Insider threats are no longer just about disgruntled employees. In 2025, threat actors are recruiting from within — sometimes using underground "job boards" to find insiders willing to sell credentials, plant malware, or steal data. In this episode of Today in Tech, host Keith Shaw talks with Ryan LaSalle, CEO of Nisos, about how insider threats are evolving and how companies can detect and prevent them.
Topics covered:
• How North Korean IT workers infiltrated U.S. companies remotely
• The rise of "polyworking" and fraudulent employment scams
• Real-world examples of sabotage and credential brokering
• Warning signs of insider threats: mental health, financial duress, disengagement
• Why remote and hybrid work has made detection harder
• Balancing employee trust with cybersecurity monitoring
Don't miss this important discussion if you work in InfoSec, HR, or IT management. Like this video, subscribe to our channel, and comment below with your thoughts or experiences!
#cybersecurity #InsiderThreats #RemoteWork #ITSecurity #TodayInTech #Nisos #KeithShaw #RyanLaSalle #Infosec #DataBreach #WorkplaceSecurity
Keith Shaw: In the world of cybersecurity, teams often focus on external threats—hackers or nation-states trying to breach systems. What's often overlooked, however, are insider threats, which can range from corporate spies to disgruntled employees or other bad actors.
On this episode of Today in Tech, we're checking in on the latest trends and tactics for identifying the bad apples—and learning how the bad guys are recruiting new help. Hi, everybody, welcome to Today in Tech. I'm Keith Shaw.
Joining me on the show today is Ryan LaSalle, CEO of Nisos. Welcome to the show, Ryan.
Ryan LaSalle: Keith, great to be here.
Keith: All right. So you're one of those cybersecurity people—you're probably paranoid all the time. Is that the case, or are you able to sleep at night?
Ryan: I sleep pretty well, but I try to balance optimism and paranoia in equal measure.
Keith: All right. So, the reason I've got you on the show, Ryan, is that there's been a bunch of recent events—like the discovery of North Korean nationals working remotely for U.S. companies in IT roles. We wanted to talk about this insider threat situation in 2025.
Another point you brought up before the show was how some bad actors are actively recruiting insiders. When did you start noticing this becoming a bigger issue for companies? Is this still a post-pandemic phenomenon, or is something else going on?
Ryan: Throughout my nearly 20-year career in cybersecurity, insider threats have consistently been a key issue for companies to manage. But they've evolved significantly. We've seen everything from high-visibility national security issues—like leakers and double agents—to disgruntled workers laying traps in anticipation of being fired.
Then you have external hackers stealing credentials and impersonating insiders, leaving security teams to figure out whether it's the real employee or someone who has hijacked their identity.
One trend that's really escalated post-pandemic is what we call "poly-working fraud"—where people hold multiple jobs, sometimes even with competitors, without employer approval. And as you mentioned, North Korea has made headlines recently by using employment scams to launder money and circumvent sanctions.
They place fraudulent workers into remote positions and use their salaries to fund things like their nuclear weapons program.
Keith: Is that because of the flexibility introduced by remote work during the pandemic? Maybe bad actors saw remote work as an easier entry point than trying to physically infiltrate a company?
Ryan: It's much harder to pretend to be someone you're not when you have to meet people in person. So yes, remote and hybrid work environments have made it easier for these actors to exploit vulnerabilities.
Keith: One of the most fascinating things to me is how they're now recruiting. Can you talk about what's happening there? It's almost like an Indeed.com or ZipRecruiter for bad actors, right?
Ryan: Absolutely. Most insider threat programs focus on monitoring behavior and access within the organization—which makes sense. But we're seeing early signs of insiders being recruited even before they're on the payroll, or offering up their access for financial gain. This activity often happens in closed groups or fringe social media spaces.
In the last quarter alone, we saw several companies targeted by recruiters seeking insiders—people with access willing to provide credentials, install malicious software, or steal data. Sometimes, these groups even advertise whole rings of insiders and actively try to recruit more people.
It's very much like a matchmaking service between attackers and insiders.
Keith: And they're doing this pretty openly, right? They're not even trying to hide it?
Ryan: Not exactly openly—they're not posting on X or Facebook. But they are active in hard-to-find forums. You need to know where to look. Still, they're not being subtle. They'll name the companies they're targeting outright.
Keith: So, if I wanted to sabotage a company from the inside, I wouldn't find these opportunities on Facebook—I'd have to dig deeper. And these aren't small-time targets either. Amazon's one of them, right?
Ryan: Yes, we wrote about Amazon. But we're also seeing this with retailers—particularly around chargeback and payment fraud. Any company with critical systems is a target: telecoms, cloud providers, managed service providers—you name it.
Keith: And they're offering bonuses and other incentives to do this?
Ryan: Yes. It's financially motivated. But the payments aren't huge. People aren't retiring to the beach—it's more like a side hustle.
Keith: Do you or your team ever talk directly with insider actors to understand their motivations?
Ryan: Some of our open-source investigators and intelligence professionals do. To do their job effectively, they need to understand the ecosystem and motivations involved. So yes, under different personas, our team will engage with these actors to gather intelligence. I don't personally—but the experts on my team do.
Keith: Insider threats often stem from disgruntled employees—especially during layoffs or firings. I saw a story where an IT worker sabotaged a system after being laid off and ended up in jail. Are we seeing more of this kind of thing, or are those just headline-grabbers?
Ryan: It's noteworthy but not necessarily more frequent. Disgruntlement is a major motivation, but there are others—like financial distress. When people are under pressure, they make bad decisions. Another factor is disengagement—after a reorg, people might feel isolated and unsupported, and that makes bad decisions more likely.
