The 2026 Verizon Data Breach Investigations Report says North Korean IT worker schemes used stolen identities, remote hiring and laptop farms run by local accomplices. It estimates that those operations may have leveraged about 15,000 possible identities.
The report, which analyzed more than 31,000 incidents and more than 22,000 confirmed breaches, documents how cyber risk and workforce risk occupy the same organizational space. Here are three findings from the report that may land on the CHRO’s desk.
The fake worker problem has a hiring solution
The North Korean IT worker operation documented in the 2026 DBIR has mechanics that are familiar to any recruiter, including polished resumes, strong technical interviews and remote onboarding. But these “candidates” are, in fact, coordinated state actors using tools that once seemed futuristic.
“The North Korean IT worker threat is no longer just a cybersecurity issue. It is now an insider risk and workforce integrity problem,” Ensar Seker, chief information security officer at SOCRadar, a threat intelligence firm, told HR Executive. “Traditional background checks are often ineffective because these actors use synthetic identities, stolen credentials, AI-enhanced resumes and even deepfake-assisted interviews.”
The DBIR found that third-party supply chain breaches jumped 60% and now account for 48% of all incidents. Many infiltrations occur through subcontractors or fast-tracked technical recruiting pipelines where identity validation is weakest.
“Hiring can no longer operate independently from cyber risk management,” Seker says, “especially for remote technical roles with privileged access.” He suggests that organizations need to implement multi-layered identity verification such as live identity validation during interviews, device and geolocation consistency checks, payroll banking verification and tighter contractor onboarding controls.
Behavioral monitoring after hire matters, too, according to Seker. Unusual working hours, unexpected VPN patterns and attempts to access source code repositories or collaboration platforms beyond an employee’s assigned scope are all red flags.
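The three post-hire signals above can be combined into one triage rule; the following Python sketch is an added example, not drawn from the DBIR or from SOCRadar. The user names, repository names, baseline fields and event tuples are constructed for illustration and assume access logs that already carry a source country and the repository touched.

```python
from collections import defaultdict
from datetime import datetime

# Constructed per-user baseline (hypothetical): assigned repositories,
# usual working hours in UTC, and the country recorded at onboarding.
BASELINE = {
    "jdoe": {"repos": {"payments-api"}, "hours": range(13, 23), "country": "US"},
    "asmith": {"repos": {"web-frontend", "design-system"},
               "hours": range(8, 18), "country": "GB"},
}

# Constructed sample events: (UTC timestamp, user, source country, repository).
EVENTS = [
    ("2026-03-02T14:05:00", "jdoe", "US", "payments-api"),
    ("2026-03-02T03:12:00", "jdoe", "US", "payments-api"),
    ("2026-03-03T03:40:00", "jdoe", "NL", "hr-payroll-export"),
    ("2026-03-03T04:02:00", "jdoe", "NL", "infra-secrets"),
    ("2026-03-03T09:30:00", "asmith", "GB", "web-frontend"),
    ("2026-03-04T10:15:00", "asmith", "GB", "design-system"),
]

def flag_events(events, baseline):
    """Return {user: [(timestamp, [reasons])]} for events that deviate from baseline."""
    findings = defaultdict(list)
    for ts, user, country, repo in events:
        profile = baseline.get(user)
        if profile is None:
            # An account with no onboarding record is itself worth a look.
            findings[user].append((ts, ["no_baseline"]))
            continue
        reasons = []
        if datetime.fromisoformat(ts).hour not in profile["hours"]:
            reasons.append("off_hours")
        if country != profile["country"]:
            reasons.append("geo_mismatch")
        if repo not in profile["repos"]:
            reasons.append("out_of_scope_repo")
        if reasons:
            findings[user].append((ts, reasons))
    return dict(findings)

def review_queue(findings, min_signals=2):
    """Users with at least one event tripping min_signals signals at once."""
    return sorted(user for user, hits in findings.items()
                  if any(len(reasons) >= min_signals for _, reasons in hits))

if __name__ == "__main__":
    print("review:", review_queue(flag_events(EVENTS, BASELINE)))
```

Requiring two or more signals on the same event keeps a single late night from generating a case, while an off-hours session from an unexpected country against an unassigned repository is routed to review.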
Social engineering has outpaced awareness training
The volume of AI-assisted text in malicious emails has doubled, and attackers are no longer sending recognizable phishing templates. “Annual phishing videos are no longer enough,” says Seker. “Employees are now facing highly convincing AI-generated voice calls, deepfake executives, synthetic recruiters and real-time social engineering attacks designed to create urgency and bypass critical thinking.”
Organizations need to teach employees verification discipline, rather than simply teaching ‘suspicion,’ says Seker. “Employees should be trained to slow down high-pressure requests, independently verify sensitive actions through secondary channels and recognize manipulation tactics involving urgency, authority or fear,” he says.
Continuous micro-training and live simulations should be built around the actual attack scenarios employees encounter: fake Teams calls, AI voice messages, payroll scams, multifactor verification fatigue attacks and impersonation attempts targeting HR and finance teams specifically. HR is a high-value target in these scenarios because compensation data, direct deposit information and identity documents are exactly what attackers are after.
Shadow AI is a data governance crisis
According to the DBIR, employee use of unapproved AI tools tripled in a single year, from 15% to 45% of the workforce. The report also found that shadow AI is now the third most common non-malicious insider action detected in data loss prevention systems, a fourfold increase from the previous year.
The most common data type being uploaded to unauthorized AI platforms, by a significant margin, is source code. Research and technical documentation appeared in 3.2% of those policy violations, according to the report, which adds: “As if the source code part was not enough, you now have potential intellectual property walking out the door.”
The increase in employees uploading sensitive data into generative AI platforms reflects a gap between attention to security and attention to productivity, Seker says. “Employees are adopting AI tools faster than organizations are building governance around them. This is not purely a technology problem. It is a workforce behavior and policy problem.”
Blanket bans have not worked because employees use banned AI at work anyway. Seker says the more effective path is clear usage policies that define what data can and cannot be shared, with role-specific guidance for departments like HR, legal, engineering and finance that handle sensitive information daily.
“The companies handling this best are treating generative AI governance similarly to cloud adoption years ago,” Seker says, “enabling innovation while building visibility, guardrails and accountability around how employees use these tools.”