IT security gets personal

IT security focuses on technology that stops hacking, phishing, worms, viruses and denial-of-service attacks. But security should extend to something much more human and personal - employees. IT systems don't destroy other systems, take equipment or steal intellectual property, but people do.


IT security focuses on technology that stops hacking, phishing, worms, viruses and denial-of-service attacks. But security should extend to something much more human and personal - employees. IT systems don't destroy other systems, take equipment or steal intellectual property, but people do.
So how can your organization reduce risk? Use technology to give your hiring managers a firewall against people who could be worms in geek clothing. The need for background checks on job candidates and current employees is growing. Dynamic working environments, a regulatory and litigious atmosphere, and business risk all play a significant role.
Information is power. IT workers have access to electronic storage systems, email, data, records and personal information. Proper assessment, screening and background checking for new IT hires is absolutely critical to make sure they have the requisite qualifications and credentials, integrity, honesty and behaviors.
Preemployment background screening is a key way for employers to meet due-diligence requirements to hire safe, qualified employees and to reduce negligent hiring liability and workplace violence. But it should not stop there. Postemployment background checks or rechecks have emerged as an equally critical practice to monitor safe and legal activities and mitigate ongoing risk.

Background-checking companies estimate that between 7 percent and 12 percent of all applicants are turned away: About 5 percent to 6 percent are because of criminal issues, 2 percent to 4 percent because of false employment or education and about 1 percent to 4 percent based on motor vehicle record or credit problems.

Prescreen the bad apples

Consider this: At an unnamed company, a new IT technical support consultant had access to the entire network and most files. His criminal-background check arrived posthire and showed convictions for passing forged checks. He had lied on his application about the conviction and lied again when questioned. Needless to say, he was terminated. Once inside the company with system access, there was potential for damage to occur, because of a slow background-check turnaround time that was not an integral step of the hiring process.

Another IT employee had super-user access to a time and attendance system. He regularly changed his times to avoid being penalised. This lack of integrity and honesty cost the company thousands for hundreds of hours that he did not work. It also calls into question the quality of the work he did perform, as well as his intentions and use of the sensitive data at his fingertips.

Most companies need an improved, streamlined background-checking process. A Taleo Research survey of large companies found a majority of survey respondents believe that their organisation should be doing a better job of prehire screening:

  • 19 percent consider their current background check process very effective at weeding out candidates.
  • 27 percent of organisations experienced workplace fraud (10 percent), employee theft (10 percent) or workplace violence (7 percent) - with a screened yet convicted employee.
  • 19 percent consider their current background check process very effective at weeding out candidates.
  • Resulting impact to the company was considerable with termination or turnover (58 percent), negative media exposure (5 percent) and lawsuits, union conflicts or other impact (26 percent).
  • 29 percent have run an audit of their current screening provider to determine the quality of their screenings.
  • Two-thirds of organisations do not conduct ongoing background checks on employees.
  • Despite best efforts, screenings are often inaccurate. Sometimes the errors arise from simple mistakes in rekeying of information across job applications and other documentation. Data reentry because of separate processes for background checking, hiring and maintaining employee information can be alleviated through integrated systems and hasten background checking cycle time.

    A greater issue is the lack of accuracy and depth of the delivered background-checking information and comprehensive sources of information. National criminal repositories rely on unpredictable data from local counties. Manual searches by court runners miss records, because they are limited to a few counties of residence. There is no national sex-offender registry and state registries have lost track of as much as 40 percent of the offenders. Even the FBI's National Crime Information Centre (NCIC) is missing information, and the Justice Department relieved the FBI of its responsibility to ensure the accuracy of data in 2003.

    To test the adequacy of a billion-dollar organization's screening programme, which consisted of a seven-year, prehire background check, 12,000 current employees were rescreened with these results:

    • 198 unknown preemployment felonies and major misdemeanours, including murder, aggravated assault/battery, rape, drug manufacturing and distribution, forgery, fraud and grand theft.
    • 74 postemployment felonies and major misdemeanours, including aggravated assault/battery, rape, grand theft, forgery, drug distribution, DUIs, prostitution and fraud.

    Average of 14 new events per year
    Another organization with 8,700 employees were rescreened using FBI/NCIC screening, with these results:

    • 87 unknown preemployment felonies and major misdemeanours.
    • 13 postemployment felonies and major misdemeanours.

    Because of these information gaps, companies are being exposed to lawsuits, fines and brand damage-despite having screening programs in place. For example, FedEx was sued for negligence after a former employee with a history of child sexual abuse was charged with sexually assaulting a customer's son. Yet the company claims the background check on the employee came back clear. How is this possible? Background-check companies are partially to blame for misleading companies into thinking their databases are national, when they are not.

    Increasingly, companies have IT workers in different locations, many working remotely. To be accurate, record searches must cover all locations and even identities of an individual - such as name changes because of marriage or divorce. Rechecking also is essential. An IT employee who passed a thorough background check prehire may no longer be meeting the obligations and policies of employment.

    Advances in technology

    Poor use of data, manual steps and reporting means high costs and longer turnaround. High false positives and missed records - such as Social Security number, address history and aliases - produce inaccurate and incomplete screens.

    New methods and technology can significantly improve your IT background checking. Advanced algorithms make use of online criminal repositories for improved quality and efficiency for prehire checking and posthire policing.

    Optimizing the IT background check process can improve accuracy, shorten turnaround time and lower costs. Better-quality screening results can safeguard both employees and employers.

    Snell is vice president of Taleo Research, a specialty research division of worldwide talent management provider Taleo. She can be reached at [email protected]

    Hiring hijinks

    • Nearly 50 percent of resumes have factual errors, including employment dates, education, credentials and job titles, according to
    • Three-quarters of banking employees have stolen from their employers, as reported by US Banker.
    • Employee theft and fraud cost US retail businesses more than $50 billion annually, with the average theft at $1,525, nearly seven times more than a shoplifter, notes Ernst & Young's "Study of Retail Loss Prevention."
    • The Bureau of Labour Statistics estimates that 1.2 million to 2 million incidents of workplace violence occur each year.

    Find your next job with computerworld UK jobs

    "Recommended For You"

    How to stop fraud OPM underestimated the number of stolen fingerprints by 4.5 million