Mental health and wellbeing are increasingly concerning too. During the pandemic, companies emphasized grace and care. Now, there's been a shift back to harder corporate cultures, which may leave some employees feeling unsupported. If companies care less, they may see a rise in—let's call it—"disgruntledness."
Keith: I'm not blaming companies, but clearly, if they care less about employee wellbeing than they used to, that could fuel more insider threats. What signs should companies look for?
Ryan: Different companies will have different risk profiles, but some common indicators are:
• Declining performance
• Changes in demeanor or behavior
• Social isolation
The only way to catch these is through strong relationships between management and staff.
This also helps detect fraudulent employees—like North Korean operatives—who might slip through if no one's paying attention. Another area is family duress. Take China's "Thousand Talents" program—Chinese nationals working in strategic U.S. industries might be pressured by the CCP through their families. It puts good people in impossible situations.
Companies need to be aware of this risk—but without becoming xenophobic. That's part of what makes insider threat management so complex.
Keith: Before the show, you also mentioned the difference between malicious and non-malicious insider threats. Can you expand on that, especially how employers might distinguish between the two? Because if my performance dips, it might just be personal issues—not that I'm planning something harmful.
Ryan: The difference is intent. A malicious insider is deliberately trying to do harm, while a non-malicious one is making mistakes—accidentally sending sensitive data, clicking phishing links, etc.
For the accidental insiders, training and good security design can help—make it easy to do the right thing and hard to do the wrong thing. But you can't train away malicious intent. For both types, you need strong data monitoring to detect when controls are failing or being bypassed.
But the prevention strategy is different—non-malicious insiders need education, while malicious ones need detection and response.
Keith: Should companies assume they already have insiders—or that they might, even if their employees seem happy?
Ryan: Absolutely. Not every company has a malicious insider at all times, but insider risk is always present. It's like the old saying: there are two types of companies—those that have been breached and those that don't know it yet. Even accidental mistakes can expose data or cause reputational harm.
Many organizations struggle with the cultural shift from "we trust everyone" to "we trust, but verify." And these risks aren't limited to cybersecurity. The same dynamics apply to things like financial fraud, workplace harassment, and more.
Keith: But there's also the other extreme—companies that spy on employees 24/7. How do you strike that balance? How do you communicate "we trust you" while still putting safeguards in place?
Ryan: It's about transparency and trust. In regulated industries, people already assume their communications are monitored—it's a legal requirement. Most employees should expect that anything done with company resources is subject to monitoring.
That said, there's a difference between monitoring your corporate Teams usage and snooping through your Gmail on a personal phone. The goal is to protect the business while respecting boundaries.
Keith: Right. I get that, having covered this space for a long time. But the average employee may not realize that their work emails or Slack messages can be monitored. You also look at public social media. Should companies be doing that too?
Ryan: Let's start with the cultural part—trust is key, even while monitoring. How you conduct investigations sets the tone. If you assume bad intent from the start, you'll erode trust. If you approach it with curiosity and care, people feel respected.
That's why HR should always be a partner in insider threat programs. They bring the human perspective and help ensure respectful handling of issues. This builds trust instead of paranoia.
Keith: And what about monitoring external social media—should companies do that themselves or outsource it?
Ryan: It depends. Some companies have the talent in-house; others work with firms like ours. You're looking for "indicators of concern," like:
• Collusion
• Inappropriate access
• Too many privileges
From the outside, it could be things like financial duress, criminal activity, or foreign intelligence ties.
Sometimes employees don't realize they're exposing themselves—or the company—by who they associate with. So it's also about helping them understand that risk.
Keith: But do people really post that kind of thing? Like, I wouldn't share that I'm in debt on social media. So how do companies even find that stuff?
Ryan: Usually, it starts with internal indicators—like unusual behavior or access patterns. That prompts us to investigate further. Then we might find criminal activity, espionage, money laundering, malware sales, etc. These aren't visible on mainstream platforms—they're happening in closed or underground forums.
But yes, we look to see if individuals are participating in those communities.
Keith: So when you talk about social media, you're really talking about dark web forums or fringe spaces—not Instagram or Twitter?
Ryan: Correct. The big platforms still have issues, but they're actively fighting things like illicit drug trade and child exploitation. If your employee is involved in that, you'd want to know. But most of the recruiting and malicious behavior happens in harder-to-access forums—on the deep or dark web.
Keith: And the bad guys use those same spaces for recruitment, right? It's like a constant battle.
Ryan: Exactly. It's an arms race. Defenders are always trying to gain an advantage and catch threats before they cause real damage.
Keith: Whose job is all this? Is it the CISO, or someone else on the IT team?
Ryan: It usually falls under information security or corporate security. Often there's an insider threat team or protective intelligence group, working independently or with external partners like us.
Keith: What does the future hold? Are insider threats going to increase? Or could things level off with better policies?
Ryan: Insider threats will always be an issue. The tactics and motivations will evolve — North Korea's employment scams are a great example. And with AI and deepfakes, things will get even harder to detect.
Just like in broader cybersecurity, we'll see a few companies manage this really well, a few ignore it, and most fall somewhere in the middle — trying to mature their capabilities. As this risk vector grows, more companies will respond, trying to contain the damage to a manageable level.
Keith: Ryan LaSalle, thanks again for joining the show and shedding light on this important topic. Great stuff. That's all the time we have for this week's episode. Be sure to like the video, subscribe to the channel, and drop your thoughts below if you're watching on YouTube.
Join us every week for new episodes of Today in Tech. I'm Keith Shaw — thanks for watching.