Most companies think about cybersecurity after someone has already been hired.
That is too late.
By the time a new employee has a laptop, email account, payroll profile, VPN access, file shares, customer records, and a manager who is eager for them to “hit the ground running,” the business has already made a security decision. Maybe it was intentional. Maybe it was just the path of least resistance.
HR security is about making those decisions deliberately.
It does not mean treating every applicant like a criminal. It means recognizing that hiring, onboarding, access, training, contracts, and offboarding are all part of your security program. If an attacker can get hired, impersonate a candidate, intercept a laptop, or talk their way into admin access, they do not need to break in.
You invited them.
The Hiring Process Is a Security Control
The first question is simple:
Are applicants who they say they are?
For in-person hiring, that question is usually easier to answer. For remote roles, contract roles, IT roles, finance roles, and anyone with access to customer data, the risk is much higher.
Fake applicants are no longer just a theoretical problem. U.S. law enforcement has repeatedly warned that overseas IT workers have used stolen identities, fabricated resumes, fake websites, U.S.-based facilitators, and “laptop farms” to obtain remote jobs at American companies. In some cases, company-issued laptops were shipped to one location and then remotely accessed by someone in another country.
That should change how businesses think about remote hiring.
Good applicant validation includes:
- Live video interviews with the same person across the process
- A documented identity verification step before access is granted
- Background checks appropriate to the role
- Employment, education, license, or certification verification where relevant
- Reference checks using independently verified contact information
- Technical assessments that are hard to outsource in real time
- A review of inconsistencies across resume, interview, location, payroll, tax, and shipping information
- Extra scrutiny for roles with access to source code, finance systems, customer data, patient data, infrastructure, or intellectual property
Be careful here. Screening must be legal, consistent, and job-related. If you use a third-party background check company in the United States, the Fair Credit Reporting Act has specific disclosure, authorization, and adverse action requirements. Criminal history screening also needs to be handled carefully to avoid discriminatory impact.
The goal is not to create a hiring process based on suspicion. The goal is to create a hiring process that is consistent enough that scammers cannot simply talk their way through it.
Watch for Fake Applicant and Remote Worker Red Flags
No single red flag proves anything. People move, use nicknames, have weak internet, and make honest mistakes. But patterns matter.
Pay attention when:
- The candidate refuses live video or repeatedly has camera problems
- The person in the interview does not appear to match the identity documents or public professional history
- Different people appear at different interview stages
- The candidate’s resume, LinkedIn profile, GitHub profile, portfolio, or references appear recently created or unusually thin
- References only respond through personal email accounts or cannot be independently tied to a real employer
- The candidate pushes hard for remote access before identity or employment eligibility steps are complete
- The shipping address is a freight forwarder, coworking space, mailbox store, unrelated residence, or otherwise inconsistent with the employee’s claimed location
- Payroll, tax, IP geolocation, address, and identity information do not line up
- The candidate asks to use personal devices for sensitive work when company equipment is required
- They ask for unusual payment arrangements, crypto, third-party bank accounts, or payroll changes early in employment
These indicators should trigger review, not automatic rejection. Your process should give HR, legal, IT, and the hiring manager a way to pause and validate before the company ships equipment or grants access.
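The cross-record consistency check described above, as an added example that is not part of the original post: it compares the states a candidate claims, reports to payroll, ships equipment to, and interviews from, and returns reasons to pause for review rather than an automatic rejection. The `HireRecords` fields, the geolocated interview states, and the risky address types are constructed assumptions; a real deployment would pull them from HRIS, payroll, the IdP sign-in log, and the shipping system.

```python
"""Cross-record consistency review for a remote hire (added example, not the post's code).
All records below are constructed sample data standing in for HRIS, payroll, IdP and shipping feeds."""
from __future__ import annotations
from dataclasses import dataclass

# Address types the post says should not receive equipment without an approved reason.
RISKY_SHIP_TYPES = {"freight_forwarder", "coworking", "mailbox_store", "hotel"}


@dataclass
class HireRecords:
    claimed_state: str             # state the candidate says they live in
    payroll_state: str             # state on the payroll / tax withholding profile
    shipping_state: str            # state of the laptop shipping address
    shipping_type: str             # "residential", "freight_forwarder", ... (assumed labels)
    interview_states: list[str]    # geolocated states of interview / first-login IPs
    video_refusals: int = 0        # times the candidate declined or "lost" live video
    same_person_all_stages: bool = True


def review_flags(r: HireRecords) -> list[str]:
    """Return human-readable reasons to pause. An empty list means nothing was raised.
    Flags are inputs to HR/legal/IT review, never an automatic rejection."""
    flags: list[str] = []
    states = {r.claimed_state, r.payroll_state, r.shipping_state}
    if len(states) > 1:
        flags.append(f"claimed/payroll/shipping states differ: {sorted(states)}")
    if r.shipping_type in RISKY_SHIP_TYPES:
        flags.append(f"shipping address is a {r.shipping_type}")
    elsewhere = [s for s in r.interview_states if s != r.claimed_state]
    if elsewhere:
        flags.append(f"interview IPs geolocate outside claimed state: {elsewhere}")
    if r.video_refusals >= 2:
        flags.append(f"live video declined {r.video_refusals} times")
    if not r.same_person_all_stages:
        flags.append("different people appeared across interview stages")
    return flags


def decision(r: HireRecords) -> str:
    """'proceed' or 'hold'. A hold blocks equipment shipment and account activation
    until the flags have been validated by the people the post names."""
    return "hold" if review_flags(r) else "proceed"


if __name__ == "__main__":
    sample = HireRecords("MN", "MN", "TX", "freight_forwarder", ["MN", "CA"], video_refusals=2)
    print(decision(sample), review_flags(sample))
```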
Secure Credential Transfer Before the First Day
One of the easiest ways to create unnecessary risk is to send credentials badly.
Do not email a password. Do not put a password in the laptop box. Do not text a permanent password. Do not ask the employee to reuse a personal password. Do not create a shared “new hire” account.
Use a controlled process:
- Verify the employee’s identity before account activation.
- Create the account in your identity provider, such as Microsoft Entra ID, Google Workspace, Okta, or another SSO platform.
- Require MFA enrollment before the account can access business systems.
- Use a temporary activation flow that expires quickly.
- Deliver any temporary secret through a separate verified channel.
- Force password reset at first login.
- Require the first login from the managed device when possible.
- Confirm successful login during a live onboarding call for remote employees.
If you use a password manager, invite the employee after identity verification and MFA setup. Shared credentials should be stored in the password manager with role-based access, not sent through chat or email.
For high-risk roles, consider delaying sensitive access until after the employee has completed live onboarding, security training, acceptable use acknowledgement, and device posture checks.
Shipping Laptops Without Feeding a Laptop Farm
Remote work changed the asset handoff problem.
Shipping a laptop is not just a logistics task. It is a security decision.
Before shipping:
- Confirm the employee’s identity and start date
- Confirm the shipping address through a documented process
- Avoid shipping to mail drops, hotels, coworking spaces, freight forwarders, or unrelated third-party addresses unless there is a legitimate approved reason
- Require direct signature where practical
- Record serial number, tracking number, recipient, and delivery confirmation
- Pre-enroll the device in MDM or endpoint management
- Encrypt the device before shipment
- Install EDR before shipment
- Block local admin rights by default
- Require MFA and device compliance before business app access
- Disable remote desktop tools that are not explicitly approved
At first login:
- Have the employee join a live onboarding session
- Confirm the device serial number
- Confirm that the user can sign in with their own account
- Verify that endpoint protection, disk encryption, patching, and MDM check-in are working
- Require security training before granting access to sensitive systems
The laptop should arrive as a controlled endpoint, not as a blank check.
Onboarding Should Be a Security Workflow
Most onboarding checklists are built around productivity:
- payroll
- benefits
- equipment
- team introductions
Those are necessary, but incomplete.
Security onboarding should include:
- Acceptable use policy
- MFA setup
- Password manager setup
- Phishing and social engineering awareness
- Data classification basics
- Customer data handling
- Patient data handling, if applicable
- Confidential information and trade secret expectations
- Remote work expectations
- How to report suspicious activity
- How to report lost devices
- How to request access
- How to escalate security concerns without fear of embarrassment
Make this practical. New employees do not need a two-hour lecture full of acronyms. They need to know what data they can access, where it can be stored, what tools are approved, who to ask, and what to do if something feels wrong.
Start With Least Privilege
New employees should not receive broad access just because someone wants to avoid future tickets.
Access should be based on:
- role
- department
- manager approval
- business need
- data sensitivity
- system risk
Create standard access profiles for common roles. For example:
- Sales development
- Account management
- Finance
- HR
- IT help desk
- Developer
- Executive assistant
- Contractor
Each profile should define what the role gets on day one and what requires separate approval.
For sensitive access, use a second approval step. This includes:
- financial systems
- payroll
- HRIS
- production infrastructure
- source code
- domain administration
- customer databases
- electronic health records
- security tools
- backup systems
Admin access should be separate from daily user accounts. Privileged access should use MFA, logging, just-in-time approval where possible, and periodic review.
The goal is not to slow everyone down. The goal is to keep a new hire, compromised account, or bad actor from immediately doing business-ending damage.
Validate That People Are Not Sharing Trade Secrets
You cannot protect trade secrets only with an NDA.
Contracts matter, but trade secrets also require actual protection. If every employee has access to everything, files can be downloaded without logging, and customer lists can be exported to personal email, the business may have a hard time proving it treated that information as secret.
Practical protections include:
- Limiting access to confidential information based on role
- Using data classification labels
- Blocking personal email forwarding
- Restricting personal cloud storage
- Logging access to sensitive repositories and customer records
- Monitoring unusual downloads or mass exports
- Using DLP for email, cloud storage, and endpoints
- Watermarking sensitive reports where appropriate
- Requiring approval for exports of customer lists, source code, pricing models, or patient data
- Reviewing access when employees change roles
- Removing access immediately during offboarding
Be thoughtful with monitoring. Employees still have privacy rights, and overly aggressive surveillance can create legal and culture problems. Focus on business systems, business data, and clear policies that employees have acknowledged.
Contracts and Policies You Should Discuss With Counsel
This is where HR, legal, and security need to work together.
For employees who can access customer data, patient data, source code, financial data, trade secrets, sales pipelines, pricing, or internal systems, consider counsel-reviewed agreements and policies covering:
- Confidentiality and nondisclosure
- Trade secret protection
- Intellectual property assignment
- Acceptable use
- Remote work
- Bring-your-own-device restrictions
- Security awareness and incident reporting
- Conflicts of interest
- Outside employment
- Customer and employee data handling
- HIPAA obligations, if applicable
- PCI obligations, if applicable
- Return of company property
- Post-employment confidentiality
- Non-solicitation, where lawful and appropriate
- Invention assignment, where appropriate
Be especially careful with noncompetes. The federal FTC noncompete rule is not currently enforceable, and state law varies. Minnesota also restricts most new post-employment noncompete agreements entered into on or after July 1, 2023, with limited exceptions. That does not mean businesses have no protection. It means you should rely on properly drafted confidentiality, trade secret, IP, customer data, conflict-of-interest, and non-solicitation provisions where legally appropriate.
Do not download a generic agreement and assume it solves the problem. Employment contracts are one of those places where “cheap” can get expensive quickly.
Overemployment: Treat It as a Policy, Performance, and Conflict Issue
Overemployment means someone is trying to hold multiple full-time jobs at the same time, usually in remote roles, while hiding that fact from one or more employers.
The security concern is not that someone has a side project. Many employees do. The concern is when undisclosed outside work creates:
- conflicts of interest
- divided attention during business hours
- use of company devices for another employer
- exposure of confidential data
- missed security responsibilities
- access by another person in the home
- work for a competitor
- false time reporting
- inability to respond during incidents
Handle this directly in policy.
A good outside employment or conflict-of-interest policy should explain:
- whether full-time employees may hold other jobs
- whether approval is required
- what kinds of outside work are prohibited
- expectations for availability during working hours
- prohibition on using company devices, accounts, or data for outside work
- confidentiality expectations
- reporting obligations for conflicts
Then manage the employee based on measurable expectations. Missed meetings, unavailability, poor output, policy violations, suspicious device use, and conflicts of interest are actionable. Vague assumptions are not.
Do Not Forget Contractors, Agencies, and Vendors
Many companies apply more scrutiny to employees than contractors, even when contractors have the same or greater access.
That is backwards.
Contractors, fractional executives, outsourced developers, MSP technicians, recruiters, bookkeepers, marketing agencies, and consultants may touch sensitive systems or data. They need controls too.
At minimum:
- Identify who the actual human users are
- Prohibit shared vendor accounts
- Require MFA
- Require named accounts
- Limit access by scope and time
- Require contractual data protection obligations
- Confirm whether subcontractors are allowed
- Require notification before personnel changes
- Remove access when the engagement ends
- Review vendor access periodically
If a vendor manages your systems, they can become an attacker’s easiest path into your business.
A Practical HR Security Checklist
Use this as a starting point.
Before offer:
- Define role risk level
- Decide what screening is job-related
- Use consistent interview and verification steps
- Validate employment, licenses, or credentials where needed
After conditional offer:
- Complete background screening legally
- Complete identity and employment eligibility steps
- Validate shipping address before sending equipment
- Prepare contracts, policies, and acknowledgements
Before day one:
- Create identity provider account
- Require MFA
- Enroll device in MDM
- Install EDR
- Assign only baseline role access
- Prepare password manager invite
- Schedule live security onboarding
During week one:
- Confirm device posture
- Complete security training
- Review data handling expectations
- Review acceptable use and remote work rules
- Confirm access is sufficient, not excessive
Ongoing:
- Review access after 30 to 60 days
- Monitor unusual data movement
- Review privileged access regularly
- Reconfirm conflicts of interest when roles change
- Test offboarding process
At termination or resignation:
- Disable accounts promptly
- Revoke tokens and sessions
- Recover devices
- Remove password manager access
- Review recent sensitive data access
- Preserve logs if there is a concern
- Remind the employee of continuing confidentiality obligations
Useful Resources
Here are a few places to start:
- USCIS Form I-9 and E-Verify guidance
- FTC guidance on employment background checks
- EEOC guidance on background checks
- FTC noncompete rule status
- U.S. Department of Justice reporting on North Korean remote IT worker schemes
- Minnesota DEED small business note on noncompete changes
- Your employment attorney
- Your cyber insurance requirements
- Your incident response plan
- Your written information security program
Final Thought
HR security is not about making hiring hostile.
It is about making trust earned, documented, and appropriately limited.
A good process protects the business, protects customers, protects patients, protects employees, and protects honest applicants from being mixed in with preventable fraud. The best time to build that process is before the offer letter goes out.
Once the laptop ships and the account is active, the clock is already running.
If you are not sure whether your hiring, onboarding, access control, or offboarding process would catch these issues before they become expensive, it is worth taking a closer look.
MN Risk & Cybersecurity Advisory. Cybersecurity guidance for small & mid-sized businesses. Local. Independent. Vendor-neutral.