The Iran War is a Human Risk Crisis

The war in the Middle East that began on February 28th has dominated headlines, disrupted markets, and forced boardrooms into emergency conversations about exposure. Oil rose to above $100 a barrel. Airspace across the Gulf has been closed or restricted. The Strait of Hormuz, through which a fifth of the world’s oil supply moves, is effectively choked. Three AWS data centers in the UAE were struck by drone attacks, taking down S3, EC2, and DynamoDB infrastructure across the region. The head of the International Energy Agency, Fatih Birol, told the BBC’s World Business Report it was the “greatest global energy security challenge in history.”

Most organizations are asking the right operational questions right now. Are our supply chains exposed? Do we have energy cost contingencies? What’s our business continuity posture for the region?

But for security, people, and risk leaders, there’s a question that isn’t getting enough attention relative to everything else on your plate right now: are your people and partners a vector?

Nation-state threat actors don’t only operate through missiles and malware. They operate through people: employees, contractors, vendors, and partners with authorized access to your systems, your data, and your operations. During periods of escalation like this one, those human vectors become significantly more active. Organizations need to be looking at them.

The Threat Isn’t Always at the Perimeter

Security investments tend to be oriented outward. Is the network hardened? Are systems patched? Is detection and response coverage in place? These are the right questions, but they assume the threat is coming from outside the wall.

Increasingly, it isn’t.

Nation-state actors have become sophisticated at exploiting the relationships organizations depend on every day: the staffing firm that sources contract engineers, the software vendor with deep API access to your environment, the consultant embedded in a sensitive project, the new hire who came with a strong resume and interviewed well.

We’ve seen this pattern firsthand. In March 2026, we published a detailed account of our own encounter with a North Korean IT worker who applied for a role at Nisos (a company that specializes in detecting exactly this type of threat – yes, the irony is not lost on us). The resume was polished. The interview responses were rehearsed. The candidate was part of a coordinated, industrialized operation designed to place operatives inside U.S. companies to generate revenue for the regime and, in some cases, access sensitive systems and intellectual property. The investigation, including video documentation of the fraud in action, was later featured by NBC News, bringing national attention to a threat that far too many organizations still underestimate.

Related:

• Nisos DPRK IT Worker Fraud Investigations & Research

The DPRK operation is instructive not because it’s unique, but because it’s a template. When nation-states want access to organizations, they go through people. They exploit hiring processes, vendor relationships, and contractor pipelines. They rely on the fact that most organizations’ defenses face outward while the human layer stays under-examined.

That template doesn’t belong to one actor or one conflict. It’s a playbook, and right now the conditions for running it are near-ideal.

How Geopolitical Conflict Expands Organizational Risk

The geographic footprint of this conflict is worth sitting with for a moment. Iranian retaliatory strikes have hit targets in Bahrain, Jordan, Kuwait, Qatar, Saudi Arabia, and the UAE. A drone struck a British military base in Cyprus. Missiles were intercepted over Turkey. Civilian infrastructure was damaged in Azerbaijan, Kurdistan, and Oman. The Houthis have resumed threatening commercial shipping in the Red Sea and Gulf of Aden, with sixteen reported attacks on vessels in the Persian Gulf since hostilities began.

This is not a localized conflict. If your organization has operations, personnel, vendors, or customers anywhere in that region, you are operating in an active conflict zone. Even beyond the physical geography, active conflict changes the threat environment in several specific ways that security and risk leaders need to understand.

Motivation intensifies. Escalation raises the stakes for all parties. Intelligence collection, economic disruption, and influence operations all accelerate. Organizations that were lower-priority targets in quieter times can become relevant quickly because of who they work with, what technology they hold, or what sector they operate in. Defense-adjacent companies, energy firms, financial institutions, and critical infrastructure operators are obvious targets. So are the vendors and partners those organizations rely on.

The extended enterprise becomes a pressure point. Direct attacks on well-defended organizations are hard. Attacks through their suppliers, contractors, and partners are easier. Third parties often carry legitimate access and lower security maturity – a natural path of least resistance. The AWS strikes in the UAE are a sharp illustration of this: the conflict reached cloud infrastructure that organizations around the world depend on, through a physical attack on a third-party provider operating in a conflict zone.

Coercion becomes a tool. Not every insider threat is a planted operative. Some are people who come under pressure after they’re already inside, whether through family ties in affected regions, financial leverage, or ideological appeal. Geopolitical escalation expands the surface area for that kind of coercion, particularly for employees and contractors with personal connections to the countries involved.

Identity fraud accelerates. When operational tempo increases, so does the use of fraudulent identities and credentials to gain access to target organizations. Fake employment candidates, misrepresented vendor relationships, and front companies that appear legitimate on the surface are all established tools in the nation-state playbook. And they become more prevalent during active conflict, not less.

Where Most Organizations Are Exposed to Human Risk

Most organizations were not built to detect these threats. Security investments are oriented toward technical controls. HR processes were designed for efficiency, not adversarial scrutiny. Vendor management programs focus on operational and financial risk, not human risk. That leaves consistent, predictable gaps.

Vetting that doesn’t account for changing circumstances. A vendor relationship that was clean eighteen months ago may look very different today. A contractor who checked out during onboarding may have changed affiliations, come under external pressure, or been compromised since. The Iran conflict changed the risk calculus for a significant number of third-party relationships almost overnight, but most organizations have no mechanism to reflect that in real time.

Insufficient visibility into third-party personnel. Organizations often scrutinize the companies they work with while paying far less attention to the specific individuals from those companies who have access to sensitive systems and data. The risk doesn’t live in a vendor’s corporate registration. It lives in the people walking through your door, whether physical or virtual.

