

Many businesses want to take advantage of the wealth of remote talent from across the world. This can give them access to excellent skills at a reasonable cost, but there can also be some risks that come alongside it. One of the key ones we’re going to discuss revolves around whether the person you hire is truly who they say they are.
Google recently released a report showing that it has seen an uptick in North Korean actors posing as workers from other countries. Obviously, there’s nothing wrong with North Koreans themselves, but the deception plus potential links to the North Korean government puts companies at risk of things like espionage, data theft, and other types of damage.
Trust is critical in the cybersecurity industry—we need to have a high level of confidence that we can rely on the people we hire. In the good old days, we would do things like:
- Look through resumes to ensure that people have the backgrounds we need.
- Physically interview them to verify that their knowledge matches their resume.
- Inspect their government ID to determine whether they are truly who they say they are.
- Call up their references to see what past employers say.
- Run background checks.
When we are hiring people from other countries, things can get a little more challenging. When hiring locally, we often have a little more context that makes it easier to vet a candidate. You may know something about their past employers, their university, or even have shared industry contacts. This additional information can help you vet whether the candidate is being truthful. If you’re hiring someone from New Zealand and you know absolutely nothing about New Zealand’s major schools or employers, it’s much harder to gauge whether what they are saying is true.
Keep the camera on
When hiring offshore, it’s critical to perform interviews with the camera on so that you are getting as much information as possible during the process. A candidate may try to come up with excuses to keep their camera off, but it’s just too risky to hire someone without being able to look at them while you interview. You should also tell them in advance that they should not use a fake background during the interview. People often use these for legitimate reasons—like because they haven’t had a chance to clean up—but these backgrounds aren’t suitable for an initial interview because they may allow the applicant to deceive you.
Run a thorough background check
If you aren’t able to interview someone in person and if you won’t be seeing each other in the office all the time, then you’re only going to have limited information about the new hire and you could miss out on a lot of red flags. This is why it is important to run a thorough background check from a reputable provider, which can include things like checking their social media profiles and even collecting biometric information. You should also require notarized proof of identity before commencing employment.
Watch out for BYOD (bring your own device)
Many companies allow employees to use their own devices for work, especially startups or smaller-scale organizations. In normal contexts, this brings a lot of security challenges, but it can be even worse in the case of remote workers. If an employee uses their own device, it’s harder for a company to keep tabs on them. If you send them company devices, it gives your organization a little more control. Since you have to mail the device to their address, the new hire will have to be at the address that they purport to live at. You can also set up company devices with a bunch of admin tools that make it easier to detect their geolocation over time. On top of this, you can monitor for things like VPN usage and mouse-jiggling software that employees may use to appear as though they are working when they aren’t.
Once the employee receives the laptop, you should also ask them to send you the serial number to confirm that they do have physical possession of the device.
On top of all of this, it’s good to have semi-frequent video calls with the employee. Even if the person you hire appears to be legitimate, you can’t be sure that they aren’t just passing off the work to someone else.
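The device checks described above (serial confirmation, geolocation over time, VPN usage, mouse-jiggler behavior) can be combined into one periodic review. The following is an added example, not part of the original article: the record layout, signal names, thresholds, and all sample data are constructed assumptions rather than output from any particular admin tool.

```python
from collections import Counter
from statistics import pstdev

# Constructed onboarding records (hypothetical schema): serial shipped by IT,
# serial the new hire reported back, and the country they declared.
ONBOARDING = {
    "emp-101": {"shipped_serial": "SN-A1B2C3", "reported_serial": "SN-A1B2C3", "country": "NZ"},
    "emp-102": {"shipped_serial": "SN-D4E5F6", "reported_serial": "SN-D4E5F6", "country": "US"},
    "emp-103": {"shipped_serial": "SN-G7H8I9", "reported_serial": "SN-000000", "country": "US"},
}

# Constructed device check-ins: (employee, geo-IP country, VPN egress?, seconds between pointer events).
CHECKINS = [
    ("emp-101", "NZ", False, [3.1, 0.4, 12.8, 1.9, 7.2, 0.8]),
    ("emp-101", "AU", False, [5.6, 2.2, 0.3, 9.4, 1.1, 4.0]),   # one-off trip, below threshold
    ("emp-101", "NZ", False, [0.9, 6.3, 2.7, 14.1, 0.5, 3.3]),
    ("emp-102", "US", True,  [30.0, 30.01, 29.99, 30.0, 30.0, 30.02]),
    ("emp-102", "XX", True,  [30.0, 30.0, 30.01, 29.98, 30.0, 30.0]),
    ("emp-102", "XX", False, [2.4, 0.7, 8.8, 1.2, 5.5, 0.9]),
    ("emp-103", "US", False, [4.2, 1.1, 0.6, 10.3, 2.0, 6.7]),
]

def looks_like_jiggler(intervals, min_events=5, max_jitter=0.05):
    """Human pointer input is irregular; a jiggler fires on a near-fixed timer."""
    return len(intervals) >= min_events and pstdev(intervals) <= max_jitter

def review(onboarding, checkins, min_hits=2):
    """Return {employee: [signals]} for signals seen at least min_hits times."""
    hits = Counter()
    for emp, country, vpn, intervals in checkins:
        if emp not in onboarding:
            continue
        if country != onboarding[emp]["country"]:
            hits[emp, "unexpected_country"] += 1
        if vpn:
            hits[emp, "vpn_egress"] += 1
        if looks_like_jiggler(intervals):
            hits[emp, "regular_pointer_timing"] += 1
    findings = {emp: [] for emp in onboarding}
    for (emp, signal), n in hits.items():
        if n >= min_hits:
            findings[emp].append(signal)
    for emp, rec in onboarding.items():
        if rec["reported_serial"] != rec["shipped_serial"]:
            findings[emp].append("serial_mismatch")  # a single mismatch is enough
    return {emp: sorted(s) for emp, s in findings.items() if s}

if __name__ == "__main__":
    print(review(ONBOARDING, CHECKINS))
```

Treat each signal as a prompt for a follow-up conversation rather than proof: geo-IP lookups are approximate, and a VPN or a trip can be entirely legitimate.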
