The window is 90 days. Most programmes waste it.
New starters are the most receptive audience in your organisation. They haven't formed habits yet. They're paying attention. The first 90 days are the only time you can genuinely shape how someone thinks about security from scratch.
You will never have their attention this completely again.
New starters go through more structured learning in their first few weeks than at almost any other point in their career. Induction programmes. Line manager meetings. Culture sessions. Buddy schemes. They're absorbing everything because they have to. They don't know how things work yet.
That's exactly the window security needs to use. Not because the compliance module needs a tick, but because behaviour is genuinely shapeable right now in a way it won't be once the job becomes routine. Habits form early. Culture is absorbed before people even know it's happening. What new starters experience in week one shapes how they think about security for the rest of their time in your organisation.
Most organisations invest heavily in induction. Security gets a 20-minute module and a signature. That's not a training decision. It's a missed opportunity.
The alternative is making security part of what induction feels like. Not bolted on at the end. Not a compliance obligation to get out of the way. Something that signals, from the start, that this organisation takes security seriously and that the general workforce is part of how that works.
Attack surface.
New joiners are targeted.
The vulnerability of a new starter isn't just about habits. It's about the social conditions that attackers actively exploit. Someone new to an organisation doesn't know voices. They don't know processes. They don't know who has authority over what. And they're strongly conditioned to comply, to be helpful, to avoid causing problems.
That's a profile attackers recognise and target deliberately.
They don't know anyone's voice yet. A call from "IT support" or "the CFO's EA" in week one carries authority the new starter has no way to verify.
They're conditioned to comply. Saying no to an authority figure in the first week of a new job feels professionally risky. Attackers know this and use it.
They don't know the right procedures yet. Even if they want to verify, they may not know how. The challenge behaviour that protects experienced employees hasn't been built yet.
They have new credentials and fresh access. New accounts, new system access, and recently issued credentials are a specific target for harvesting attacks in the early weeks of employment.
What to deploy, when.
The sequence matters. Each product serves a different purpose in the onboarding window. ESC creates the shared moment. SHIFT reinforces it. ALT keeps security visible during a busy period. CTRL+Vish tests what's actually landed once they're established.
Run ESC as part of the induction cohort experience. New starters go through it together, creating shared language and a shared reference point from day one. Security isn't a module they complete alone. It's something they experience with the people they're starting alongside.
Follow up with SHIFT. A solo, browser-based scenario they can run in their own time during the busy settling-in period. No facilitation required. Reinforces the learning from ESC while the memory is still fresh, and reaches anyone who missed the induction session.
Deploy ALT as a standalone experience or a team touchpoint. Works solo or as a group. AR keeps security visible and engaging during a period when induction momentum can fade. Novelty-driven enough to cut through a crowded schedule without adding delivery burden.
Once new starters are established but still in the vulnerable early window, run CTRL+Vish. They've had the learning. Now test whether it's landed. The results tell you who needs follow-up support and where the programme should focus next.
Four products. One onboarding programme.
Each product serves a specific purpose in the 90-day window. None of them require the new starter to have any prior security knowledge. All of them are designed to be engaging rather than obligatory.
ESC creates a shared security experience within the induction cohort. New starters work through a scenario together, building a common frame of reference for security before the job gets in the way. The conversations it sparks continue long after the session ends.
New starters are already in a group learning mode. ESC fits naturally into induction week without feeling like an add-on. The experience signals that this organisation treats security differently, before they've had the chance to form assumptions about what security training looks like here.
SHIFT reinforces the ESC experience in the weeks that follow. Solo-play, browser-based, no facilitation required. New starters can complete it in their own time during a period when their schedule is unpredictable. Also reaches anyone who missed the physical induction session.
Memory fades fast without reinforcement. SHIFT hits the window between the ESC session and the point where new starter attention begins to shift to day-to-day work. It doesn't require any coordination and can be pushed to new starters as a standard part of the onboarding checklist.
ALT keeps security visible and engaging during weeks four to eight, when induction momentum tends to fade. Works solo or as a small group experience on people's own devices. Novel enough to cut through a crowded onboarding schedule and memorable enough to create another reference point.
New starters are settling in and starting to form habits. ALT arrives at the moment those habits are still in formation. The novelty factor is particularly effective with people who are still in the "everything here is new" mindset, before routine sets in and security becomes background noise.
CTRL+Vish tests whether the learning from the first 60 days has actually landed. Runs a realistic vishing simulation against new starters who are now established enough to have learned the procedures, but still in the vulnerable early window where attackers target them. Results identify who needs further support before bad habits form.
Days 60 to 90 is the ideal testing window. New starters have completed their formal induction and had time to embed. They should know the verification procedures. Now find out if they'll actually use them under pressure, while there's still time to intervene before the habits become permanent.
Security culture starts on day one or it starts wrong.
Culture isn't built in training sessions. It's built in the spaces between them. What new starters see, hear, and experience in their first few weeks becomes their baseline for what's normal here.
If the security training they receive is a module to click through, that's what security feels like at this organisation. If it's a high-energy team experience that people are still talking about at the end of the week, that's a different baseline entirely.
The cohort effect
Running ESC with an induction cohort rather than individuals creates something that a solo digital experience can't: a shared memory. The people who went through it together have a reference point that lives in conversation, not just in individual recall. When something feels off six months later, the instinct that fires isn't just a training memory. It's connected to a real experience shared with real colleagues.
What champions inherit
New starters who go through an immersive induction are also better candidates for the security champions programme later. They've already experienced what good security engagement looks like. They have the shared language. They know it's possible for security training to be something people actually want to take part in.
"Beyond having enjoyed the game, this was the most impactful messaging we've been able to deliver to support our guidance regarding passwords and use of MFA. The discussions these events have sparked within the Peabody workforce have demonstrated a level of impact and understanding we haven't previously achieved."
BISO, Peabody
Start the culture conversation on day one.
Tell us about your onboarding programme and we'll show you how to build security in from the start, not bolt it on at the end.