Last year, KnowBe4 — a cybersecurity training company, of all things — hired a software engineer who turned out to be a North Korean operative. He passed the background check. He sat through video interviews. He cleared the references. Then on his first day, his company-issued laptop started running malware against KnowBe4’s own systems.
If you’re a Calgary business owner reading this, your first reaction is probably some version of “well, I’m not hiring software engineers, so this doesn’t apply to me.” But it does, and the reason is worth understanding before we get to the rest of it.
Most IT companies don’t do all the work themselves. They use contractors — third parties who write scripts, manage infrastructure, handle after-hours support, configure equipment. Those contractors often have access to the same systems your IT provider does, which means they often have access, directly or indirectly, to your business. And because most IT companies don’t talk much about who’s actually doing the work, you usually have no idea who any of those people are.
The KnowBe4 incident isn’t really a story about one company getting fooled. It’s a story about how brittle the verification systems most companies rely on actually are — and how that brittleness gets passed down the chain to clients who never knew they were exposed in the first place.
What Actually Happened
The short version: KnowBe4 posted a remote job. They got a candidate with a polished resume and a working LinkedIn presence. They ran a background check, did video interviews, and verified what they thought was a US-based identity. The candidate cleared all of it.
What they didn’t catch was that the photo on the ID had been digitally manipulated, the US address tied to a real person was being used as a “laptop farm,” and the actual operator was working from somewhere in Asia, routing his connection through equipment shipped to that US address. The US-based identity wasn’t real. The work was being done by someone affiliated with a North Korean state operation that has, by FBI estimates, placed thousands of operatives inside Western companies using the same playbook.
KnowBe4 caught it because their endpoint detection flagged the malware on day one. Most companies wouldn’t. That’s the part of the story that should keep IT vendors up at night.
Why This Is a Supply Chain Problem
When you hire an IT provider, you’re not just hiring the people you meet during the sales process. You’re inheriting whatever decisions they’ve made about who they let into their systems. If they use offshore contractors with weak verification, that’s now part of your security posture. If they hand off after-hours work to a third party, that’s a third party with the keys to your environment whether you ever heard their name or not.
This is the part of MSP work that doesn’t come up on sales calls. Most clients have never asked their IT provider how contractor access is managed, partly because they didn’t know to ask, and partly because the answer is often uncomfortable. The standard answer, if you do ask, is something along the lines of “our contractors are vetted.” That isn’t an answer. It’s a deflection that sounds like one.
What We Changed Before This Became News
We’re going to talk plainly about how we handle this, because the only way the standard in this industry improves is if more clients know what to ask for. Some of these practices we put in place years ago, well before the KnowBe4 incident made them part of the conversation.
We do live identity verification. Anyone we contract with sits through a live video call with a real person on our team, and during that call they hold up a government-issued ID that we cross-reference against the face on camera in real time. Not a scanned PDF emailed in advance. Not a static photo on a profile. A live human, holding the document, talking to us. This is exactly what KnowBe4’s process didn’t catch, and it’s the first thing that breaks the laptop-farm model.
We validate payment routing. If someone tells us they’re in Vancouver and we’re sending payments to a bank account that routes through a different country, that’s a flag worth following up on. The North Korean operation works in part because money eventually has to flow somewhere, and that somewhere doesn’t usually match the cover identity. Watching for that mismatch costs almost nothing and catches a category of fraud that résumés never will.
We ban high-risk jurisdictions outright. There are countries we will not contract from, regardless of how qualified an individual candidate appears, because the risk profile of operating there is incompatible with the access a contractor would otherwise have. This narrows our hiring pool. We’ve decided that’s the right tradeoff.
Most importantly: we never give third-party contractors direct access to our infrastructure or to any client’s environment. Ever. If a contractor is working on something that will eventually touch a client system, the work product is handed back to us, reviewed by someone on our team, and implemented by us. The contractor never connects directly to anything that matters — not a server, not a tenant, not a network device.
And contractors never see customer data. Not for diagnostics, not for testing, not for anything. If we need a contractor to work on something that involves real-world data, that data is sanitized first — identifiers stripped, environment scrubbed — to the point where the contractor can’t tell which client it belongs to. Often they don’t even know there’s a specific client involved at all.
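As an added illustration of the sanitization step described above (example code, not the provider's own tooling), the following Python scrubs a support-ticket export before it could be handed to a contractor. It replaces client names, tenant domains, e-mail addresses and internal IPs with pseudonyms derived from an HMAC under a key that stays in-house, so the contractor sees consistent tokens (the same host appears as the same token everywhere, which keeps the diagnostic usable) but cannot tell which client the data belongs to. The ticket contents, the key and the field names are all constructed for this example; a real export would have its own schema.

```python
import hashlib
import hmac
import json
import re

# Constructed sample ticket (hypothetical client, domain and addresses).
SAMPLE_TICKET = {
    "client": "Acme Dental Ltd",
    "tenant_domain": "acmedental.ca",
    "contact_email": "reception@acmedental.ca",
    "hosts": ["10.20.30.41", "10.20.30.42"],
    "notes": ("VPN drops for reception@acmedental.ca on 10.20.30.41 since Monday; "
              "acmedental.ca MX unaffected."),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Sanitizer:
    """Replaces identifying values with keyed, consistent pseudonyms.

    The key never leaves the provider; the reverse mapping is kept in-house
    so findings can be re-identified when the work product comes back.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.mapping = {}  # pseudonym -> original value (stays in-house)

    def token(self, kind: str, value: str) -> str:
        digest = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
        pseudonym = f"{kind}-{digest}"
        self.mapping[pseudonym] = value
        return pseudonym

    def scrub_text(self, text: str) -> str:
        # E-mails first: an address contains the tenant domain, so it must be
        # tokenised as a whole before the bare domain is replaced.
        text = EMAIL_RE.sub(lambda m: self.token("email", m.group(0)), text)
        text = IP_RE.sub(lambda m: self.token("ip", m.group(0)), text)
        return text

    def sanitize_ticket(self, ticket: dict) -> dict:
        client_token = self.token("client", ticket["client"])
        domain_token = self.token("domain", ticket["tenant_domain"])
        notes = ticket["notes"].replace(ticket["client"], client_token)
        notes = self.scrub_text(notes)
        notes = notes.replace(ticket["tenant_domain"], domain_token)
        return {
            "client": client_token,
            "tenant_domain": domain_token,
            "contact_email": self.token("email", ticket["contact_email"]),
            "hosts": [self.token("ip", h) for h in ticket["hosts"]],
            "notes": notes,
        }


def find_leaks(sanitized: dict, original: dict) -> list:
    """Return every original identifier that still appears in the sanitized export.

    This is the release gate: an empty list means the export may leave the team.
    """
    identifiers = {original["client"], original["tenant_domain"], original["contact_email"]}
    identifiers.update(original["hosts"])
    identifiers.update(EMAIL_RE.findall(original["notes"]))
    identifiers.update(IP_RE.findall(original["notes"]))
    blob = json.dumps(sanitized)
    return sorted(i for i in identifiers if i in blob)


if __name__ == "__main__":
    s = Sanitizer(b"constructed-demo-key-not-for-production")
    out = s.sanitize_ticket(SAMPLE_TICKET)
    print(json.dumps(out, indent=2))
    print("leaks:", find_leaks(out, SAMPLE_TICKET))
```

The leak check is the part worth keeping even if the scrubbing rules are replaced by a commercial tool: it is cheap to run on every export and fails closed when a new identifier type (a hostname pattern, an account number) slips past the regexes.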
We didn’t put these practices in place because we expected to be specifically targeted by a state-level operation. We put them in place because the basic logic of “we’re responsible for our clients’ security, including the parts we don’t do ourselves” doesn’t allow for the kind of casual contractor access that’s standard elsewhere in this industry. The KnowBe4 story is a high-profile version of a problem that exists at smaller scales constantly.
What to Ask Your Current Provider
If you already have an IT company, three questions are worth asking. The answers tell you more than any sales pitch will.
The first: how do you verify the identity of contractors who work on our systems? “We do background checks” is not an answer. You’re looking for something specific about live verification — someone on a video call, with a real ID, in real time.
The second: do contractors have direct access to our environment, or does everything route through your team for review? If the answer is “they have access but we monitor it,” that means they have access.
The third: what can a contractor see when they’re working on something related to our account? If they can see real client names, real data, real account structures, that’s a separate exposure from whether the contractor is personally trustworthy; even a vetted contractor should not be able to tell whose environment they are looking at.
If your current provider can’t answer these clearly, that’s information. It doesn’t necessarily mean you need to switch — it means the conversation about supply chain risk hasn’t happened yet, and it should.
The KnowBe4 incident is going to keep showing up in headlines, because the same operation is still active and most companies haven’t tightened their hiring in response. The good news is that the controls that catch this aren’t exotic. They’re just controls most providers haven’t been pushed to implement yet. That changes when clients start asking.