Five Tips to Strengthen Know Your Employee (KYE) Processes
Anton Gurov, CISO
7 Min. Read | February 8, 2024
The modern work environment creates situations unthinkable a decade ago. Today, many employees will never step foot in an office or have face-to-face interactions with colleagues. While this flexible work model offers advantages for businesses as well as employees, it also presents significant security challenges, especially when it comes to reliable identity verification.
Employee identity risk and fraud have skyrocketed in recent years. The FBI recently warned that fraudulent job applicants are using deepfakes and stolen PII to obtain remote work positions. “Bait-and-switch” schemes are also on the rise, where the person interviewed by a company is not the person who is actually hired. In the best case, companies end up hiring someone completely unsuitable for the position. In the worst case, they onboard and provide access to cybercriminals who can install malware, steal confidential and privileged information, and more.
The risks go far beyond hiring and onboarding. Just this week, a multinational finance firm revealed that an employee was tricked into making a $25 million wire transfer by deepfake video and audio. The thieves used AI-generated likenesses of the company’s CFO and other known colleagues in a live video conference with the finance worker.
Know Your Employee (KYE) ensures that your employees are who they say they are.
What Is Know Your Employee (KYE)?
Know Your Employee, commonly abbreviated as KYE, is the process of verifying the identities and backgrounds of an organization’s current workforce and prospective new employees. KYE aims to ensure that employees are who they claim to be, and do not have a criminal background that poses an undue risk.
The KYE - Know Your Employee process continues past initial hiring and onboarding. Effective KYE involves continuous monitoring and regularly updating and reviewing employee information to identify any potential risks that may arise.
KYE vs. KYC
Know Your Customer (KYC) and Know Your Employee (KYE) are two essential processes in the realm of compliance and risk management. KYC verifies customer identities to determine if they are who they claim to be and discover any potential risks, ensuring adherence to anti-money laundering (AML) and other regulations. In contrast, KYE involves verification of employee identities and thorough background checks to reduce the risk of employee fraud and theft, and address internal compliance needs.
Both KYC and KYE share the common goal of mitigating risks, upholding legal standards and preventing fraud. The main distinction is in their focus: KYC is customer-oriented, while KYE centers on internal workforce dynamics. KYC is a point in time process, while KYE should be a continuous process, throughout an employee’s tenure. Integrating both processes is crucial for a comprehensive risk management framework in business.
The Growing Importance of Know Your Employee (KYE)
Identity verification poses an ongoing challenge for organizations. In fact, 40% of IT security experts named it a top identity security challenge in the 2024 Workplace Identity Security Trends report. This is likely to climb as new attack and fraud tactics make accurate identity proofing and verification increasingly difficult. A recent report by Onfido found a 3000% increase in deepfake attempts in 2023, thanks to face-swapping apps, generative AI and other readily available fraud tools.
The risks go far beyond non-compliance. Employee fraud tactics such as interview fraud, bait-and-switch scenarios, and unauthorized outsourcing, mean that the person doing the work may not be the person you interviewed or hired. This creates massive security risks for organizations.
Moreover, identity risks persist throughout the employee lifecycle – not just at hiring and onboarding. The recent breach of MGM resorts succeeded because attackers were able to impersonate an employee and convince the IT help desk to provide them with credential access to the corporate IAM service. Robust, continuous KYE processes could have prevented the attack. In this evolving landscape, a comprehensive KYE strategy is crucial for organizations to stay ahead of emerging threats, ensuring the integrity of their workforce and safeguarding against potential malicious activities.
Tips for Implementing Know Your Employee (KYE)
While every organization will approach KYE differently depending on their specific needs and structure, there are basic principles that hold across all workplaces.
Employ Multiple KYE Verification Methods
A thorough KYE approach requires layering multiple verification methods — which ones, and when to invoke them, will depend on the risk level of the employee verification scenario as well as organizational and environmental risks at play. Verification methods include document verification, facial biometric verification, live video, chat verification, as well as passive signals such as device/endpoint and location detection.
