Proofpoint Inc.

09/22/2025 | Press release | Distributed by Public on 09/22/2025 08:59

Is Your New Hire Your Next Insider Threat?

When we hire someone in good faith to work for our company, we assume they'll respect our organization, policies, and sensitive business data. But sadly, we don't yet live in this utopia. Therefore, we must take precautions to ensure the safety and sanctity of our organization and the critical business and personal data we have access to.

It's been a year since I wrote about new-hire risks in the first 90 days. The adoption of deepfake technologies and generative AI (GenAI) has made it increasingly easy for threat actors to impersonate credible candidates. Insider Threat Awareness Month is a good opportunity to assess your strategy for vetting new employees and to evaluate your security controls during an employee's first few months. After all, you don't want your new hire to become your next insider threat.

The new reality

Threat actors have always targeted the most vulnerable areas in an organization. When we all worked in brick-and-mortar offices, slipping in the door as an insider threat was very challenging. However, that's not the world that we live in today. Remote work has created a lack of visibility of individuals beyond their digital personas. It's now easy to use deepfake technologies and GenAI to create facades that know the most likely answers and can articulate them with clarity.

With the demand on HR teams to filter a larger number of applications per position, AI and machine learning tools have been adopted to scan resumes and perform initial applicant engagement. This is a business necessity that plays favorably into the capabilities of threat actors. They have the experience and tools to deduce the critical elements of job postings and fabricate the right personas to pass through initial screenings as top candidates. This might be the first indication that something is amiss: when a candidate seems too good to be true, they probably are. That was the case when KnowBe4 inadvertently hired a North Korean cyber attacker posing as an IT software engineer in 2024.

Best practices to reduce new hire risk

Implement rigorous vetting processes

HR teams must adjust their processes to ensure that malicious insiders don't slip through. There are several steps that can reduce the risks from a new hire:

  • Record the interview. With the consent of the interviewee, record the interview. Make sure that Legal has approved this first; it's important to ensure that both the interviewee and interviewer are acting in good conscience.
  • Research candidates thoroughly. Using available tooling and manual intervention, cross-reference the job history of the interviewee with public social media, locations of employment, and residences. Look for discrepancies between what their resume says and feedback from previous employers.
  • Perform rigorous background checks. Use provided Legal tools to perform background checks and ensure that individuals don't appear on nation-state actor lists. Make sure that provided email addresses and phone numbers work and are not void or non-existent. Don't rely on email references; talk to people who have worked with the candidate.

There are many tools to accomplish the above and many organizations already have capabilities like these in place. Now, it's time to target the weakest element of any process: the people.

Spread awareness through ongoing, targeted training

To help those involved in interviews learn tips and techniques, organizations must develop strong security awareness training processes. It's important that interviewers are aware of current impersonation trends and how to counter them. Interviewers must interact with the interviewee on a deeper level, asking questions outside the scope of the basic job requirements and engaging in physical interaction. Foundational to an effective insider risk program, there should be close alignment and collaboration between the security team and HR. This ongoing communication ensures that when suspicious activity is detected, a feedback mechanism and escalation path already exist.

For example, during a past interview, I commented on something in the background of the interviewee's home office. This caused them to turn their head to look at it. If they were using deepfake technology, this action would have produced blurring or image degradation. Then, I asked them to hold up another item we were talking about. If there was anything "off" about the camera digital replacement technology, it would have distorted the image. These requests also forced the interviewee to talk about something non-job-related. Aside from ensuring the candidate was legitimate, it provided a glance into the person behind the keyboard and not just the image they were portraying during the interview.

Stay close for the first 90 days

Now, let's say the interview is a stunning success and the candidate is hired. We know that the first 90 days can be one of the riskiest times for accidental data sharing, malicious data exfiltration, and other risky behavior. So, how can we ensure that the new hire is behaving in a responsible manner?

  • Force the unexpected. Make sure that the person who shows up on day one is the person who was interviewed, not someone else. Yes, this happens and is something to look out for. If it's a remote employee, pursue similar tactics as those used during the interview process: engage the person dynamically over video to ensure that they are who they say they are and there is no deepfake or image manipulation. It's best to do this with a mix of scheduled and impromptu meetings. Draw the new hire into a video call without time to prepare. Their calendar will be quite empty, so there won't be good reason to avoid this meeting. Avoiding it is a red flag.
  • Monitor as a high-risk user. From a technology perspective, all new hires should be in advanced monitoring groups for the first 90 days of employment. Doing so provides visibility (and often forensic evidence, should it be needed) into risky behavior. It's critical not just to detect malicious insiders who wish to cause harm, but also to help prevent accidental data loss as the new hire learns the organization's processes and procedures.
  • Don't grant access without education. It's a common practice to simply mirror the access levels of the prior employee for the new hire. While this makes sense for uniformity (and in Identity and Access Management (IAM) systems this practice is called hereditary rights), you should not grant access to sensitive data without first discussing appropriate use of it with the new hire. In many organizations, inherited rights for a given role grant new hires full access from day one. Even though the employee will be enrolled in acceptable use training, that momentary window is more than enough time for many threat actors to take full advantage. Instead, work with the IAM team in your organization to see what can be done to create gating of these rights and assign them only when training thresholds have been met. Layer security controls on top of this approach to prevent exfiltration of sensitive data.

Conclusion

Lastly, and most importantly, trust in human intuition. As a hiring manager, if you feel that something is wrong, take steps to enhance user monitoring for a short period. After all, humans are skilled at picking up nuanced signals. It's important to trust your gut as you get to know a new employee. Don't overlook elements that could cause risk to your organization. When in doubt, invoke an old-fashioned strategy: meet in person. It will go a long way to forming the trust needed.

  • To keep your organization out of the headlines by taking a proactive approach to insider threats, read our blog.
  • For a rich set of resources on building and enhancing your insider threat program, explore our Insider Threat Management Starter Pack.

Proofpoint Inc. published this content on September 22, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 22, 2025 at 14:59 UTC.