Ross Bale MBCS discusses why most pre-employment checks do not work and why IT professionals could be at risk.

Despite the growing concern over external cyberattacks against organisations, no doubt amplified by the media reporting on attacks against well-known companies such as Microsoft Xbox, eBay and TalkTalk, the reality is that most organisations are more susceptible to inadvertent or malicious disclosure of sensitive information by employees, contractors or visitors than to a cyberattack.

This is confirmed by statistics published in the 2013 IBM Global Reputational Risk and IT Study where 43 per cent of C-Level executives were reported as saying that negligent insiders are the greatest threat to sensitive data.

It is, therefore, of vital importance that people working for, and in, an organisation are carefully selected, managed and monitored to protect the organisation’s information resources. However, in reality, most corporate pre-employment checks and processes are ineffective.

Check limitations

Most companies in the UK carry out identification checks required by law, typically by obtaining evidence of the potential employee’s identity and right to work in the UK, by taking a photocopy or scanned image of their passport and National Insurance Number.

Some employers will go further by carrying out a criminal records check to ensure that the person they are employing does not have any spent or unspent convictions. However, this should provide very little assurance to the potential employer, as it will not show offences committed whilst abroad, and it will not indicate whether there are other areas of concern not covered by the criminal records check.

This latter point is of much greater importance to potential employers, as the criminal records check will not show cases of misconduct against a previous employer. Unless the employee has committed a serious act of fraud, or violence against a fellow employee, that constitutes a criminal offence, most companies will simply dismiss the miscreant rather than involve the police. It is therefore entirely possible that, whilst the applicant has no criminal background, they could have carried out serious wrongdoing against an employer in the past.

The criminal records check also does not take into account potential warning indicators in the employee’s financial background which could render them more susceptible to bribery or coercion by external third parties, such as organised crime groups.

Fuller checks

Detailed screening of all potential employees against an established Code of Practice, such as British Standard BS7858 (or Baseline Personnel Security Screening in the public sector), provides a far more robust and fuller picture of the person that the organisation is looking to hire. These checks can be performed in-house, or more commonly, by specialist third party service providers.

The check will typically cover the previous three, five or ten years’ employment history, depending on the sensitivity or risk of the post being recruited for, in addition to an enhanced criminal records check and a basic credit check. The organisation carrying out the check will write to all previous employers asking them to confirm that the information provided is accurate, and it could also highlight potential risk factors, such as long periods of unexplained absence.

Once implemented, background screening should be mandatory for all personnel within an organisation, and should be considered the norm, rather than the exception.

The same level of screening should extend to professional contractors, especially staff provided as part of a service contract, such as cleaners and security officers, who may have unescorted or unsupervised access to office spaces where sensitive information may be present. These people are often not subjected to the same level of checks or scrutiny as employees, but arguably have the same, if not greater, access to printed or digital sensitive material whilst working within the organisation, as they are often working when there are fewer employees around to monitor what they are doing.

Thorough screening and interviewing processes will naturally increase the quality of the people being hired, as this reduces the risk of hiring a potential problem employee and is the most effective way of preventing crime. However, it is also possible that people may have no history or warning indicators when they commence employment.

Ongoing monitoring and awareness

Line managers and heads of department should also be trained to detect changes in people’s working patterns, attitudes or behaviour, which seem out of character for the employee.

These observations should be recorded and monitored as potential early warning signs that something may be wrong. This could be something as simple as a perceived disparity within a team or department over working conditions, salaries, or being overlooked for a promotion, through to more concerning issues, such as being overly secretive or withdrawing from the team dynamic, which could indicate coercion or threats from external sources such as organised crime gangs.

The potential risk for IT professionals

IT professionals, specifically support engineers and system administrators, usually have privileged access to all corporate network or data resources and hence may be targeted by external groups, such as organised crime gangs, or by groups seeking to commit corporate or state-sponsored espionage by recruiting an existing employee to obtain data on their behalf.

Entry-level positions (especially temporary or contract positions), such as IT system administration, typically require minimal qualifications and may be an easy route into an organisation for someone planning to attack that organisation at a later time.

Basic procedures and best practice can protect IT professionals and mitigate the associated risks. These could include: requiring IT professionals to have a separate administrative account, so that the user must make a conscious decision to log in with it; segregating access to data and systems so that no single person has full access to everything; robust change control procedures, so that any configuration change that may have an impact on security is formally checked and approved prior to implementation; regular monitoring of access logs and audit trails; and ensuring that people only have access to the data and systems necessary for their job role and function, rather than by seniority, with access regularly reviewed and revoked when no longer necessary.
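As an added illustration of the last paragraph (example code, not from the article or from BCS), the script below runs a periodic access review over constructed account, grant and audit-log samples: it flags grants beyond a role's baseline, accounts whose access review is overdue, and administrative-account logons that are not tied to an approved change ticket. The role baselines, 90-day review window, log format and ticket identifiers are all assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions for this example, not from the article).
REVIEW_WINDOW = timedelta(days=90)
TODAY = date(2024, 6, 1)

# Minimum access each job role needs; anything beyond it must be justified.
ROLE_BASELINE = {
    "support": {"ticketing", "kb"},
    "sysadmin": {"ticketing", "kb", "ad-admin", "backup-console"},
}

# One record per person: job role, current grants, date access was last reviewed.
ACCOUNTS = {
    "alice": {"role": "support", "grants": {"ticketing", "kb"}, "reviewed": date(2024, 4, 2)},
    "bob": {"role": "support", "grants": {"ticketing", "kb", "backup-console"}, "reviewed": date(2024, 5, 1)},
    "carol": {"role": "sysadmin", "grants": {"ticketing", "kb", "ad-admin", "backup-console"}, "reviewed": date(2023, 12, 1)},
}

# Approved change tickets: the only legitimate reason to log in with the "-admin" account.
APPROVED_CHANGES = {"CHG-101": "carol"}

# Constructed audit log, one line per logon: "<date> <user> login <account> change=<ticket|none>"
AUDIT_LOG = """\
2024-05-30 carol login carol-admin change=CHG-101
2024-05-31 carol login carol-admin change=none
2024-05-31 bob login bob change=none
"""

def review_access(accounts, baseline, today):
    """Least-privilege review: grants beyond the role baseline and overdue reviews."""
    findings = []
    for user, rec in accounts.items():
        extra = rec["grants"] - baseline[rec["role"]]
        if extra:
            findings.append((user, "beyond-role", sorted(extra)))
        if today - rec["reviewed"] > REVIEW_WINDOW:
            findings.append((user, "review-overdue", None))
    return findings

def review_admin_logins(log, approved):
    """Change-control check: every admin-account logon must cite a ticket approved for that user."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        day, user, _, account, change = line.split()
        ticket = change.split("=", 1)[1]
        if account.endswith("-admin") and approved.get(ticket) != user:
            findings.append((user, "admin-login-without-change", day))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ROLE_BASELINE, TODAY) + review_admin_logins(AUDIT_LOG, APPROVED_CHANGES):
        print(finding)
```

In a real estate the account records would come from the directory and the log lines from the audit trail; the findings feed the access review and revocation step rather than being acted on automatically.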