As we’ve seen, identity fraud techniques evolve rapidly — it’s critical that your KYE methods keep up. A robust KYE strategy should incorporate advanced technologies such as liveness detection to detect deepfakes and other AI-aided fraud.
Make It Easy for Your Admins and Employees
It’s human nature to circumvent processes that add an unreasonable burden. When done well, KYE - Know Your Employee processes should be fast and easy for both employees and administrators alike. This means automating processes as much as possible, requiring the right level of identity verification for the scenario, and using technologies that people are familiar with, like their smartphones. Of course security cannot be sacrificed for usability.
Continuously Monitor for Risk
Employee identity risks do not end with secure onboarding. Higher risk scenarios arise throughout an employee’s career. Resetting credentials, getting a new phone, logging in from unknown locations, gaining increased access privileges, personal financial problems, active cyberattacks — all can be situations of elevated risk. Your KYE controls should be ready to address these, taking specific measures according to risk level.
Don’t Operate in a Silo
It’s critical that your KYE processes and tools are connected and synchronized to your workforce identity security systems and HR system of record. The users accessing digital services may differ from the identities that IT believes they have. In other words, the digital identity may not match the real world identity. Your employee onboarding and identity verification procedures should be directly tied to your authentication processes, ideally using phishing-resistant, passwordless methods. As mentioned, it’s also important to invoke re-verification at certain times of increased risk. This means connecting your identity risk monitoring to your Know Your Employee (KYE) systems.
Keep Up With Current Regulations and Compliance
In the current regulatory landscape, it's not just ethical but imperative for businesses across various industries to comply with applicable statutes and standards. The incorporation of a robust "Know Your Employee" (KYE) process is a key aspect of this compliance. These checks are vital for verifying credentials, ensuring workforce integrity, and meeting legal obligations.
The consequences of non-compliance are severe, underlining the indispensability of KYE in any organization's overall compliance strategy. For example, a comprehensive KYE process is vital for Anti-Money Laundering (AML) compliance, helping identify potential risks and preventing misuse of the financial system.
Simplify and Strengthen Your KYE Controls With HYPR
HYPR Affirm is a cutting-edge identity verification solution designed specifically for large organizations to ensure trust in the identities of your workforce across the entire employee lifecycle. Utilizing AI-powered chat, video, and face recognition technologies, HYPR Affirm offers a secure and fully passwordless method for confirming employee identities. It provides IAL2 compliance and supports step-up re-proofing based on user behavior or risk.
Q: What is Know Your Employee (KYE)?
A: Know Your Employee is the process of verifying the identities of an organization’s workforce to make sure that they are who they say they are, and that they do not pose a risk to the company.
Q: Why is KYE important?
A: KYE ensures that you do not hire a fraudulent candidate and that only legitimate employees can access company data and resources.
Q: What are examples of real situations where it’s important to apply KYE processes?
A: KYE should be applied through the employee lifecycle, beginning with their first interactions with your company. This includes interviewing, at onboarding, at times of high-risk transactions, and other moments that bring an increased risk of fraud or attack.
Q: What is HYPR Affirm, and how does it facilitate know your employee (KYE)?
A: HYPR Affirm is tailored toward workforce identity verification requirements. It utilizes multiple identity proofing and verification methods, such as advanced biometrics and liveness detection, to guarantee that only authorized individuals can access corporate systems and data.
Anton Gurov currently serves as HYPR's CISO, focusing on Security, Compliance and Operations. Anton’s industry background is in mobile payments, ad tech and cloud management, with direct experience in PCI-DSS/SOC2/ISO/GDPR/CSTAR compliance in private/hybrid and cloud-native organizations. His career contributions led to 3 successful startup exits totaling $1.1B+. Anton had exposure to NIST standards and controls while pursuing FedRAMP at VMware.