
Maintaining access control for employees and preventing new hire fraud

By Mike Engle
August 20, 2021

New hire fraud is top of mind for Chief Security Officers (CSOs) as it has become one of the largest vulnerabilities in any organization. Many assume they have conducted thorough due diligence and verification, but do not have the protocols in place to ensure the person they’re hiring is always the person logging in. Although this concern is nothing new, employees’ increased access to a company’s technology and inner workings via remote work has made it substantially easier for bad actors to attack organizations from the inside.

When hiring someone (an employee or a contractor), how do you know that the person doing the work is who you truly hired?

Identity fraud happens several ways:

Individual or Consulting Company Work-Sharing

A contractor gets hired. They will get plugged into the company resources - email, work tools, servers and more. For example, they may be a software developer and begin to do some work, learn the ropes, and start contributing to a project requiring more access to the company’s systems. To authenticate their identity to access company resources, they typically have an Active Directory username and password and some form of “second factor” authentication like a one-time code tool.

Now, for a number of reasons, the contractor decides to bring a third party into the organization to work on their project. It may be because they found someone cheaper to outsource this work to, or the contractor’s intent may be nefarious. They could get paid by the third party to let them in the door of the organization so they can steal intellectual property or inject malware into the organization.

To enable this fraud, all they need to do is give the subcontractor the username, password and send them the two-factor authentication (2FA) code at the start of their day and occasionally when they need to reauthenticate. With collaboration tools such as Slack or WhatsApp, the exchange of this 2FA code can be done in seconds.

There are many security and productivity implications for this. First, the hiring company may have done diligence on the original contractor covering their skills, location and employment history, but the subcontractor could be anywhere in the world and have a checkered background. Second, the company no longer has control over its resources or knowledge of who is in the system, leaving it vulnerable to the will of the subcontractor.

“Paycheck Jacking” 

Let’s say that Acme Corp. needs to hire 200 developers for a big project. A new form of organized crime will target Acme and apply for a dozen of these jobs with workers that appear to be qualified. They will coach them through the hiring process so that they pass the interview process and any skill assessment tests. Then, when the new hires are scheduled to start, they slip someone else into the process. Their sole intent? To let this unqualified person sit in their chair for a few paycheck cycles until Acme catches on and they get fired. The bad actors collect dozens or hundreds of paychecks until they're all flushed out of the company. 

In both of these cases, companies are seemingly powerless against new hire fraud within the confines of their existing systems. However, with the right identity protocols and investment in new technology, such as biometric identity proofing, companies can fortify themselves from attack.

Identity to the Rescue

Given the remote nature of this problem, identity fraud can be a difficult threat to mitigate. Adding layers of management and oversight can be expensive, but there are options for organizations to embrace. They are the same principles that have been used for years by banks for “Know Your Customer” and companies for “Know Your Employee” protections - proof of identity.

When you onboard a banking customer or hire a new employee, the organization is required to collect evidence about their identity for tax and other purposes. This proof comes in the form of one or more government-issued documents such as a driver's license, passport, or other national identity documents. These documents are inspected for authenticity and the images on them compared to the individual’s face. Until recently, this required the new hire to be in person so the document collection and inspection could be done by company representatives.  

Historically, doing this remotely has been less than ideal. For years, these documents have been scanned by the document holder and then emailed, faxed, or uploaded to the requesting company. This introduces many challenges for both parties:

  • The quality of the documents can vary depending on the person taking the picture (poor lighting or angle). 
  • The image file size may change depending on how it is captured (low-DPI scanner) or transmitted (emails often compress photos).
  • The documents are now floating around the digital landscape - in the candidate’s email, in the HR rep’s email, or sitting on some server. This puts personal identification information at risk at every step of the journey. 
  • Even after documents are emailed or uploaded, you don’t have a reliable way to verify the person sending them is truly who you are interacting with.

Remote Digital Proofing and Strong Customer Authentication

Recent advances in technology and new identity-proofing standards give companies secure and trustworthy options to mitigate these risks. In addition, the documents gathered during the hiring process can be used every time the individual needs to access company resources.

Document-centric identity verification is a growing trend in enterprise cybersecurity. A recent study by Gartner found that by 2022, 80% of companies will be using this method of verification in their organizations, and over 60% of mid-size to global enterprises will implement passwordless authentication methods in the same timeframe. However, deploying this technology effectively requires an integration of document-centric verification and passwordless authentication, and careful attention to industry standards that will provide organizations maximum protection.

In 2017, the US federal government introduced the NIST 800-63-3a identity proofing standard, which is critically important for organizational security measures to comply with. In short, NIST 800-63-3a gives guidance on how to capture two forms of identity documentation, validate them, and compare the images on the documents with the person’s face. For organizations hiring new employees, this means they have verifiable proof, backed by a rigorous standard, that everyone signing onto their systems is who they say they are every time.

Breakthroughs in technology have made this process possible by leveraging the smartphone or computer of the new hire. Specifically, biometric ID proofing and digital authentication make this process much easier for companies to verify their employees’ identities without a significant investment in sophisticated systems. They simply scan the documents, take a selfie, and the system does the rest, including guiding the user through the capturing of quality images. The results are a standards-based identity that an organization can trust for onboarding and re-authentication throughout their time with the organization.

It’s important to distinguish that this form of biometric enrollment is not the same as TouchID, FaceID and other device-based biometrics. Those forms of biometrics are not linked to a real identity. The biometric must be a representation of one user and instantly matched to the government documents.

Advancements in cryptography and computing hardware now allow this enrolled identity to be verified every time that the new hire accesses a computing resource. When a user enrolls their identity documents and their selfie, they are given a private key. Their identity information and selfie are encrypted and stored in a secure location. This private key is the same concept used by cryptocurrencies to keep digital wallets safe and secure. The only way that it can be unlocked is with the user’s permission. Nobody has access to the user’s data except the user.

As they embrace an identity proofing solution, companies can issue a digital credential, such as an Active Directory certificate, that allows users to access internal systems. This is protected the same way the identity documents are. The usage of cryptographic keys is a growing trend backed by another standards body, the FIDO Alliance. The acronym “FIDO” stands for “Fast Identity Online”. FIDO’s aim is to get rid of usernames and passwords. They set the bar on how a company can implement various authentication technologies. However, FIDO alone is not strong enough to entirely protect organizations, because it does not have proof of identity as part of the standard (i.e. verifying against government-issued documents).

When FIDO is combined with strong identity proofing, such as NIST 800-63-3, the process provides indisputable proof that employees, contractors or partners are who they say they are. When a person transmits their credentials, the credentials carry the same digital signatures that were enrolled with their identity, which cannot be used or replicated by a third party.
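The key-based login described above can be sketched as a challenge-response exchange in which the server checks a signature against the public key stored at enrollment alongside a reference to the proofing record. This is an added example, not code from the article or from any vendor, and it is a simplification rather than the FIDO/WebAuthn wire format. The record layout, function names, user ID, origin and proofing reference are all assumptions constructed for illustration; it uses Ed25519 from Node's built-in `crypto` module.

```javascript
const crypto = require('node:crypto');

// Relying-party state; the record layout and all names here are assumptions.
const enrolled = new Map(); // userId -> { publicKey, proofingRef }
const pending = new Map();  // userId -> { challenge, expires }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Run once, after document and selfie proofing succeed. The server stores only
// the public key and a pointer to the proofing record, never the private key.
function enroll(userId, publicKey, proofingRef) {
  enrolled.set(userId, { publicKey, proofingRef });
}

// A fresh random challenge per login attempt, valid for 60 seconds.
function issueChallenge(userId, now = Date.now()) {
  const challenge = crypto.randomBytes(32);
  pending.set(userId, { challenge, expires: now + 60_000 });
  return challenge;
}

// Device side: sign hash(origin) || challenge with the device-held private key.
function signAssertion(privateKey, origin, challenge) {
  return crypto.sign(null, Buffer.concat([sha256(origin), challenge]), privateKey);
}

// Server side: the challenge is consumed on every attempt, pass or fail.
function verifyAssertion(userId, origin, signature, now = Date.now()) {
  const rec = enrolled.get(userId);
  const p = pending.get(userId);
  pending.delete(userId);
  if (!rec || !p) return { ok: false, reason: 'no-enrollment-or-challenge' };
  if (now > p.expires) return { ok: false, reason: 'challenge-expired' };
  const msg = Buffer.concat([sha256(origin), p.challenge]);
  if (!crypto.verify(null, msg, rec.publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, proofingRef: rec.proofingRef };
}

// Constructed scenario: one enrolled device, one unrelated device.
function demo() {
  const origin = 'https://sso.example.test';
  const device = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  enroll('contractor-17', device.publicKey, 'proofing-record-0001');

  const sig = signAssertion(device.privateKey, origin, issueChallenge('contractor-17'));
  const genuine = verifyAssertion('contractor-17', origin, sig);

  // Unlike a 2FA code, a forwarded assertion is tied to a challenge that is gone.
  issueChallenge('contractor-17');
  const forwarded = verifyAssertion('contractor-17', origin, sig);

  const c = issueChallenge('contractor-17');
  const wrongKey = verifyAssertion('contractor-17', origin,
    signAssertion(other.privateKey, origin, c));
  return { genuine, forwarded, wrongKey };
}

console.log(demo());
```

The signature proves possession of the enrolled key only. The per-login biometric match against the proofed identity, which the article relies on to tie the device holder to a person, is not modelled here.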

When a user needs to access a resource, they provide their biometric (selfie) and they can access the company’s network. There are several ways for a user to connect to a remote resource including the scanning of a QR code or triggering of a push message to their smartphone. Because of this, the organization now knows with a high degree of certainty that the person sitting at the keyboard is who they say they are - every time they authenticate.

The time is now for organizations to embrace these identity standards - for their sake, and for their users. As hybrid work is likely here to stay and companies assess their hiring and security practices, there has never been a better time to invest in new systems that ensure maximum protection for their most important assets.

Mike Engle is Chief Security Officer (CSO) of 1Kosmos.
