
Ian McGowan on New Hire Cyber Risk

With 25+ years in cyber defense, Ian McGowan has seen one pattern repeat: attackers love new hires. He shares why onboarding is now a critical security layer, and how to use behavior-led training and phishing simulations to protect new starters from day one.


For more than 25 years, Ian McGowan, Managing Director at Barrier Networks, has been helping organizations strengthen their cyber defenses. With a background that includes high-stakes environments and military-grade discipline, he’s seen one truth repeat itself:

“One of the biggest vulnerabilities isn’t technical – it’s human. And especially when it comes to new starts who are still finding their footing.”

In this article, based on the interview with Ian McGowan, we explore why new hires are attackers’ favorite targets, why traditional security awareness training is failing them, and how to build security awareness training programs that actually reduce risk.

About Ian McGowan and Barrier Networks

Ian McGowan is the Managing Director at Barrier Networks. Before moving into the commercial sector, Ian served in the British Army, starting as an electrical and mechanical engineer and later transitioning into a cyber role.

During his military career, he represented the UK as an OT (operational technology) Security subject matter expert (SME) and worked as a Computer Security Incident Response Team (CSIRT) trainer, experience that shapes his disciplined, real-world approach to reducing cyber risk.

Barrier Networks is a managed service provider (MSP) and value-added reseller specialising in cybersecurity protection, detection, and response. Its mission is to help customers build cyber resilience and develop strategies that defend against cyberattacks. Barrier’s managed services are positioned as a cost-effective way to help organisations identify and respond to threats quickly and efficiently, supporting both private and public sector organisations across the UK, drawing on decades of industry experience within the team.

That’s why Ian is ringing the alarm specifically on new hires—because attackers know they’re most exposed before they’ve built internal context.

Why Ian McGowan Is Ringing the Alarm on New Hires

Ian doesn’t speak in theory. He speaks from decades of real incidents, investigations, and frontline consulting.

From his vantage point:

  • New hires are eager to prove themselves
  • They’re navigating new tools and processes
  • They don’t yet know what “normal” looks like inside the company

That makes them ideal targets for attackers.

As Ian explains:

“The evidence is clear – new hires are the most targeted group in phishing attacks, and it’s understandable. They’re learning new systems, building relationships, and they’re under pressure to perform.”

According to Keepnet’s New Hires Phishing Susceptibility Research (2025), which Ian cites in the interview:

  • 71% of new hires fall for phishing in their first 3 months
  • Nearly 44% of them are more vulnerable compared to tenured staff.

Picture 1: Phishing Susceptibility Among New Hires

This isn’t carelessness. Ian frames it more precisely:

“It’s highlighting attacker success when the victim lacks context and experience to base their decisions on.”

In other words: if they’ve just joined, they simply don’t have the judgment and context that experienced employees rely on. And attackers know it.

Ian’s Critique: Why Traditional Awareness Training Isn’t Working

Ian is very clear that the problem is not a lack of training materials. The problem is how and when they’re delivered.

“Traditional security awareness training often fails to engage people when they’re most vulnerable – during onboarding. The threat landscape has evolved, but awareness programs haven’t kept pace.”

He calls out three key issues:

1. Training comes too late

Many organizations wait weeks or months before the first security course. Attackers don’t.

2. Training is generic and one-size-fits-all

Everyone, from a junior analyst to a senior finance manager, receives the same video or slide deck.

3. It’s treated as compliance, not behavior change

Success is measured by “completion rates” instead of actual behavior and risk reduction.

Ian sums it up perfectly:

“Generic, one-size-fits-all content delivered after the fact doesn’t lower the risk effectively enough.”

For CISOs and security leaders, that’s a clear call to rethink how security analyst training, new hire journeys, and human risk management fit together.

At Barrier Networks, Ian and his team hold a simple belief:

Cyber resilience begins with behavior

Technology will always be critical, but changing how people think and act in those crucial first weeks is where the real leverage lies.

That’s why Barrier Networks has partnered with Keepnet:

“We’ve partnered with Keepnet to help organizations deliver early, contextual and personalized training.”

Ian is very specific about what this means in practice:

“This isn’t about more content, it’s about precision – delivering the right simulation or the right nudge at the right time to the right person, and training tailored to their role and business environment.”

