Employers can take steps to minimise surprises by a well thought out pre-employment screening program

Employers are increasingly concerned about the risks associated with employees, temporary workers, independent contractors, and others who have the ability to wreak havoc on an organization from the inside. This is often referred to as “insider threat.”

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters, and everything else in between. Potential insider threats are not just employees but anyone with access to a business office including contractors, vendors, and temporary workers. While there are numerous tools that can be used for preventing insider threats, this article will focus on background checks.

Although pre-employment background checks are often cited as an essential element of an insider threat prevention program, background checks are just one part of an overall strategy. The identification and prevention of insider threats requires an inter-disciplinary approach that can include mental health assessments, psychological testing, physical security, internal controls, continuous evaluation of personnel, supervisor and co-worker training to recognize danger signals, identification of risk factors, sharing and analyzing information between responsible parties, and a culture of safety, reporting, and integrity. Most critically, an organization needs to have a commitment to prevent these threats, and a leadership team and professionals who are able to formulate and implement an overall strategy. 

Background Checks - A Critical Part Of The Risk-Management Toolkit

Employees are not only a significant investment and large cost, but each hire also represents a large potential risk. Every employer has the obligation to exercise “due diligence” when hiring. Employers, especially in industries with higher risk, need to be able to vouch for the integrity and honesty of their employees. Generally speaking, people with a past history of honesty are much more likely to be honest in the future. Conversely, there is evidence to suggest that if applicants are dishonest in how they obtained a job, they may be dishonest once they have the job. But it is difficult to identify potential “bad hires” just by interviews since some applicants lie so often they come across naturally as if they believe their own story.

Background screening provides a valuable and objective risk-management tool that gives employers additional protection against a bad hire. Employers utilize background checks to minimize the risks associated with workplace violence, lost customers, negligent hiring lawsuits, identity theft and fraud, embezzlement, data breaches, and high turnover. It has been estimated, for example, that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire.

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation
It has been estimated that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire

Background Screening - Types Of Inquiry

A pre-employment background check is conducted under a federal law called the Fair Credit Reporting Act (FCRA) that sets out specific steps, such as the need for a written disclosure and consent as well as steps necessary to ensure accuracy and to allow a consumer to ask for a re-investigation of a report. Background checks broadly cover two types of inquiry. First, a background check may verify information an applicant provides about their credentials, such as past employment and education. Secondly, a check may involve searching relevant public or private records, such as driving records, criminal matters, exclusion or sanction databases, or credit reports. A competent screening firm will have a number of tools that can help an employer depending on the nature and risk of the hire and the industry involved.

Criminal record checks in particular are often a key element of a background check since past criminal conduct can raise concerns about the propensity to repeat criminal behavior. However, employers need to be mindful of their obligations under Equal Employment Opportunity (EEO) laws and other laws such as Ban the Box rules that prohibit asking about a criminal record on an application form, to ensure that the use of criminal records is both relevant and fair and complies with an employer’s legal obligations. 

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation. Class action lawsuits against employers have dramatically risen for example. For that reason, background screening has become a highly regulated professional endeavor that requires legal compliance expertise and the ability to provide highly accurate information while maintaining the highest level of data security and protection. 

Do Background Checks Eliminate Future Risks?

Part of the problem for employers is that even if a person passes a background check, it is hard for employers to measure with any accuracy how an employee will react in the future to various situations, such as a need for money, a substance abuse or other personal problem, or ability to act in an ethical fashion when under orders to do something that is less than ethical by a superior. Many organizations have found that the key is to supplement pre-employment background checks with ongoing or continuous screening, and an environment of control and physical safety.

Risk Types - Predictable, Unpredictable And Secret

Even with “good hires,” the potential for insider threats always exists. After getting applicants in the front door, a business must be concerned about employees with substantial authority (C-level and above), access to Information Technology (IT) or proprietary information, access to cash and accounting or access to sensitive information such customer lists and operations information. In fact, a new hire is full of risk. “Predictable risks” include employees with access to cash or assets and little internal controls. “Unpredictable risks” occur when employees develop financial issues, gamble, use drugs, or are encouraged or ordered by supervisors to perform acts of questionable honesty. “Secret risks” involve people with political agendas who use jobs to advance goals detrimental to employers.

