Perimeter defences are fine for keeping out hackers, but what about employees who want to do your company harm? With legitimate access to corporate systems, the rogue insider often needs nothing more than a USB memory stick or a webmail account to steal confidential information and potentially wreck your organisation's reputation.
Data leakage prevention (DLP) and log management systems can help to control what information finds its way out of your organisation. But as in the recent case of Daniel Houghton, a former MI6 worker who tried to sell secrets to Dutch intelligence services, even the most security-minded organisations aren't making effective use of the technology. And even when technological defences are applied, a malicious employee may still find a way to bypass them.
So how do you ensure employees are doing the right thing? You can put them through awareness courses, of course, but companies are increasingly realising it's better to spot dangerous or dishonest people before they join the organisation.
The way to do this is to carry out proper background employment screening on job applicants before making them a firm job offer, rather than trusting every impressive detail of a CV.
According to Chantelle Norman, head of business development for Kroll Background Worldwide Ltd., pre-employment vetting has been slow to take off in the UK, although the practice is already well established in the US. "Financial services have long been obliged to carry out checks, but just in the last year, we have begun to see an upturn in screening in other industries, such as IT and manufacturing," she said.
There are good reasons for this increased interest. According to Kroll's data, provided exclusively to SearchSecurity.co.uk, applicants are now much more likely to lie on their job applications than they were two or three years ago.
For example, 21% of screenings undertaken by Kroll in the first quarter of 2010 identified a flaw in the information provided by a candidate. "These incidents of discrepancies are becoming more and more frequent, and in Q1 2010 we saw occurrences of lying [on resumes] rise a staggering 71% over the same period in 2008," Norman said.
Many of the lies might be considered trivial, such as exaggerating the responsibilities of a job role, or making existing educational qualifications look more impressive than they are, but, as Norman points out, these small lies should make the employer suspicious. "It may not be important that someone says they have A Levels when they don't, but it may say something about that person that they are prepared to lie on their CV. What else would they lie about whilst working for you?"
A typical basic screening will cost around £60 and will validate the candidate's employment references, educational qualifications, criminal record and credit status. Further checks can be made on a candidate's identity documents -- checking, for instance, that a passport is not forged -- and on his or her permission to work in the UK.
The checks can often uncover devious tricks. For instance, candidates may give the name of their previous employer, but supply the phone number of a relative who will pretend to be the employer and give them a good reference. Others may alter their employment dates at a company to disguise a prison sentence.
How prospective employers deal with the information, Norman said, is a matter of judgement. "We advise our clients to look at the whole picture, because so many people have credit problems at the moment, and if someone is trying to pay back their debts, then they may well be a loyal and hard-working employee."
Similarly, a criminal record for a teenage misdemeanour may have little bearing on the trustworthiness of a thirtysomething candidate. And, as Norman adds, a tight job market may tempt some people to be slightly economical with the truth in order to get an interview. "If people are struggling to get a job, it can be tempting to invent a qualification or try to cover up gaps in their employment history," she said.
And vetting need not be confined to the recruitment stage. Norman said that some companies now see the value of regularly re-screening existing employees. These checks may uncover criminal convictions acquired since their employment began or, quite often, financial difficulties that could influence them to sell corporate information they might not have been willing to sell before.
Norman cited a recent case where an outsourcing company was required to re-screen its employees for a contract at a bank, and found that 30% of them were rejected. Some had financial problems, while others had undeclared criminal convictions.
Screening, she readily admits, will not guarantee the future honesty of any employee, but it will certainly reduce the risk. "If you do it with everybody, there is no doubt you will have a better-skilled, loyal and more trustworthy workforce," she said. "A check may cost £60 to £100, but that is absolutely nothing compared to the damage the wrong person can do to you."
One word of warning came, however, from Kim Roberts, an employment law specialist at Nabarro LLP, who said that any vetting needs to be confined to the requirements of the job and be in line with the Employment Practices Data Protection Code.
For instance, employers who regularly check social networking sites to gather information about candidates might find themselves in breach of the Data Protection Act. "You may check to make sure someone's information is correct. But if you routinely check those sites to get an idea of someone's personal life, then that is not allowed," Roberts said.
The same applies to the candidate's criminal and medical history, where employers can only ask questions that are relevant to the job involved.
As for re-screening, Roberts advised that employers be open about their policies, and make sure employees know that checks will be made. "You'd need to make it a condition of employment to carry out regular checks. And you must be able to justify the level of intrusion because of the environment in which [the employees] work, and the nature of the information they handle," Roberts said. "You can't just pry into someone's private life."