
The 2026 DBIR Has a Section Every Company Should Read. Here’s Why It Matters to You.

May 22, 2026

Earlier this year, a suspected North Korean IT worker applied for a job at Nisos. We investigate employment fraud and insider threats as core services. They tried to come after us anyway. If they target us, they will target anyone.

That experience is the reason I want you to read page 73 of the 2026 Verizon Data Breach Investigations Report. The section is titled “North Korean IT Workers,” and the numbers are sobering.

They are using those identities to land real jobs at real companies, passing interviews and performing work remotely through laptop farms run by local accomplices. Some of them are not just collecting a paycheck and coasting. Some of them are your top performers. The identity fraud is not a red flag you can reliably expect to see in a performance review.

The report notes that technology and SaaS companies are the most heavily targeted. And I’ve seen people look at that and think: okay, tech problem, not my problem.

That’s the wrong read.

Technology and SaaS companies are the canary in the coal mine. They were the first to aggressively adopt remote employment at scale, and so they’re seeing this threat first. But this isn’t a technology sector issue. It is a remote employment issue. If your organization hires remotely, regardless of your industry, this is already your problem or it will be soon.

The DBIR also shows that the human element is present in 62% of breaches. DPRK IT workers are one of the clearest and most damaging examples of what that human risk looks like when it is tied to organized, state-backed actors.

The real entry point isn’t your firewall

The entry point for these workers isn’t your firewall. It’s your job posting. It’s your recruiter’s inbox. It’s your interview process. The first line of defense against a North Korean IT worker isn’t your CISO. It is your talent acquisition team.

That’s the shift most organizations haven’t made yet. They still treat this as a pure security problem, when the earliest and often best chance to stop it lives inside HR and recruiting.

Our experience reinforced a hard truth we have been repeating for years: the standard background check process will not catch this. Traditional background checks verify whether the identity presented is real. They are not designed to verify whether the person presenting that identity is actually the person they claim to be. That is a fundamentally different problem.

What this looks like in your pipeline

The DBIR notes that affected companies spanned widely different sectors. These aren’t unsophisticated operations. These workers perform the jobs. Some of them perform them well. They pass the interview. They pass the background check. They show up, digitally, every day.

The signals are not in the resume. They are in the broader digital footprint: inconsistencies across public sources, anomalies in the age and history of an identity, patterns in addresses and credentials that do not hold up under scrutiny, and signs of one person appearing to hold multiple full-time roles simultaneously. Individually, any one of those might look like a normal edge case. It is the pattern, in context, that tells you something is wrong. Seeing those patterns consistently, at scale, is hard to do from inside a single company with a single view of the world.
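As an added example (this is not Nisos code and not material from the DBIR), the script below runs the kinds of checks this paragraph names over a small, constructed pool of candidate records: a cross-source inconsistency, an identity whose public history is much thinner than the career it claims, contact details reused across different candidates, and employment dates that imply concurrent full-time roles. The field names, the sample records, and the thresholds are all illustrative assumptions. The point it demonstrates is the one the paragraph makes: no single signal flags a candidate, only the aggregate pattern does, and the contact-sharing check is only possible with a view across candidates rather than one file at a time.

```python
"""Illustrative aggregate-signal review for a remote-hiring pipeline.

Added example, not Nisos code. Record fields, sample data and thresholds are
assumptions chosen for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Job:
    employer: str
    start: date
    end: Optional[date]  # None means the role is claimed as current


@dataclass
class Candidate:
    candidate_id: str
    phone: str
    address: str
    earliest_public_trace: date  # earliest date any public source shows this identity (assumed field)
    resume_grad_year: int        # graduation year stated on the resume (assumed field)
    registry_grad_year: int      # graduation year from an independent source (assumed field)
    jobs: List[Job]


def overlapping_full_time_roles(jobs: List[Job], as_of: date) -> List[Tuple[str, str]]:
    """Return employer pairs whose claimed date ranges overlap; open roles run to as_of."""
    pairs = []
    for i, a in enumerate(jobs):
        for b in jobs[i + 1:]:
            a_end, b_end = a.end or as_of, b.end or as_of
            if a.start <= b_end and b.start <= a_end:
                pairs.append((a.employer, b.employer))
    return pairs


def per_candidate_signals(c: Candidate, as_of: date, min_history_years: float = 5.0) -> List[str]:
    """Signals visible from a single candidate's own record."""
    signals = []
    if c.resume_grad_year != c.registry_grad_year:
        signals.append("cross_source_inconsistency")
    history_years = (as_of - c.earliest_public_trace).days / 365.25
    claimed_years = (as_of - min(j.start for j in c.jobs)).days / 365.25 if c.jobs else 0.0
    # Thin public footprint behind a long claimed career (threshold is an illustration).
    if history_years < min_history_years and claimed_years > history_years + 2:
        signals.append("identity_history_thinner_than_claimed_career")
    if overlapping_full_time_roles(c.jobs, as_of):
        signals.append("concurrent_full_time_roles")
    return signals


def shared_contact_signals(pool: List[Candidate]) -> Dict[str, List[str]]:
    """Signals that only appear when looking across candidates: reused phone or address."""
    by_phone, by_addr = defaultdict(set), defaultdict(set)
    for c in pool:
        by_phone[c.phone].add(c.candidate_id)
        by_addr[c.address].add(c.candidate_id)
    shared: Dict[str, List[str]] = defaultdict(list)
    for index, label in ((by_phone, "phone_shared_across_candidates"),
                         (by_addr, "address_shared_across_candidates")):
        for ids in index.values():
            if len(ids) > 1:
                for cid in ids:
                    shared[cid].append(label)
    return shared


def score_pool(pool: List[Candidate], as_of: date, review_threshold: int = 2) -> Dict[str, dict]:
    """Combine per-record and cross-record signals; escalate only on the aggregate pattern."""
    shared = shared_contact_signals(pool)
    results = {}
    for c in pool:
        signals = per_candidate_signals(c, as_of) + shared.get(c.candidate_id, [])
        results[c.candidate_id] = {"signals": signals,
                                   "needs_review": len(signals) >= review_threshold}
    return results


# Constructed sample data: three fictional applicants reviewed on a fixed date.
AS_OF = date(2026, 5, 22)
SAMPLE_POOL = [
    Candidate("C-001", "555-0101", "12 Oak St", date(2012, 1, 1), 2014, 2014,
              [Job("Acme", date(2014, 7, 1), date(2018, 6, 30)),
               Job("Globex", date(2018, 7, 1), None)]),
    Candidate("C-002", "555-0202", "8 Pine Ave", date(2024, 9, 1), 2013, 2016,
              [Job("Initech", date(2014, 1, 1), None),
               Job("Umbrella", date(2022, 3, 1), None)]),
    Candidate("C-003", "555-0303", "8 Pine Ave", date(2010, 3, 15), 2012, 2012,
              [Job("Hooli", date(2012, 6, 1), date(2020, 12, 31)),
               Job("Vandelay", date(2021, 1, 4), None)]),
]

if __name__ == "__main__":
    for cid, result in score_pool(SAMPLE_POOL, AS_OF).items():
        print(cid, result)
```

In the sample pool, C-003 shares an address with C-002 but shows nothing else, so it stays below the review threshold; that is the "normal edge case" the paragraph describes. C-002 trips four independent checks at once and is escalated. Any real deployment would tune the thresholds and field sources to its own data; the structure, single-record checks plus cross-record checks feeding one aggregate decision, is the part worth keeping.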

What you can do about it

We provide analyst-led employment fraud detection and pre-employment vetting with specific coverage for organized fraud, including nation-state activity. We also look beyond the point of hire to identify fraud inside the existing workforce. The goal is to help HR, security, and legal teams see the signals that a standard background check will never surface.

I’ll be speaking in depth about this at Planet CyberSec on June 3rd in Santa Monica, where I’ll walk through practical TTPs for identifying and preventing fraudulent remote employment. If you can’t make it to Santa Monica, drop “TTPs” in the comments on my LinkedIn post and I’ll send them directly to you.

If you want to understand how this risk might be showing up in your own pipeline today, reach out to our team to talk about Employment Shield and related human risk services.


About Nisos®

Nisos is a trusted digital investigations partner specializing in unmasking human risk. We operate as an extension of security, risk, legal, people strategy, and trust and safety teams to protect their people and their business. Our open source intelligence services help enterprise teams mitigate risk, make critical decisions, and impose real world consequences. For more information, visit: https://nisos.com.