leave sensitive systems exposed or data at risk. Each comes with its own set of risks and calls for clearly defined steps to reduce exposure. When handled thoughtfully, these moments can actually help strengthen your organization’s overall security.

Employee Onboarding: Laying the Groundwork for Cybersecurity 

For IT, bringing a new employee into an organization is more than just providing a laptop and login. It’s an opportunity to introduce your cybersecurity culture and ensure access is granted in a controlled, purposeful way. These steps should be built into your workflow and ideally completed as part of your onboarding process. 

  • Cybersecurity and Privacy Awareness Training 
    New employees should receive cybersecurity training during orientation. This includes an overview of how to recognize threats, report incidents, and handle sensitive information, as well as company-specific policies. Establishing this baseline helps prevent accidental data exposure and risky behavior and sets expectations early on. 
  • Acceptable Use Policy (AUP) Acknowledgement 
    Make sure the employee reviews and agrees to the company’s AUP or equivalent document. This policy outlines how company systems and devices can be used, and sets clear expectations about personal use, data handling, and prohibited activities. Getting this acknowledgement in writing confirms they understand their responsibilities.
  • Confidentiality/NDA Signing (if applicable) 
    If your organization uses NDAs or confidentiality agreements, these should be completed before the employee has access to systems or data. This reinforces the importance of protecting company data and any proprietary information the employee will work with.
  • Access Control Account Provisioning 
    Grant access based on the employee’s role with approval from their manager when possible. Follow the principle of least privilege by providing access only to systems, tools, and data needed for their job responsibilities. Use a documented process to ensure consistency and avoid excessive or shared permissions. 
  • Multi-Factor Authentication (MFA) Enrollment
    MFA adds a critical security layer. Ensure that new employees enroll in MFA and register their devices before accessing any sensitive systems. This step should be non-negotiable for all remote access, cloud services, and any access by IT administrators. 

Employee Offboarding: Protecting Systems and Data When Someone Leaves 

When an employee departs, whether voluntarily or otherwise, the organization needs to act quickly to secure accounts and retrieve assets. These steps should be built into your offboarding procedures and ideally coordinated across HR, IT, and cybersecurity teams. 

  • Access Removal 
    All system and application access should be disabled immediately once employment ends. This includes network access, email, cloud services, VPNs, and facility access. Delayed deactivation creates unnecessary risk, especially if the departure was unplanned. Additionally, accounts should be deleted after a specified period of time, unless they are on litigation hold. 
  • Asset Collection 
    Collect all company-owned equipment, such as laptops, mobile devices, security badges, and office keys. Keep a detailed inventory to verify everything has been returned and note any items still outstanding. 
  • Email and File Storage Handling 
    Decide how the employee’s email and file storage will be managed after departure. You may want to forward messages to a manager, set up an auto-reply, or monitor the account temporarily. Review and transfer ownership of important files. These steps help maintain continuity and ensure no important communication or information is missed. 
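
The Access Removal step above (disable at termination, delete after a set period unless on litigation hold) can be verified by reconciling an HR termination list against account exports. The Python below is an added example, not part of the original post; the record fields, the 90-day retention period, and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention period; the post only says "a specified period of time".
RETENTION_DAYS = 90

@dataclass
class Account:
    user: str
    system: str               # e.g. "email", "vpn", "badge"
    enabled: bool
    litigation_hold: bool = False

def audit_offboarding(terminations, accounts, today, retention_days=RETENTION_DAYS):
    """Return (user, system, finding) for accounts that belong to departed employees.

    terminations maps user -> last day of employment (from HR);
    accounts is the merged export from each system's admin console.
    """
    findings = []
    for acct in accounts:
        end = terminations.get(acct.user)
        if end is None or end > today:
            continue  # still employed, or the departure date has not arrived
        if acct.enabled:
            # A hold preserves data; it never justifies live access.
            findings.append((acct.user, acct.system, "STILL_ENABLED"))
        elif acct.litigation_hold:
            findings.append((acct.user, acct.system, "RETAIN_LITIGATION_HOLD"))
        elif today - end >= timedelta(days=retention_days):
            findings.append((acct.user, acct.system, "DELETE_DUE"))
    return findings

# Constructed sample data (not from the original post).
TODAY = date(2025, 6, 5)
TERMINATIONS = {"adavis": date(2025, 6, 4), "bchen": date(2025, 1, 10),
                "cruiz": date(2025, 2, 1)}
ACCOUNTS = [
    Account("adavis", "email", enabled=False),   # disabled, inside retention
    Account("adavis", "vpn", enabled=True),      # missed during offboarding
    Account("bchen", "email", enabled=False),    # past retention, no hold
    Account("cruiz", "email", enabled=False, litigation_hold=True),
    Account("dlee", "email", enabled=True),      # current employee
]

if __name__ == "__main__":
    for finding in audit_offboarding(TERMINATIONS, ACCOUNTS, TODAY):
        print(*finding)
```

Running a check like this on a schedule catches the systems that a manual checklist tends to miss, such as a VPN or SaaS account provisioned outside the main directory.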

Ongoing cybersecurity awareness training is important for helping current employees stay up to date, but current employees aren’t the only focus. Cybersecurity should be woven into how your organization brings people on board and how it handles their departure. Following a consistent approach can reduce the risk of human error and ensure sensitive data stays protected.
