Estimated reading time: 8 minutes
In today’s interconnected digital landscape, businesses face significant risks that directly affect their bottom line. The emergence of remote work, global subcontractors, cloud services, and Artificial Intelligence (AI), while increasing efficiency, has also dramatically expanded the potential for cyber threats. The question of identity verification becomes paramount when considering the potential business impact of fraud and security breaches. To better understand this landscape and the threats we face, we spoke with Bojan Simic, CEO of the identity cybersecurity firm HYPR, which provides passwordless authentication solutions to help organizations secure user identities and prevent credential-based attacks.
Insider threats have always existed, but the digital age has magnified their scale and speed. “The difference now is the insiders aren’t inside anything. They are working for your company, but they’re not in your offices,” says Simic.
The Old “Inside Job” Got a New Perimeter
We used to picture the insider hauling data out on a USB stick. You saw them. You checked badges. The threat felt physical. Now the ‘inside job’ happens from a couch 6,000 miles away. Simic puts it bluntly: “Now it’s, I’ll take 10 grand to give you a password to my account, I’ll just pretend that I clicked the wrong link and it was an accident.” Remote work gives plausible deniability. Without a body in a building, intent gets slippery, accountability gets harder, and speed favors the attacker.
Face/Off, but Real-Time
The 1997 film Face/Off, in which a villain swapped faces, via surgery, with the person pursuing him, felt like sci-fi. Today, it’s less bloody and reads like product documentation. Off-the-shelf software can hijack a camera feed and project a different face in minutes. Pair that with voice cloning, instant translation, and a LinkedIn-fueled dossier, and your “colleague” looks and sounds convincing, live. The “sophistication is extraordinary,” says Simic. “Anybody can go on Git Hub download software that lets them hook into the camera stream and puts a face on the image that’s being received by the camera.”
“Combine that with open-source intelligence, and you have a very, very convincing ability to impersonate somebody,” Simic notes. The cost is low, the learning curve shallow, and the outputs good enough to beat casual checks.
Globalization Removed the Last Friction: Language
Security used to lean on culture and language as gut checks. Not anymore. A Japanese bank CISO once told Simic that social-engineered attacks didn’t target their help desk because the hackers didn’t speak Japanese. “Now with AI,” Simic says, “all those Russians speak Japanese.” Geography stopped protecting you. Culture stopped protecting you. The grift globalized.
Bureaucracy vs. Reality
Corporate processes have not kept pace. HR and vendor management still operate as if it were 2000, while impersonation tech lives in 2025. Companies stall on obvious fraud because “no one wants to be sued” for accusing the wrong person. Security ownership ping-pongs between HR, IT, and security. “Somebody detects that somebody is being impersonated, and it still takes two-three months to fire that person,” says Simic.
The result is predictable: executives fear friction, churn, and headlines, so change often waits.
The Business Cost of “Frictionless”
Leaders equate added security with lost velocity. They’re not wrong to worry. Customers hate friction. So do employees. But attackers exploit that bias. Consider the long tail after a breach: suspended services, angry customers, slowed sales, and the gradual erosion of trust and operations over time. The more we prize seamless, the more we reward the person who can most convincingly pretend to be “Bill” calling IT. Simic sees companies “stuck between a rock and a hard place”—move fast and break trust, or slow down and lose to competitors. That’s not a real choice; it’s a demand for better controls that don’t feel like punishment.
Get The Cyber Insurance News Upload Delivered
Every Sunday
Subscribe to our newsletter!
What Works Now
Continuous, event-driven verification
One-and-done identity checks are dead. “You can’t verify somebody on Tuesday and not verify them again for five years or one year,” Simic says. Verify at key moments, such as onboarding, access escalation, profile changes, and high-risk service desk requests, as well as whenever behavior appears anomalous, like their location is suddenly odd or uncharacteristic. To streamline this process, consider using a checklist for when to verify:
- Onboarding new staff or vendors.
- Changes in access privileges or roles.
- Anomalous or suspicious behavior detection, such as unexpected locations or activities.
Automate this verification process and make it routine.
Phishing-resistant, non-shareable credentials
Passwords are negotiable instruments; passkeys and hardware-backed factors aren’t. Design your auth so employees can’t share it, even if they try. They can’t click a link and expose the company accidentally, and they can’t intentionally pass their access to someone else.
Kill “trust” by phone
Many of us now treat banks with skepticism. You get a call and you pause, but we still trust internal IT interactions.
“We see it in these social engineering calls that I’ve heard,” says Simic. He painted one scenario:
Bill calls IT – “Hey, it’s Bill. I can’t log in. Help me out here.”
IT – “Sure, Bill, what car do you drive?
Bill – “Oh man, it was a Toyota…”
Then, wanting to help, IT fills in the blank “Camry?”
Bill – “Yes, Camry!” And “Bill” is in.
Simic goes on, “If that doesn’t work, I’m going to hang up, and next time I’ll say Ford.”
Flip that norm. Train the workforce to challenge every inbound request, even from “IT,” and give them a dead-simple way to verify out-of-band (via a known portal, a push prompt, or a directory-based call-back flow).
Third-party parity
Your security is only as strong as the most gullible contractor. Simic points out that “A Fortune 500 [company] has thousands [of vendors]. And every single one of those is an attack vector.” Treat vendors, BPOs, call centers, and MSPs like employees for identity and access. If they can access data or credentials, they must meet the same standard.
Telemetry for remote work
If you want anywhere-work flexibility, accept more visibility. Think least-invasive first: device health, geo-velocity checks, risky session prompts, and ephemeral access. Recordings of entire work sessions, more proof at the moment of action.
“At the end of the project, you get the screen recording with the camera of them working on your project the entire time. If it takes them two weeks, you get two weeks of recording,” says Simic. “That’s where we’re heading if you want the flexibility of being a remote employee and doing your job from anywhere.”
A far greater level of scrutiny.
Watch HYPR CEO BOJAN SIMIC ON THE CYBER INSURANCE NEWS AND INFORMATION PODCAST
Rethinking “Friction”
Not all friction is bad. Bad friction confuses users and slows revenue. Good friction appears exactly when risk spikes and disappears otherwise. That’s the design brief: make the secure path the easy path, and make risky behavior feel like the detour. The right control at the right moment isn’t a tax—it’s a guardrail.
The Past Was People. The Future Is, Too.
History helps here. From street cons to wartime deception, people manipulated trust long before deepfakes. Technology just scales the old tricks. We won’t policy our way out of human nature. But we can align incentives and eliminate tools that reward bad choices. Don’t let passwords be currency. Don’t let one interview define “who someone is” for the life of their account. And don’t outsource identity confidence to a help desk script.
The New Baseline
Leaders don’t need to make security “harder.” They need to make certainty cheaper, faster, and more continuous than the con. Start with non-shareable credentials. Layer event-driven verification. Extend controls to every third party. Build humane prompts that appear when risk spikes and vanish when it doesn’t. Then measure what matters: fewer successful impersonations, faster detection, smaller blast radius.
We engineered a world where anyone can work from anywhere with anyone. Now we must prove that anyone is a real person and not a manufactured moment. As Simic puts it, the old insider never left; they just lost their badge and gained a broadband connection. The job, as ever, is trust. Only now it has to work at network speed.
Finally, I asked Simic the obvious, 800-pound gorilla question, “In the case of a fake IT worker in North Korea, or wherever, why do they do it?”
After a pause and a chuckle, he said, “Money.”
Related Posts
