Still think cybersecurity is “not an HR thing”? Let’s talk.
The recent Coinbase breach, in which more than 69,000 users’ data was compromised through insider threats, underscores the vulnerabilities that appear when HR and IT operate in silos. In this case, it didn’t start in IT; it started with hiring.
On this week’s episode of What the FTE?, Certn’s Global Head of Background Screening, Donal Greene, sits down with Darcy Healey, Certn’s APAC Market Lead. Darcy sees a big gap in how HR teams are trained in cybersecurity, which leads us to the podcast conversation.
Darcy breaks down:
- Why the “once and done” background check model is outdated;
- How to spot insider threats before they land; and
- What happens when you let access creep go unchecked.
If your team isn’t building screening practices that match access levels, you’re not just behind – you’re vulnerable. It’s time to treat background checks like part of your cybersecurity stack, not just an onboarding formality.
Tune into the full episode: https://certn.co/podcast/
—
Your greatest security risk may already be on payroll.
With insider threats on the rise and deepfake documents easier to generate than ever, HR is becoming the front line in cybersecurity. But most HR leaders aren’t trained for the battle – and many don’t even know one is happening.
The Evolving Threat Landscape
According to Cybersecurity Insiders’ recent 2024 Insider Threat Report, 83% of organisations reported at least one insider attack in the last year.
Let that sink in.
Now layer in remote work, and the risks multiply. Distributed teams. BYOD policies. Slower background checks.
Bad actors don’t need to break in when you leave the door wide open.
On this week’s episode of What the FTE?, Darcy Healey, our APAC Market Lead, shares what’s happening in Australia, but the warning signs are global.
He’s seeing mid-market and small and medium enterprises targeted more than ever. Why? Because they lack the infrastructure, policies, and, frankly, the cybersecurity literacy to spot the gaps before it’s too late.
💡 HR isn’t just hiring anymore. You’re the first line of defence.
If your background checks are still one-and-done, or if HR and IT aren’t collaborating, that’s your vulnerability.
Let’s fix that.
What’s Driving Risk
The threat landscape has changed, and the riskiest behaviours may already be happening inside your organisation because hiring, onboarding and access decisions aren’t keeping up with the latest tactics fraudsters use.
Here’s what’s fueling the fire:
- Credential selling is surging on the dark web – VPN tokens go for as little as $500.
- Fake IDs and forged identity docs are easy to generate with low-code/no-code tools.
- Role creep means employees often gain more access over time than they were originally vetted for.
Darcy puts it plainly: “Hiring is where the risk is. If you’re not aligning screening with access level, you’re flying blind.”
Not every threat is malicious. There are well-meaning employees who mishandle sensitive information by clicking phishing links, storing data on unsecured drives or failing to report lost devices. They’re the cybersecurity equivalent of leaving the front door wide open.
However, here are four common types of malicious insider threats:
1. The Privileged Saboteur
These are employees (often system admins or IT personnel) with elevated access who retaliate, typically after being demoted, disciplined or terminated. These insiders aren’t always malicious from day one, but they become a risk when their loyalty dissolves. If your offboarding playbook doesn’t include immediate deprovisioning, exit interviews or red flag watchlists, you’re giving them time, tools and motive to retaliate.
2. The IP Thief
Also known as the “corporate spy.” These insiders steal sensitive data, like proprietary code, product roadmaps or customer lists, to sell on the black market or hand off to competitors. Sometimes they do it on their way out the door; sometimes, they’re planted to do it.
3. The Expense Fraudster
Small lies, big losses. These insiders manipulate expense systems – fudging mileage, inflating vendor invoices or submitting duplicate claims. It often starts “small,” but once they realise no one’s watching, it escalates. If your background checks don’t verify employment history or spot patterns of misconduct, you could be hiring someone who’s already done this elsewhere. Pair that with weak internal controls, and you’ve got a clear path for fraud to happen.
4. The Compromised Contractor – The Credential Seller
Some insiders monetise their access. They sell credentials (like VPN tokens or admin logins) to bad actors on the dark web. These individuals often appear trustworthy on paper, but financial stress or lack of oversight pushes them over the edge.
One Check Isn’t a Strategy
In Australia, AS 4811:2022 now mandates risk-tiered workforce screening, because not all roles carry the same exposure and not all threats knock on the front door.
Globally? The red flags are waving. Just look at the Coinbase breach, where contractors with read-only access allegedly exfiltrated personal data from more than 69,000 users. The access was limited; the damage wasn’t.
Yet many HR teams still treat background checks like a checkbox: one-and-done. Screen at hire, then move on.
No rescreening.
No access review.
No context.
That might have been fine a decade ago, but today it’s a risk you can’t afford.
What Forward-Thinking Teams Are Doing
The insider threats Darcy covers aren’t just an Australian problem. They’re a global wake-up call, and smart HR teams are answering it by rethinking how screening fits into the bigger picture of risk and readiness.
With mega-breaches grabbing headlines and regulations tightening, any process that touches personal data, including background screening, is under the microscope.
There’s a cybersecurity truth we don’t talk about enough in HR: your company is only as secure as the people you’ve hired.

“You don’t need to be a single security expert, but there needs to be an understanding of how people become the weakest link. As I said earlier, the first line of defence is a person, but they’re also the biggest vulnerability, and hiring is where the risk is, so lock it down from the outset.”
Practical Strategies for HR Leaders
Beyond educating and training teams with short, sharp refreshers quarterly, not just once a year, here’s how the most future-fit leaders are getting ahead of the curve:
✅ Risk-Based Screening Matrices
Gone are the days of one-size-fits-all checks.
Progressive teams are mapping screening depth to access level, regulatory exposure, and business impact:
- Entry-level admin role? Stick to the basics.
- Moving from IC to leadership? That’s a rescreen trigger.
- Finance manager with access to PII and payment systems? You’re going deeper: identity verification, credit history, global sanctions, maybe even adverse media.
Your matrix becomes your security playbook, so hiring stays fast but smart, and every check is fit for purpose. This is how you move from “check the box” to “cover your bases.”
🔁 Rescreening Schedules That Actually Make Sense
Pre-hire checks are just a snapshot. Risk evolves. Your screening should too.
Forward-thinking organisations are implementing rescreening schedules like:
- Every six months for high-risk, high-access roles (finance, infosec, healthcare)
- Every 12–18 months for mid-level or dynamic roles where access can shift quickly
- At moments of change – like promotions, internal transfers, or expanding system privileges
This isn’t about being paranoid, it’s about being prepared. Think of it like updating your antivirus software… for people.
🤝 HR + IT = Risk Reduction Dream Team
Still treating HR and IT like separate planets? Time to build a bridge.
Cross-functional teams are closing the gap with joint oversight of onboarding, offboarding, and access controls, because:
1. HR knows who people are and what they need access to; and
2. IT knows how they access it, and where the vulnerabilities live.
Together, this creates a continuous loop of visibility and protection: screening, provisioning, flagging, deprovisioning. No loose ends. No surprise back doors.
Key Takeaway: Treat background screening the way you treat firewalls: as essential infrastructure. Once the breach is internal, it’s already too late.
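The three strategies above (a risk-based screening matrix, a rescreening cadence, and joint HR/IT access review) can be run as one check. The following is an added illustration, not code from the article or from Certn; the tier names, check names, entitlement labels and the roster are all constructed assumptions, and the cadence values come from the article (six months for high-risk roles, 12 months used for the mid tier).

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Screening depth per risk tier: an assumed encoding of the article's matrix,
# not a Certn product schema; check names are illustrative.
TIER_CHECKS = {
    "low": ["identity", "work_rights", "references"],
    "mid": ["identity", "work_rights", "references", "police"],
    "high": ["identity", "work_rights", "references", "police",
             "credit", "sanctions", "adverse_media"],
}
# Cadence from the article: six months for high-risk roles, 12-18 months for
# mid-level roles (12 used here); low-risk roles get no timer.
RESCREEN_DAYS = {"low": None, "mid": 365, "high": 182}
# Entitlement labels that raise a role's tier (assumed, not a real IdP schema).
HIGH_RISK, MID_RISK = {"payments", "pii", "prod_admin"}, {"crm", "hr_system", "source_code"}
TIER_ORDER = ["low", "mid", "high"]

@dataclass
class Employee:
    name: str
    vetted_tier: str        # tier the last screen was run at
    last_screened: date
    entitlements: set       # current IT entitlements (IdP export, in practice)
    is_leader: bool = False
    terminated: bool = False

def tier_for(entitlements, is_leader):
    """Map what a person can access today (plus leadership) to a tier."""
    if is_leader or entitlements & HIGH_RISK:
        return "high"
    return "mid" if entitlements & MID_RISK else "low"

def review(emp, today):
    """Findings HR and IT must act on; an empty list means all clear."""
    if emp.terminated:  # offboarding is closed only once every entitlement is gone
        return [f"deprovision: still holds {sorted(emp.entitlements)}"] if emp.entitlements else []
    findings, current = [], tier_for(emp.entitlements, emp.is_leader)
    if TIER_ORDER.index(current) > TIER_ORDER.index(emp.vetted_tier):
        gap = [c for c in TIER_CHECKS[current] if c not in TIER_CHECKS[emp.vetted_tier]]
        findings.append(f"access creep: vetted {emp.vetted_tier}, now {current}; run {gap}")
    days = RESCREEN_DAYS[current]
    if days and today - emp.last_screened > timedelta(days=days):
        findings.append(f"rescreen overdue: {current} tier, last {emp.last_screened}")
    return findings
# Constructed sample roster for a joint HR/IT review.
ROSTER = [
    Employee("alice", "low", date(2024, 1, 10), {"pii", "crm"}),   # role creep
    Employee("bob", "high", date(2025, 3, 1), {"payments"}),       # all clear
    Employee("carol", "mid", date(2025, 1, 15), {"source_code"}, is_leader=True),
    Employee("dave", "mid", date(2024, 6, 1), {"crm"}, terminated=True),
]

def audit(today=date(2025, 6, 1)):
    """Names with open findings; run nightly against a fresh IdP export."""
    return {e.name: f for e in ROSTER if (f := review(e, today))}
```

Feeding the review a real identity-provider export instead of the constructed roster is what closes the screening, provisioning, flagging and deprovisioning loop the section describes.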
Let’s dig into each of these strategies a bit more…
Use of Standards and Accreditation
Traditionally, background checks were a one-time pre-employment event. This is also changing.
Australia’s updated workforce screening standard, AS 4811:2022, emphasises a risk-based approach to employee screening and reflects what smart HR leaders already know: risk doesn’t stop after day one. It evolves. So your screening strategy should too.
Here’s what AS 4811:2022 pushes for:
- Risk-tiered screening based on role sensitivity
- Identity verification and right to work checks verified against authoritative sources
- Ongoing monitoring for roles with elevated access or influence
And it’s not happening in a vacuum.
Across the board, we’re seeing regulatory schemes and risk management best practice push continuous monitoring toward being the expectation, not the exception. As Darcy details, we’ve seen APRA enforce annual checks for bank executives, WWC (Working With Children) check systems move to continuous monitoring, and SOCI (Security of Critical Infrastructure) guidelines urge ongoing monitoring.
Regulators sometimes cite these standards approvingly. Adopting such standards internally can both improve your process and serve as evidence that you took “reasonable precautions” to comply with legal obligations.
The message is clear: One-and-done is a liability.
What This Looks Like in Practice
Let’s say a trusted employee commits a serious offence after they’re hired. If that offence would’ve disqualified them from the role originally, and you don’t know about it? That’s not just bad optics. That’s a legal and reputational landmine.
Smart orgs are now:
- Asking employees to self-report charges or revocations
- Requiring annual declarations (e.g., “I haven’t been charged, lost credentials, etc.”)
- Periodically rerunning key checks, like police or credit reports, based on role sensitivity
This creates a culture of always vetted, not just “vetted once and forgotten.”
Implement Role-Based Screening (Risk-Based Approach)
Over-screening burns time, budget, and trust. Under-screening opens the door to serious risk. Smart HR leaders know: calibration is everything. A role-based (AKA risk-based) screening approach ensures you’re not flying blind… or overcorrecting.
Here’s how:
- Low-risk roles (think: entry-level, no system access) may only need ID verification, work rights, and reference checks.
- High-trust roles (finance, IT, leadership) should trigger more in-depth checks – police, credentials, even financial background.
Map this in a simple screening matrix. It turns your process into policy and helps your team apply it consistently.
This kind of calibration doesn’t just make business sense, it shows regulators you’re living up to privacy principles like proportionality (only collecting what’s necessary). It also gives you a solid defence against bias claims: checks are tied to risk, not vibes.
As Darcy mentions in the episode, don’t set it and forget it. As roles evolve, so does risk. Review your screening tiers regularly to keep pace with your org and the law.
Ditch “One-and-Done”: Why Ongoing Screening Is Becoming the Norm
Pre-hire checks are only part of the story. Risks don’t disappear after onboarding, they evolve. That’s why more companies are moving to continuous background screening for high-risk roles.
We’re talking about services that monitor public records, media mentions or credit alerts and flag major issues like criminal charges after hire. Useful? Absolutely. But it’s not plug-and-play.
Before you roll out post-hire monitoring, get your legal team in the room. You’ll need to:
- Navigate workplace surveillance laws
- Align with privacy regulations
- Get clear on what’s fair, legal and necessary
And if you’re storing background check data? Lock it down. That means:
- Encrypted databases
- Role-based access controls
- Retention schedules that don’t keep data longer than needed
You can’t claim to be serious about trust if your compliance game is sloppy.
Choose Screening Partners Who Have Your Back
Not all background check vendors are created equal, and their mistakes become your liabilities. Whether it’s verifying international degrees, running criminal history checks, or contacting references, you’re trusting that vendor to get it right.
✅ Look for accreditations (e.g., ACIC in Australia for criminal checks)
✅ Make sure data stays secure – and onshore, unless you’ve signed off
✅ Ask if they proactively update workflows to match evolving laws
A credible partner doesn’t just run checks, they help handle compliance, adapt to legal updates (like privacy reforms), and provide the audit trails you need to prove due diligence. Additionally, background screening vendors are offering more compliance-focused solutions – e.g., ISO 27001 certified platforms for data security and audit trails that show each step of a check was properly completed with consent.
It might be worth conducting a compliance audit of your background check process with your legal or risk team, benchmarking against these standards, especially as 2025 reforms kick in. Such an audit could reveal, for example, that you need to update your consent form language or add an extra step to verify contractor checks.
If your background check strategy hasn’t changed in five years, it’s time to rethink what “safe” really means. Certn can help you build a scalable, role-aware, compliance-friendly screening program, one that evolves as fast as your workforce does.
Preventing Fraud
As I mentioned in my last article, Is That Candidate Even Real? How to Deepfake-Proof Your Hiring Process, identity fraud is a growing threat in recruitment. There have been cases of imposters using someone else’s name to get a job. With more remote hiring, HR can’t always rely on face-to-face document checks.
Social Engineering: The Oldest Trick, Still the Easiest
Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise security without ever hacking a line of code.
In a hiring landscape shaped by speed and scale, social engineering remains the low-hanging fruit for threat actors. It’s cheap, it’s fast, and it works, especially when hiring teams rely on visual inspection alone.
What Social Engineering Looks Like in HR
In the context of HR and hiring, social engineering might look like:
- Forged documents that pass a visual sniff test (fake IDs, degrees, reference letters).
- Candidates impersonating others, using real identities to get hired under false pretenses.
- Phishing recruiters or HR team members to gain access to internal systems or candidate data.
- False references or coordinated backchanneling to present a fake employment history.
Why It Works
Because people trust too easily. We like to believe the person in front of us is who they say they are. And hiring is often fast-paced and high-pressure, which creates the perfect storm for manipulation.
Furthermore, most ID verification tools aren’t built for fraud detection; they’re built for onboarding speed. Many platforms still depend on human judgment – a recruiter eyeballing a passport image and checking a name.
As Darcy and I discuss, you don’t need to be a hacker genius to fake documents anymore. The tools are cheap and the skill barrier is low. With no-code deepfake generators, almost anyone can spoof a government ID or employment record.
What to Do Instead
- Invest in biometric identity verification solutions that match government-issued IDs to a live selfie using liveness detection.
- Demand direct-source verification from your screening partner. (No middlemen. No delays.)
- Run random spot checks on high-turnover roles or temp workers.
- Train your TA team to recognise red flags like identical formatting across different resumes or references that never answer the phone.
You don’t need to fear fraud, but you do need to face it.
In a world where identity can be faked with a few clicks, trust needs to be verified, not assumed. Overall, robust identity verification at the hiring stage underpins all other checks. You can’t rely on a criminal history check or other checks if you didn’t verify the person’s ID properly in the first place.
Final Word – HR’s Role in Cybersecurity Isn’t Optional
If your screening strategy hasn’t evolved since 2018, you’re not securing your business, you’re exposing it. Smart CHROs and TA leaders are already operating like CISOs: treating trust as an asset, risk as a metric, and screening as core infrastructure.
It’s not about paranoia, it’s about preparedness. As insider threats get smarter and compliance stakes get higher, HR teams that step up screening, tighten IT alignment and commit to continuous risk management won’t just reduce exposure. They’ll raise their strategic value inside the business.
Don’t hesitate to email me if you have any questions about vendor selection or how to secure your hiring process. You can also connect with me on LinkedIn.
—
Want to see how Certn helps companies fraud-proof hiring? Request a demo.