
Your First Week With a New Hire: A Simple Security Onboarding Plan

26 Aug 2025

Hiring someone new? Great. The first week is when good security habits stick (or don’t). This simple plan gets a new starter set up safely without turning day one into an IT saga.

Goal: Create the right accounts, set the right permissions, and build 3 essential habits: strong passwords, MFA, and quick reporting.


✅ Day 0 (Before They Start)

Create only what they need for week one.

  • Account setup: Email + core tools (calendar, docs, chat, CRM/accounting if relevant).
  • Groups/roles: Add them to team groups (e.g., “Sales-EU”, “Ops-APAC”) — avoid giving “All Admin” access.
  • MFA required: Enforce MFA on first login (app-based or hardware key).
  • Device ready: Issue a laptop with auto-lock (5–10 mins), full-disk encryption, and automatic updates enabled.
  • Welcome note: Send a friendly “how we do security” message and the checklist below.

Why it matters: Least-privilege access prevents accidental data exposure and keeps you compliant with client/insurer expectations. MFA significantly reduces account-takeover risk.

For a plain-English overview you can share with your team, see CISA’s quick guide to enabling MFA.


✅ Day 1 (First Login)

Make access simple, safe, and successful.

  • Password manager: Install and show how to use it (unique, long passwords — no sharing).
  • MFA set-up check: Confirm the authenticator works and capture one secure recovery method.
  • Phishing basics (5 mins): Show one real example; agree on your “report suspicious” path (Slack/Teams/email).

Tip: Keep it human — “If you’re unsure, ask. Reporting early is always OK.”


✅ Day 2 (Tools & Files)

Share the right stuff, the right way.

  • Shared drives/folders: Add to the team’s working areas; avoid private doc silos.
  • Calendar & comms: Subscribe them to team calendars; set channel norms (what to share where).
  • Client data rules: Plain-English dos/don’ts (no personal cloud, no unknown USBs, no forwarding to personal email).

Outcome: Work flows from day two, without scattering files across personal devices or inboxes.


✅ Day 3 (Device Confidence)

Lock it down without killing productivity.

  • Auto-lock & updates: Confirm screen lock is active and OS/browser updates are automatic.
  • Mobile access: If using a phone for work email, ensure screen lock + remote-wipe are enabled.
  • Backups: Verify docs live in shared storage or are auto-backed up (no “desktop only” files).

Reason: Most small-team incidents come from lost devices or exposed files — these steps remove that risk early.


✅ Day 4 (Access Review in 10 Minutes)

Right level, no oversharing.

  • Check they can access everything needed for this role.
  • Remove any extra access accidentally granted (test links for “Anyone with link” and fix to “Team”).
  • For shared mailboxes/API keys, store credentials in the password manager — never in a note or DM.

Outcome: Least privilege from week one — and fewer surprises later.
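A small script can make the 10-minute review repeatable. The example below is added here and is not part of the original post or any SMBCyberHub template. It assumes a role-to-group mapping you maintain yourself (the `ROLE_GROUPS` table and the group names are constructed, matching the "Sales-EU"/"Ops-APAC" style used on Day 0) and a list of shared items with their link setting, which in practice you would export from your file-sharing admin console. It reports groups to add, groups to remove, and any item still set to "Anyone with link".

```python
"""Access-review helper for a new starter (added example, not the post's own tooling).

Compares the groups a person was actually granted with what their role should
have, and flags shared items that are open to "Anyone with link". All inputs
are constructed samples; replace them with your own exports.
"""
from dataclasses import dataclass

# Role -> groups that role should have. Constructed example mapping; edit to
# match your own team structure.
ROLE_GROUPS = {
    "sales": {"Sales-EU", "Shared-Docs"},
    "ops": {"Ops-APAC", "Shared-Docs", "Finance-Readonly"},
}


@dataclass(frozen=True)
class SharedItem:
    """One shared file/folder as it might appear in a sharing export."""
    name: str
    owner: str
    sharing: str  # e.g. "Team", "Specific people", "Anyone with link"


def review_groups(role, granted):
    """Return (missing, extra): groups the role needs but lacks, and groups
    granted beyond the role (least-privilege violations)."""
    expected = ROLE_GROUPS.get(role)
    if expected is None:
        raise ValueError(f"unknown role: {role!r}")
    granted = set(granted)
    return expected - granted, granted - expected


def overshared(items):
    """Return items whose link sharing is wider than the team."""
    return [i for i in items if i.sharing.strip().lower() == "anyone with link"]


def review(role, granted, items):
    """Produce an ordered list of plain-English actions for the reviewer."""
    missing, extra = review_groups(role, granted)
    actions = [f"ADD {g}" for g in sorted(missing)]
    actions += [f"REMOVE {g}" for g in sorted(extra)]
    actions += [
        f"RESTRICT '{i.name}' (owner {i.owner}) from 'Anyone with link' to 'Team'"
        for i in overshared(items)
    ]
    return actions


# Constructed sample: a new sales starter who was accidentally added to an
# admin group, plus a sharing export with one overshared spreadsheet.
SAMPLE_GRANTED = ["Sales-EU", "Shared-Docs", "All-Admin"]
SAMPLE_ITEMS = [
    SharedItem("Team handbook", "ops@example.test", "Team"),
    SharedItem("Q3 pricing.xlsx", "sales@example.test", "Anyone with link"),
    SharedItem("Onboarding notes", "hr@example.test", "Specific people"),
]

if __name__ == "__main__":
    for action in review("sales", SAMPLE_GRANTED, SAMPLE_ITEMS):
        print(action)
```

Run it once on day four and once whenever the role changes; an empty action list is the "least privilege from week one" outcome the checklist is aiming for.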


✅ Day 5 (Quick Practice & “What If”)

One tiny exercise beats a 30-slide deck.

  • Two-minute drill: Ask them to “report a suspicious email” using your agreed path.
  • Mini-scenario: “If you lose your laptop/phone, what’s step one?” (Answer: tell us immediately; we’ll remote-lock/wipe.)
  • Wrap-up: Remind them that mistakes are reported, not hidden — speed matters, not blame.

📌 Ongoing (Set It and Forget It)

  • Monthly: Manager checks access for their team (adds/removes as roles change).
  • Quarterly: Rotate any shared passwords/API tokens still in use.
  • When they change roles: Review permissions the same week — don’t wait.

🧰 Handy Templates You Can Use

  • New-starter security checklist (this page)
  • “How we report suspicious stuff” one-pager
  • Device set-up sheet (auto-lock, updates, encryption)

🎁 Free Resource

Need a ready-to-use training starter that matches this plan?
👉 Download the Free Cyber Security Training Kit


Related post:
For fast policy and training wins, read Audit-Ready in Under an Hour: A Cyber Hygiene Checklist next.