Functional silos that create blind spots. Detecting human risk requires security, HR, legal, and intelligence functions to work together. In most organizations, these teams operate independently with different tools, different data, and different mandates. That fragmentation is exactly what sophisticated threat actors exploit. As we noted in our DPRK investigation, a single red flag may not trigger action. But several indicators, visible to the right people at the right time, tell a very different story. When those people aren’t talking to each other, the story never gets told.

Overreliance on self-reported information. Employment applications, vendor questionnaires, and onboarding documentation all depend on honesty. In a normal environment, that assumption holds reasonably well. In an adversarial one, it doesn’t. Verification – of identity, credentials, affiliations, and associations – requires going beyond what someone tells you about themselves.

No trigger-based review process. The conflict that began in late February is exactly the kind of event that should automatically prompt a reassessment of third-party and workforce risk. Many organizations don’t have a process for that. The threat environment shifted materially in a single day, and risk postures built for a different environment are still in place.

What You Should Be Doing Now

None of what follows requires abandoning fairness, trust, or good judgment as organizational values. It requires applying appropriate rigor in proportion to the current environment – which is a reasonable ask of any serious security or risk function.

Audit your third-party roster with current context in mind. Review active vendors, contractors, and partners against what you now know about the conflict’s geographic footprint. Look at ownership structures, personnel with access to sensitive systems, and entities with operational ties to affected regions. Ask honestly whether the access you’ve granted reflects a risk assumption that still holds.

Strengthen identity verification in your hiring process. Polished applications and smooth interviews are not sufficient validation, as our DPRK investigation made clear (in an environment far less charged than the current one). Verify identity, credentials, and employment history independently. Be alert to the specific indicators of coordinated fraud: AI-generated application materials, evasiveness under technical questioning, reluctance to demonstrate work live on camera. Apply additional scrutiny to roles with access to sensitive systems, intellectual property, or financial infrastructure.

Look beyond the organization to the individual. When contractor or vendor personnel have meaningful access to your environment, they warrant scrutiny proportional to that access – not because anyone should be assumed a threat, but because visibility is the foundation of informed decision-making. Affiliations, associations, and online presence are relevant data points that point-in-time organizational due diligence rarely captures.

Establish ongoing monitoring, not just point-in-time review. Threat postures change. People’s circumstances change. A monitoring capability that surfaces new risks, such as behavioral changes, newly exposed affiliations, or emerging associations with concerning actors, gives you the ability to respond before damage occurs rather than after. In a conflict environment that is still evolving, this is not a nice-to-have.

Build a cross-functional response posture. Security cannot own this problem alone. HR, legal, and intelligence functions all have a role to play. Even a lightweight process that allows these teams to share information and act together when indicators emerge is significantly better than the alternative. The organizations best positioned to handle human risk threats are those where no single indicator gets siloed in a team that doesn’t have the full picture.

Brief your executives. Senior leaders are not just organizational assets, they’re targets. High-profile individuals with public digital footprints are attractive to influence operations, intelligence collection, and social engineering. Make sure your executives understand their personal exposure in the current environment and have appropriate support to assess and reduce it.

Visibility Is the Starting Point

The scale of this conflict is significant. The economic disruption is real and already being felt – in energy prices, in supply chains, in financial markets, and in the cloud infrastructure organizations depend on daily. Security and risk leaders are being asked to respond on multiple fronts simultaneously.

The human dimension of that response deserves a place on the list.

Not out of alarm, but out of recognition that this is how nation-state actors operate. They find the path of least resistance; they exploit trust; they use people, whether real or fabricated, to get where technical controls won’t let them go. That’s not a new observation, but it’s one that becomes more urgent when the geopolitical temperature rises and the operational tempo of threat actors increases with it.

The good news is that these threats, while sophisticated, are detectable. Our DPRK investigation demonstrated that a determined, well-resourced operation can be identified, investigated, and exposed when organizations are paying attention in the right places and the right functions are working together. That’s the posture worth building: not fear, not paralysis, but visibility, process, and the ability to act on what you find.

How Nisos Can Help

At Nisos, human risk is our entire focus. We built our solutions around the understanding that the most consequential threats to organizations often come through people, and that detecting, investigating, and mitigating those threats requires a different kind of capability than traditional security tools provide.

For organizations reassessing their human risk posture in light of the current environment, we offer four areas of support:

Third Party Intelligence Solutions: We help you assess the risk posture of vendors, partners, contractors, and other third parties. We go beyond organizational due diligence to examine the individuals involved, their affiliations, and their associations, giving you the visibility you need to make informed decisions about who has access to your environment.

Employment Shield: We help you identify and prevent employment fraud across the hiring lifecycle. From identity verification and credential screening to deeper investigations of high-risk candidates, we give your hiring teams the tools and expertise to catch what standard processes miss.

Insider Threat Intelligence Solutions: When the risk is already inside, whether from a compromised employee, a coerced contractor, or a planted operative, we help you investigate, attribute, and respond. We work across the full picture: who the actor is, what they’ve accessed, why they did it, and what the downstream impact looks like.

Executive Protection Solutions: We monitor and reduce your senior leaders’ digital exposure, provide alerts when threats emerge, and investigate risks to executives and their families. In a period when influence operations and targeted harassment are elevated tools of geopolitical conflict, protecting the people at the top of your organization is not a secondary concern.

If you’re reassessing your human risk posture in light of the current environment, or if you’re not sure where to start, we’d welcome the conversation.