This is where security analyst training and broader awareness programs need to evolve:

  • From static content → to dynamic, personalized journeys
  • From ‘once-a-year course’ → to continuous coaching and nudging
  • From hoping for awareness → to measuring actual behavior change

What Ian’s Approach Looks Like for New Hires

Working with Keepnet, Barrier Networks helps customers redesign onboarding flows for security. A typical behavior-led journey inspired by Ian’s approach looks like this:

1. Week 1: Early, Contextual Intervention

New starters don’t wait weeks – they get security from day one:

  • A short welcome micro-module from security leadership
  • A simulated phishing email that reflects real internal communications (IT setup, HR forms, collaboration invites)
  • Instant feedback and a micro-lesson, whether they clicked or reported

The goal is to teach in context, not to shame people.

2. Weeks 2–4: Role-Based Simulations and Analyst Training

For teams with higher exposure – like IT, finance, and customer support – Ian recommends:

Role-specific phishing simulations

  • IT: MFA phishing, ticket-based phishing, escalation scams
  • Finance: invoice fraud, CEO impersonation
  • Customer-facing roles: urgent customer requests, link and attachment traps

Microlearning tailored to their tools and workflows

Instead of abstract examples, they see scenarios that look exactly like the systems they use every day.

This is where security awareness training evolves from “here’s a policy” to “here’s how real attackers will try to manipulate your queue, your dashboards, your tickets.”

3. Beyond the First Month: Continuous Behavior Coaching

Behavioral change doesn’t happen in a single course. With Keepnet’s platform, organizations can:

  • Track individual and team risk scores
  • Automate follow-up simulations when risky behavior appears
  • Deliver short, high-impact lessons based on real actions, not just scheduled courses
  • Use data to inform further awareness training, playbooks, and incident response improvements

As Ian puts it:

“We’re seeing a shift from tick-box awareness to behavior-led strategy. This approach not only reduces phishing susceptibility – it changes how people think about security, especially in those first crucial weeks.”


Onboarding Is No Longer Just HR’s Responsibility

A key part of Ian’s message is aimed directly at business leaders:

“It’s time business leaders recognize that onboarding isn’t just a HR task. Early cybersecurity awareness training is imperative.”

In other words, HR, IT, and Security all share responsibility:

  • HR shapes the onboarding experience
  • Security defines the risk-based journey and content
  • Partners like Barrier Networks and Keepnet provide the platform, simulations, and behavioral insights

For organizations with security operations teams, this is especially important: new hires must be trained early to recognize social engineering, internal phishing, and escalation-based attacks that target the SOC itself.

Human Intelligence vs Artificial Intelligence: Ian’s Perspective

There’s no escaping AI in cybersecurity: from attackers using deepfakes and generative content to defenders using AI-driven detection. But Ian’s closing message is a powerful reminder:

“Human intelligence, when it’s nurtured and supported, outperforms artificial intelligence every time because context and judgment are what truly keeps us secure.”

AI can help detect anomalies.

But only people can understand:

  • Whether a request fits the reality of a project
  • Whether the tone of an email matches how a leader usually communicates
  • Whether a sudden “urgent” request is plausible in context

That’s why Barrier Networks and Keepnet focus so heavily on empowering people, not just installing more tools.

Watch the Full Interview with Ian McGowan

To hear these insights directly from him, including his remarks on new hire risk, attacker behavior, and behavior-led training:


Leverage Keepnet Extended Human Risk Management Platform

If your new hires are not getting targeted, contextual training from day one, you’re leaving a critical gap in your defenses – and attackers know it.

Keepnet empowers organizations to effectively manage and reduce human cyber risk throughout the entire employee lifecycle, beginning with onboarding. We achieve this through:

Security Awareness Training: Our training is delivered early, tailored to specific roles, and focuses on changing behaviors, moving beyond generic, compliance-driven approaches.

Multichannel Phishing Simulator: We provide realistic exercise simulations that mirror real-world attack scenarios, specifically targeting vulnerable groups like new hires and security analysts.

If you want to:

  • Reduce the odds that a new starter becomes your next breach story
  • Upgrade your security awareness training with realistic, attacker-driven simulations
  • Turn onboarding into a core part of your security strategy, not an afterthought


Schedule your 30-minute demo now

You’ll learn how to:
  • Deliver behavior-led training from day one to protect new hires at their most vulnerable stage.
  • Customize phishing simulations based on employee roles and onboarding context.
  • Monitor individual risk scores and trigger personalized interventions in real-time.