C (14:26)

And what these Personas can do is they're not just your voice and likeness, they also know who you are. They know where you work in the company, they know the org chart, they know your coworker's names, they know your job. They can get all this information from LinkedIn, from other data brokers, public sources, and they can have a very coherent conversation with you that really, you know, gets to the point and can get past a lot of your typical controls when you when you are ascertaining whether or not it's actually the individual. So I think that's what's changed. And that's available to everyone now, right? Anyone from an 8 year old to an 80 year old can do it. And it's really cheap now too. It used to be very expensive, but now it's super cheap.

D (15:10)

And we are back on the show floor at RSAC 2026 and it is my pleasure to be joined by Brian Long. He is the CEO and co founder of Adaptive Security. Brian, thanks so much for joining us.

C (15:23)

Hey, thanks for having me.

D (15:25)

So we are going to talk today about this problem that I think is relatively new in the industry, which is these folks trying to scam their way into becoming employees at our companies.

C (15:39)

Yes.

D (15:39)

Can we start off, just rewind a little bit and get a little bit of the history of how this even became a thing?

C (15:45)

Yeah, yeah. Well, you know, we've been worrying about insider risk for a few years now and AI has made insider risk really redefined to be a risk around deepfakes and impersonation job applicants and ultimately people applying to jobs and getting jobs who may not exist at all. Right. So we've seen a huge increase in the volume of job applicants that are actually not real people. They'll find someone's LinkedIn profile, they'll find their picture, their background and they'll pretend to be them and they'll get a job at the company. And now because the vast majority of companies actually employ remote employees, they never meet the person. Right. So it's growing at an astonishing rate.

D (16:27)

Tell us about that process. You know, I'm an HR person. I'm working with my team to try to onboard a new hire. What does this look like to me? Does it look normal? Like where, where do my red flags start going up?

C (16:41)

Yeah, look, HR people under a lot of pressure to find great applicants, particularly for maybe an engineering type of role or something that's highly sought after. So sometimes applicants can be a little quirky and you know, an applicant might go through the process and say, you know, oh no, I can't do it on site. You know, I, I just want to finish the process remotely. But hey, they did amazing. Their profile is amazing. We really need this hire. Let's just hire them. Most companies do not have controls in place that force someone to do an in person meeting for a remote based role. Right. It also costs money for the company. You know, they're going to fly the person in, they got to spend a bunch of time, put them in a hotel, etc. So it's a lot easier for companies to just hire remotely. But what's kind of crazy is that Gartner estimates that by 2028, one in four job applicants will be Impersonation applicants. So isn't that crazy? So almost 25% of applicants will not be real people. And you can see, once they get the job, they get access to all the systems, Then they can cause all sorts of havoc.

D (17:43)

Well, so let's dig into that aspect of it. What are they after here? Why. Why all this effort to pull one over? The HR staff?

C (17:51)

Yeah, well, look, once you're an employee at the company, a lot of companies do provide significant access to almost every employee, to all systems. Right? So, you know, sometimes if it's a very large company, maybe they're a bit smarter about that. But we've even seen in our own large, you know, sensitive government documents for a while that folks had access to everything, right? Like, one analyst would have access to, like, every wire that the US Government sends. So this. This issue of least privileged access is one that I think we're going to see grow greater and greater because we need to ensure that not every employee has that access. Some people are going to get these jobs regardless. And number two, we have to change the controls so that folks can't just get a job without meeting someone. What I'm worried about is that for that final step, they pay an actor to go in, you know, pretend to be the person, whatever, and they're not the person. Yeah, yeah.

D (18:42)

Is the fake person doing the work that's. That's required of them?

C (18:47)

Well, you know, look, they don't have to be in the job very long in order to get everything that they need. You know, plant ransomware, pull a bunch of confidential data and download it and grab it. You know, whatever they might want to do. They only need to be employed for like a day to do it. Now, there may be sleeper agents that keep the job for months or years and just slowly pull data out. I think that's happening right now at a lot of organizations as well. But that's probably more like a state actor who would do something like that rather than someone who is doing it for pure financial motives.

D (19:22)

Okay.

C (19:23)

Yeah.

D (19:23)

Well, let's talk about solutions. Putting those access controls in place. What is. What should the standard be these days? How do organizations protect themselves?

C (19:33)

Look, I would simplify it down to two core things, right? Number one is awareness. So most people, you know, we live in a bit of a tech bubble, right? We all live and breathe this every day. So this doesn't sound crazy to you and I, but the average person finds this to be totally insane. The idea that someone's going to impersonate someone else to get a job and get a remote job at their company sounds insane. So I think first getting that message out to everyone so they understand how big of a problem this is today is number one. Number two is controls. You should not be hiring someone if you have not met them in real life. And when you meet them in real life, you should verify it's really them. You know, talk to them about, you know, what they did. Do they actually have that information? Does it match the picture, the full background, et cetera, and make sure that indeed that is who they're pretending to be.

D (20:27)

Where do you suppose we're headed with this then? I mean, it seems to me like this is kind of a recalibration of almost where HR sits within the organization. Is that accurate?

C (20:38)

It is a recalibration, but I think the other reality is that now we're beginning to talk about digital co workers, right? We're talking about agents doing jobs. So I think it's not dissimilar from some of the controls that are needed to deal with access controls for agents and people. Those also need to account for these new type of threat situations that are happening with, you know, real hires as well. So a lot is changing very quickly and the modern workforce is going to have to adjust. Frankly, the workforce I'm most worried about is mid market to large mid market companies because I think that large businesses, tens of thousands of people, you know, particularly in areas like finance or tech, you know, they're going to be on top of this, they're going to deal with these changes quickly because they understand the threat and frankly, they have a much bigger security budgets. Right. So they can buy a bunch of the leading cutting edge security tools that are finding these issues and taking care of them. It's, you know, the millions of companies globally that have anywhere from 100 people to 10,000 people that are not ready for this at all and that we need to educate and put controls and also give access to reasonably priced cybersecurity software to protect them.

D (21:49)

What are your recommendations for organizations who feel as though they want to start this journey? Maybe they're feeling a little intimidated by the process. What's the best way to begin?

C (22:01)

Yeah, look, I think the best way to begin the journey is just to start to learn the basics. And if you do go to adaptivesecurity.com we do have a lot of free materials that you can access within our white papers. Also available at free adaptivesecurity.com is a bunch of free trainings that you can take targeted for older adults or for children and parents to teach them on the basics. And then if you want to roll things out customize to your organization, you can sign up to get a demo@adaptivesecurity.com all right.

D (22:30)

Brian Law Brian Long is the CEO and co founder of Adaptive Security. Brian, thanks so much for taking the time.

C (22:36)

Hey, thanks for having me. Appreciate it.

B (22:44)

There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show. Notes. Foreign. Most environments trust far more than they should, and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfiguration configurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. And finally, in late 2024, federal cybersecurity reviewers examined Microsoft's Government Community Cloud high and came away with what might politely be called concerns, and less politely, something closer to despair. According to ProPublica. After years of requesting basic documentation about how sensitive data moves and is encrypted inside the system, reviewers still lacked enough visibility to judge its security posture with confidence. Unfortunately for everyone involved, the product was already widely deployed across agencies like justice and Energy, making rejection awkwardly impractical. So Fedramp authorized it anyway, attaching what amounted to a proceed with caution label and hoping for the best. The decision followed years of incomplete diagrams, stalled reviews, and mounting pressure from agencies already committed to the platform. Critics now warn the process looks less like rigorous oversight and more like paperwork theater, especially as staffing cuts leave fewer people around to verify what exactly was approved in the first place. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.