How to avoid the hidden costs of onboarding

Over the past year, a series of indictments and threat intelligence reports uncovered a sophisticated program to place North Korea-affiliated operatives into remote IT jobs around the world. In January, the U.S. Justice Department indicted five men for operating one such scheme that profited nearly $900,000. North Korean operatives, using deepfakes, laptop farms, and stolen identities to pose as U.S.-based job candidates, have been hired at numerous Fortune 500 companies, creating enormous insider risk and compliance threats while generating hundreds of millions of dollars to fund North Korea’s weapons programs.

From an IT perspective, initial credentialing (also known as credential delivery or account provisioning) is a company’s last chance to stop these and other threat actors from getting in the door. Once a new employee or contractor sets their password, they are inside the castle, and removing them becomes extremely difficult. Onboarding just one threat actor can make a company liable to sanctions violations, stolen data and secrets, a system-encrypting ransomware attack, and a badly damaged public reputation – all of which can be disastrous for the organization’s market cap.

Monetary costs: cutting corners raises security risk

The financial cost of onboarding is quantifiable: According to the Society for Human Resource Management (SHRM), the cost of hiring just one person averages $4,700. Onboarding and training alone run between $1,000 to $1,420 per employee. There is also the risk of refused access for legitimate employees. If the company can’t verify a new hire, they may have to start the hiring process all over again. While this cost cannot compare to the amount an organization stands to lose in a ransomware attack, it adds up quickly for fast-growing companies onboarding hundreds or thousands of employees and contractors per year.