Key Takeaways
- Most small businesses lose 1–3 productive days per new hire because IT wasn’t notified or prepped in time.
- Over-provisioning “just in case” access at onboarding becomes the breach-severity multiplier two years later.
- A 5-phase checklist — pre-day-1 provisioning, day-1 handoff, week-1 training, day-30 review, quarterly access reviews — fixes both.
- Group-based permissions and a documented offboarding mirror are the highest-leverage habits a small business can build.
The most expensive day in a new hire’s first month isn’t a particular Tuesday. It’s the day they show up and IT isn’t ready. Most small businesses lose one to three productive days per new hire because the laptop wasn’t imaged, the accounts weren’t provisioned, the password manager wasn’t set up, or the access request hadn’t reached the right person.
Worse, what gets handed to the new employee in that scramble is usually MORE permissions than they need — because granting “all the access just in case” is faster than figuring out the minimum. Then those permissions never get cleaned up. Six months later, the new sales coordinator has the same access as the CFO they replaced as a backup approver.
A real onboarding checklist solves both problems at once: faster productivity AND tighter security. The version below is a five-phase process that starts BEFORE the employee shows up and continues for their first 30 days.
Phase 1 — Before Day 1: Provisioning
The trigger for IT onboarding should be HR’s accepted-offer notification, not the manager’s panic text at 7:45am on the first day. The standard window is one week. In that window, IT needs: the role, the manager, the start date, and the requested access set (which apps, what level). With that information, IT can:
- Image the laptop with your standard build (Microsoft 365 apps, security tools, VPN client, browser policies)
- Create the M365 account with the right license tier and add to the correct security groups (which control access by job function, not by individual request)
- Request equipment with lead time (specific monitors, accessories, anything needing approval)
- Schedule the day-1 IT handoff and reserve a working desk / Wi-Fi profile
Phase 2 — Day 1: Equipment and Account Handoff
Day 1 should not be about IT scrambling. It should be 30 minutes of structured handoff:
- Laptop powered on and signed in to the new account
- MFA enrollment walked through (Microsoft Authenticator or hardware key, depending on role)
- Password manager enrollment, with role-specific vault items pre-shared by the manager
- VPN or Zero Trust client configured if remote access is needed
- A brief walkthrough: how to reach help desk, what to do if the device is lost, the short Don’t list (don’t paste customer data into ChatGPT free tier, don’t use personal email for work)
- Acceptable Use Policy signed — the legal ground for what they can and can’t do
Phase 3 — Week 1: Training and Role-Specific Access
In the first week, security awareness training should be assigned and completed. This is not an annual checkbox — it’s a foundational set of expectations the new employee needs to know before they start handling real work. The training covers: phishing recognition, password practices, data classification (what’s confidential), reporting a suspicious email, what to do if a device is lost or stolen.
Role-specific access requests get processed in this phase too. If the new sales rep needs CRM access, the manager submits the request, IT provisions it, and the employee gets access. This is the phase where “what they actually need” becomes clear — and where over-provisioning gets caught if you have a review step.
Phase 4 — First 30 Days: Access Review
At day 30, the manager and IT should walk through the access the employee has been granted versus what they’ve actually used. This catches two common problems: over-provisioned access that was granted “just in case” but isn’t needed, and missing access where the employee has been working around it (asking colleagues to do things for them).
This is also where the IT documentation for that employee gets updated: their final equipment list, their role-specific access set, who their manager is, and what their offboarding will look like if they leave. Documenting offboarding at onboarding time sounds odd but is the single highest-leverage habit a small business can build.
Phase 5 — Ongoing: Quarterly Access Reviews
Onboarding doesn’t really end. Every quarter, IT should run an access review across the whole company: who has access to what, are those people still in their original roles, are there orphaned accounts (people who left but the account is still active), are there shared accounts that should be individual.
This is the phase that’s most often skipped and most often the cause of breach severity. The Verizon Data Breach Investigations Report consistently shows that compromised accounts in long-tenure businesses had drift: access that accumulated over time, was never reviewed, and gave attackers far more reach than they should have had.
Common Mistakes
Three patterns we see most often:
The manual-email workflow. Manager emails IT: “New person starts Monday, can you set them up?” IT replies: “Send me the role and what apps they need.” Manager: “I’ll get back to you.” First Tuesday rolls around. New employee sits in a chair with no laptop. This pattern is fixable with a single shared document (intake form, ticket template, anything structured).
No offboarding mirror. When the employee leaves (and they all eventually do), the same access set that was so carefully provisioned needs to come off. Many businesses don’t have a documented record of what to disable, in what order. The result: dormant accounts staying active for months after departure, plus departed employees retaining access to OneDrive and SharePoint content nobody knows to recover.
Permissions-by-individual instead of by-group. Each new hire gets their access granted as individual permissions. Six months later, when someone asks “who has access to the finance shared drive?”, the answer is a list of 47 individual accounts instead of “the Finance security group.” Group-based access is the foundational practice that makes onboarding AND offboarding fast and auditable.
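The day-30 and quarterly review in Phases 4 and 5, plus the orphaned-account and permissions-by-individual problems above, all reduce to the same comparison: what the directory says someone can reach, against what HR says they are and what the sign-in log says they used. The script below is an added example (not Brydan’s tooling or any Microsoft-supplied report) of that comparison in PowerShell. Every input is constructed sample data so it runs offline; in production the roster would come from the HR export, the directory state from Get-MgUser and Get-MgGroupMember, the usage from the Entra sign-in log, and the ACL from the share itself. Names, groups and dates are made up.

```powershell
# Added example: access review logic for the day-30 and quarterly reviews.
# All data below is constructed for illustration; replace with exports from HR, Entra ID and the share ACL.

$Today = [datetime]'2025-03-31'

# HR roster: who is still employed and in what role.
$Roster = @(
    [pscustomobject]@{ Upn = 'jordan@contoso.example'; Role = 'Sales Coordinator'; Active = $true }
    [pscustomobject]@{ Upn = 'priya@contoso.example';  Role = 'Finance Analyst';   Active = $true }
    [pscustomobject]@{ Upn = 'sam@contoso.example';    Role = 'CFO';               Active = $false }   # left in January
)

# Directory state: enabled flag, group memberships, last interactive sign-in.
$Directory = @(
    [pscustomobject]@{ Upn = 'jordan@contoso.example';    Enabled = $true; Groups = @('SG-AllStaff', 'SG-Sales', 'SG-CRM-Users', 'SG-FinanceShare-RW');  LastSignIn = [datetime]'2025-03-28' }
    [pscustomobject]@{ Upn = 'priya@contoso.example';     Enabled = $true; Groups = @('SG-AllStaff', 'SG-Finance', 'SG-FinanceShare-RW');               LastSignIn = [datetime]'2025-03-30' }
    [pscustomobject]@{ Upn = 'sam@contoso.example';       Enabled = $true; Groups = @('SG-AllStaff', 'SG-Finance', 'SG-FinanceShare-RW', 'SG-Approvers'); LastSignIn = [datetime]'2024-12-20' }
    [pscustomobject]@{ Upn = 'frontdesk@contoso.example'; Enabled = $true; Groups = @('SG-AllStaff');                                                  LastSignIn = [datetime]'2025-03-31' }
)

# Which security group grants each app, and who actually used each app in the review window (from the sign-in log).
$GroupForApp = @{ 'CRM' = 'SG-CRM-Users'; 'FinanceShare' = 'SG-FinanceShare-RW'; 'Approvals' = 'SG-Approvers' }
$AppUsage = @(
    [pscustomobject]@{ Upn = 'jordan@contoso.example'; App = 'CRM' }
    [pscustomobject]@{ Upn = 'priya@contoso.example';  App = 'FinanceShare' }
)

# Finance share ACL as exported. Healthy entries are groups; user principals are the permissions-by-individual anti-pattern.
$FinanceShareAcl = @('SG-FinanceShare-RW', 'jordan@contoso.example', 'sam@contoso.example')

function Get-AccessReviewFindings {
    param(
        $Roster, $Directory, $GroupForApp, $AppUsage,
        [string[]]$Acl,
        [datetime]$AsOf,
        [int]$StaleDays = 90     # use 30 when running the day-30 review for a single new hire
    )
    $findings = @()
    $rosterByUpn = @{}
    foreach ($r in $Roster) { $rosterByUpn[$r.Upn] = $r }

    foreach ($acct in $Directory) {
        $hr = $rosterByUpn[$acct.Upn]

        # Orphaned: an enabled account with no active employee behind it (departed, or never in HR at all).
        if ($acct.Enabled -and ($null -eq $hr -or -not $hr.Active)) {
            $findings += [pscustomobject]@{
                Upn = $acct.Upn; Finding = 'Orphaned'
                Detail = $(if ($hr) { 'Left per HR roster but account still enabled' } else { 'No HR record: shared or service account needing an owner' })
            }
        }

        # Stale: enabled but not signed in within the window.
        if ($acct.Enabled -and ($AsOf - $acct.LastSignIn).Days -gt $StaleDays) {
            $findings += [pscustomobject]@{ Upn = $acct.Upn; Finding = 'Stale'; Detail = "No sign-in since $($acct.LastSignIn.ToString('yyyy-MM-dd'))" }
        }

        # Over-provisioned: holds the group that grants an app but never used that app in the window.
        foreach ($app in $GroupForApp.Keys) {
            $group = $GroupForApp[$app]
            $used  = $AppUsage | Where-Object { $_.Upn -eq $acct.Upn -and $_.App -eq $app }
            if ($acct.Groups -contains $group -and -not $used) {
                $findings += [pscustomobject]@{ Upn = $acct.Upn; Finding = 'OverProvisioned'; Detail = "In $group but never used $app" }
            }
        }
    }

    # Permissions by individual: ACL entries that are user principals instead of groups.
    foreach ($entry in $Acl) {
        if ($entry -like '*@*') {
            $findings += [pscustomobject]@{ Upn = $entry; Finding = 'DirectPermission'; Detail = 'Granted on the finance share directly; move to SG-FinanceShare-RW' }
        }
    }
    $findings
}

$report = Get-AccessReviewFindings -Roster $Roster -Directory $Directory -GroupForApp $GroupForApp `
    -AppUsage $AppUsage -Acl $FinanceShareAcl -AsOf $Today
$report | Sort-Object Upn, Finding | Format-Table -AutoSize
```

On the constructed data this reports the departed CFO as orphaned, stale and still holding finance and approver groups; the sales coordinator as over-provisioned on the finance share (the drift described earlier on this page); the front-desk account as having no HR owner; and two direct ACL entries that should be a group. Each finding maps to one action for the manager to attest or IT to revoke, which is what turns the quarterly review from a spreadsheet exercise into a fixed list of changes.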
What Automation Looks Like
Mature IT onboarding doesn’t rely on manual checklists. The mature version:
- HR system (BambooHR, Gusto, ADP) integrates with the IT identity provider (Microsoft Entra)
- Accepted offer triggers a workflow: account created, license assigned, group memberships applied based on role, laptop ordered
- Day 1, the employee signs into a pre-configured environment
- Offboarding triggers the same workflow in reverse: license revoked, group memberships removed, devices wiped, files transferred to manager
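The Phase 1 provisioning steps, the group-based permissions the Common Mistakes section argues for, and the offboarding mirror described in Phase 4 can be expressed as one script whose offboarding half is literally the onboarding half in reverse. The script below is an added example (not Brydan’s or Microsoft’s own tooling) using the Microsoft Graph PowerShell SDK. The role table, group names, UPNs and license SKU part number are constructed placeholders, and running it with -WhatIf prints the plan and writes the offboarding record without connecting to a tenant.

```powershell
# Added example: role-based onboarding and its offboarding mirror for Microsoft 365 / Entra ID
# using the Microsoft Graph PowerShell SDK. Live mode requires:
#   Install-Module Microsoft.Graph
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Directory.ReadWrite.All'
# Role table, group names, UPNs and SKU are constructed placeholders for your tenant's values.

# Single source of truth: role -> security groups. Apps and shares are permissioned to these
# groups, so a hire never receives individually granted permissions.
$RoleGroups = @{
    'Sales Coordinator' = @('SG-AllStaff', 'SG-Sales', 'SG-CRM-Users')
    'Finance Analyst'   = @('SG-AllStaff', 'SG-Finance', 'SG-FinanceShare-RW')
}

function Get-RoleGroups {
    param([Parameter(Mandatory)][string]$Role)
    if (-not $RoleGroups.ContainsKey($Role)) {
        throw "No group mapping for role '$Role'. Add one before provisioning rather than granting ad-hoc access."
    }
    $RoleGroups[$Role]
}

function New-TemporaryPassword {
    # 24 random bytes as Base64 (32 chars); the user is forced to change it at first sign-in.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Invoke-Onboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$Role,
        [string]$SkuPartNumber = 'O365_BUSINESS_PREMIUM',   # placeholder: check Get-MgSubscribedSku
        [string]$UsageLocation = 'US'
    )
    $groups = Get-RoleGroups -Role $Role
    $alias  = $Upn.Split('@')[0]

    # Write the offboarding mirror at onboarding time: exactly what must be undone later.
    $record = [pscustomobject]@{ Upn = $Upn; Role = $Role; Groups = $groups; License = $SkuPartNumber }
    $record | ConvertTo-Json | Set-Content -Path "onboarding-$alias.json"

    if (-not $PSCmdlet.ShouldProcess($Upn, "Create account, assign $SkuPartNumber, add to: $($groups -join ', ')")) { return $record }

    $pwdProfile = @{ ForceChangePasswordNextSignIn = $true; Password = (New-TemporaryPassword) }
    $user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $Upn -MailNickname $alias `
        -AccountEnabled -PasswordProfile $pwdProfile -UsageLocation $UsageLocation
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
    foreach ($name in $groups) {
        $g = Get-MgGroup -Filter "displayName eq '$name'"
        New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $user.Id
    }
    $record
}

function Invoke-Offboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Upn)
    $alias  = $Upn.Split('@')[0]
    # The record written at onboarding is the documented offboarding mirror.
    $record = Get-Content -Path "onboarding-$alias.json" | ConvertFrom-Json

    if (-not $PSCmdlet.ShouldProcess($Upn, "Disable, revoke sessions, remove from: $($record.Groups -join ', '), reclaim $($record.License)")) { return $record }

    # Order matters: block sign-in first, then strip access, then reclaim the license.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
    $user = Get-MgUser -UserId $Upn
    foreach ($name in $record.Groups) {
        $g = Get-MgGroup -Filter "displayName eq '$name'"
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    }
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $record.License
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($sku.SkuId)
    $record
}

# Dry run: prints the plan and writes the mirror record without a Graph connection.
Invoke-Onboarding -DisplayName 'Jordan Example' -Upn 'jordan.example@contoso.example' -Role 'Sales Coordinator' -WhatIf
Invoke-Offboarding -Upn 'jordan.example@contoso.example' -WhatIf
```

The point of the structure is that there is no second list to maintain: the groups applied on day 1 are recorded and read back at departure, and because access lives on groups rather than individual grants, removing the memberships removes everything at once. An HR-triggered workflow of the kind described above is the same script with the accepted-offer event supplying DisplayName, Upn and Role.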
Most small businesses can’t afford full automation. But the principles — written checklist, role-based access, group-based permissions, manager attestation at 30 days — are achievable without enterprise tooling. A shared Notion or SharePoint doc with a 20-line checklist is light-years better than three Slack messages and a panicked Tuesday morning.
The Bottom Line
New hire IT setup is invisible when it works. When it doesn’t, it costs you a day or two of productivity, sets a tone with the new employee that “IT here is reactive,” and quietly accumulates the kind of access drift that turns a small breach into a big one. A 5-phase checklist that lives somewhere accessible — and gets followed for every hire, no exceptions — is the simplest possible fix.
Talk to Brydan
Is Onboarding Still a Frantic Tuesday?
Brydan sets up new-employee onboarding workflows for Las Vegas businesses as part of every managed IT engagement. If yours still looks more like a panicked email chain than a documented checklist, let’s talk.