Why most pre-employment checks do not work and why IT professionals could be at risk.
This article was first published in the British Computer Society ITNow Magazine, June 2016.
Despite the growing concern over external cyber-attacks against organisations, no doubt amplified by media reporting on attacks against well-known companies and services such as Microsoft Xbox, eBay and TalkTalk, the reality is that most organisations are more susceptible to the inadvertent or malicious disclosure of sensitive information by employees, contractors or visitors than to a cyber-attack. This is confirmed by statistics published in the 2013 IBM Global Reputational Risk and IT Study, in which 43% of C-level executives were reported as saying that negligent insiders are the greatest threat to sensitive data.
It is therefore of vital importance that people working for, and in, an organisation are carefully selected, managed and monitored in order to protect the organisation's information resources. In reality, however, most corporate pre-employment checks and processes are ineffective.
Basic Identification Checks
Most companies in the UK carry out the identification checks required by law, obtaining evidence of the prospective employee's identity and right to work in the UK, typically by taking a photocopy or scanned image of their passport and recording their National Insurance Number.
Some employers will go further by carrying out a criminal records check to ensure that the person they are employing does not have any spent or unspent convictions. This should provide very little assurance to the prospective employer, however, as it will not show offences committed whilst abroad and, of much greater importance, it will not reveal misconduct against a previous employer. Unless the employee has committed a serious act of fraud or violence against a fellow employee, most companies will simply dismiss the miscreant rather than involve the police. It is therefore entirely possible that an applicant with no criminal record has carried out serious wrongdoing against an employer in the past.
Recommended Detailed Screening
Detailed screening of all potential employees against an established Code of Practice, such as British Standard BS7858, provides a far more robust and fuller picture of the people an organisation is looking to hire. These checks can be performed in-house or, more commonly, by specialist third-party service providers. The check will typically cover the previous three, five or ten years' employment history, depending on the sensitivity or risk of the post being recruited for, in addition to an enhanced criminal records check and a basic credit check. The organisation carrying out the check will write to all previous employers asking them to confirm that the information provided is accurate, which can also highlight potential risk factors such as long periods of unexplained absence.
Once implemented, background screening should be mandatory for all personnel within an organisation and should be considered the norm rather than the exception. Screening should also apply to professional contractors and to staff provided as part of a service contract, such as cleaners and security officers, who may have unescorted or unsupervised access to office spaces where sensitive information may be present. These people are often not subjected to the same level of checks or scrutiny as employees, but nevertheless have potential access to printed or digital sensitive material whilst working within the organisation.
Thorough screening and interviewing processes will naturally increase the quality of the people being hired, as they reduce the risk of hiring a potential "problem" employee, and they are the most effective way of preventing crime. It is also possible, however, that people have no history or warning indicators at the time they commence employment.
Ongoing Monitoring and Awareness
Line managers and heads of department should also be trained to detect changes in people's working patterns, attitudes or behaviour. Changes that seem out of character for the employee should be recorded and monitored as potential early warning signs that something may be wrong. This could be something as simple as a perceived disparity within a team or department over working conditions, salaries or being overlooked for a promotion, through to more concerning issues such as coercion, or being threatened by external sources such as organised crime gangs.
The potential risk that IT professionals face
IT professionals, specifically support engineers and system administrators, usually have privileged access to all corporate network and data resources and may therefore be targeted by external groups, such as organised crime gangs or groups seeking to commit corporate or state-sponsored espionage, who recruit an existing employee to obtain data on their behalf. Entry-level positions (especially temporary or contract positions), such as IT system administration, typically require minimal qualifications and may be an easy route into an organisation for someone planning to attack it at a later point in time.
Basic procedures and best practice can protect IT professionals and mitigate the associated risks. These include requiring IT professionals to have a separate administrative account, so that the user must make a conscious decision to log in with administrative rights; segregating access to data and systems so that no single person has full access to everything; robust change control procedures, so that any configuration change that may have an impact on security is formally checked and approved prior to implementation; regular monitoring of access logs and audit trails; ensuring that people have access only to the data and systems necessary to perform their job role and function, rather than by seniority; and regularly reviewing access and revoking it when it is no longer necessary.
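Three of the controls above (separate administrative accounts, change control and regular access review) can be checked mechanically against audit logs. The following is an added example, not code from the article, showing how such a review might be scripted over a few constructed log lines. The log format, the "adm-" naming convention for privileged accounts, the set of actions treated as administrative, the ticket field and the 90-day idle threshold are all assumptions made for the example.

```python
"""Added example (not from the article): review audit-log lines for three
insider-risk controls. Log format, account naming, admin action set, ticket
field and the idle threshold are assumptions made for this illustration."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   <ISO timestamp> user=<account> action=<verb> target=<system> [ticket=<ref>]
LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) target=(\S+)(?: ticket=(\S+))?$")

# Assumption: privileged accounts are distinguished by an "adm-" prefix and
# should only ever be used for these administrative actions.
ADMIN_PREFIX = "adm-"
ADMIN_ACTIONS = {"sudo", "config-change", "user-admin", "service-restart"}
# Actions that should always carry an approved change reference.
CHANGE_ACTIONS = {"config-change"}

Event = namedtuple("Event", "ts user action target ticket")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = [
    "2016-06-01T09:02:11 user=adm-jsmith action=config-change target=fw01 ticket=CHG-4411",
    "2016-06-01T09:15:40 user=jsmith action=login target=workstation",
    "2016-06-01T10:01:05 user=adm-jsmith action=webmail target=mail-gw",
    "2016-06-02T14:22:09 user=adm-kpatel action=config-change target=db01",
    "2016-03-01T08:00:00 user=adm-kpatel action=sudo target=fw01",
    "2016-06-03T11:30:00 user=adm-jsmith action=sudo target=db01 ticket=CHG-4420",
    "this line is not a valid audit record",
]

# Constructed access register: (privileged account, system it is entitled to).
ENTITLEMENTS = [
    ("adm-jsmith", "fw01"), ("adm-jsmith", "db01"),
    ("adm-kpatel", "db01"), ("adm-kpatel", "fw01"),
    ("adm-lwong", "fw01"),
]

# Fixed "now" so the example is reproducible.
NOW = datetime(2016, 6, 10)


def parse_log(lines):
    """Parse log lines into Events, skipping malformed records instead of failing."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, target, ticket = m.groups()
        events.append(Event(datetime.fromisoformat(ts), user, action, target, ticket))
    return events


def admin_account_misuse(events):
    """Separate admin account used for everyday work (e.g. webmail): this
    defeats the purpose of having the privileged account at all."""
    return [e for e in events
            if e.user.startswith(ADMIN_PREFIX) and e.action not in ADMIN_ACTIONS]


def unapproved_changes(events):
    """Security-relevant configuration changes made without a change ticket."""
    return [e for e in events if e.action in CHANGE_ACTIONS and not e.ticket]


def stale_privileges(entitlements, events, now=NOW, max_idle_days=90):
    """Entitlements not exercised within max_idle_days (or never): candidates
    for revocation in the periodic access review."""
    last_used = {}
    for e in events:
        key = (e.user, e.target)
        if key not in last_used or e.ts > last_used[key]:
            last_used[key] = e.ts
    cutoff = now - timedelta(days=max_idle_days)
    return [(user, target) for user, target in entitlements
            if last_used.get((user, target)) is None or last_used[(user, target)] < cutoff]


def run_review(lines=SAMPLE_LOG, entitlements=ENTITLEMENTS, now=NOW):
    """Run all three checks and return the findings keyed by control."""
    events = parse_log(lines)
    return {
        "admin_misuse": admin_account_misuse(events),
        "unapproved_changes": unapproved_changes(events),
        "stale_privileges": stale_privileges(entitlements, events, now),
    }


if __name__ == "__main__":
    for control, findings in run_review().items():
        print(f"{control}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the constructed data the review reports one privileged account used for webmail, one configuration change made without a ticket, and two entitlements (one idle since March, one never used) that should be revoked. A real deployment would replace the constructed log and register with the organisation's own audit trail and access records, and tune the admin action set and idle threshold to its own policy.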