There are also potential surprises employers can face post-hire. First, employers may obtain newly discovered information concerning an applicant such as discovering a new employee is a registered sex offender or faked an academic or professional credential. The good news is that employers can take steps to minimize surprises by a well thought out pre-employment screening program. The first step is to have in place policies, practices, and procedures to carefully select your employees in the first place through a well thought out pre-employment screening program commensurate with the risk involved.

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters
Experts recommend employers consider “continuous” evaluation that occurs periodically after hiring to deter employees from committing crimes after being hired

Formulating A Wise Pre-Employment Screening Program

Employers should also ensure their application forms make it clear that any material falsehood or omission can result in termination NO MATTER WHEN DISCOVERED and have language in employee manuals that deals with discovered falsehoods or omissions post-hire. Background check releases can have an “Evergreen” clause to allow future screening if needed (although there are limits to what can be done). Employers need to keep in mind that any screening program for new or existing employees should pay careful attention to the requirements of the FCRA as well as numerous applicable state laws.

There are several screening tools for detecting “insider threats”: Ongoing “continuous” evaluation (CE); Re-enactment (post-mortem) screenings; Credit Reports and asset searches; Social Media Background Checks; and Screening current workers or newly acquired workforce. It is also important for employers to know that internal “in-house” investigations can invoke the FCRA.

Employee Screening After Hiring

Some experts recommend employers consider “continuous” evaluation that occurs periodically after hiring. The argument in favour of such screening is that employees may commit a crime after being hired. It can also be a deterrence of sorts. Employers may also need to screen newly acquired employees if a merger or acquisition occurs. In addition, certain contracts may also require only screened employees.

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories

However, there are legal implications of using information acquired after hiring. Employers should not have a knee jerk reaction and carefully review all the facts and circumstances to give the employee an opportunity to be heard. It is especially important for employers to carefully document actions – especially if employee has pending employment related claim – and be careful of allegations of retaliation. In addition, many of these tools have drawbacks. For example, the use of social media sites to track threats is hampered by the fact that there is so much information online; it can be challenging to locate, identify, and utilize actionable data about a particular person, especially since a person may hide their activities behind privacy protection or use an anonymous online persona. 

Screening Without Proper Internal Controls Is Insufficient

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories. The walkaway point is that although pre-employment screening is critical to detect and deter fraud and threats, it is inadequate as a sole line of defense in the absence of proper internal controls that prevent surprises.

Bottom line: Employers must conduct due diligence before AND after hiring an employee. While this requires spending money, and the cost of background checks can be seen as a drag on the bottom line, the average cost of a screening usually equals the salary paid to employees for their first day of work. To paraphrase a well-known 1970’s marketing slogan: “You can pay (a little) now, or pay (a lot) later.”

Download PDF version

In case you missed it

Social Media Data Provides Security Professionals With Real-time Situational Awareness
Social Media Data Provides Security Professionals With Real-time Situational Awareness

Twitter has around 350 million active users a month, all eagerly posting 280-character “tweets” about the world around them. It’s a vast amount of data from all over the globe. Security professionals have begun to appreciate the value of mining all that data for insights to help them protect people, assets and operations. One company leveraging the Twitterverse to provide real-time situational awareness to corporate security end users is Dataminr.Dataminr assembles this information flow into a useful timeline that summarizes the ongoing sequence of events Algorithms For Actionable Security Signals The New York-based technology company has developed algorithms that comb through the full Twitter dataset to provide actionable signals to security professionals around the world about security-related events as they unfold. For corporate security, early information about an unfolding event enables them to take action faster in order to secure their people, locations and business operations.  “OMG! Just heard a loud bang on the quad,” a tweet might declare. Combined with location information gleaned from a cell phone, such a tweet could be the first indicator of an unfolding security incident. As an event unfolds, hundreds of such tweets are likely to be posted from the surrounding areas, collectively offering a running narrative of developing events. Dataminr assembles this information flow into a useful timeline that summarises the ongoing sequence of events. Many times, tweets are the first information available from an incident even before the arrival of first responders.Dataminr’s information is provided in a variety of platforms, from a web-based dashboard to a mobile app or notification via email “Early notification allows security professionals to be more proactive,” says Dillon Twombly, SVP, Corporate Sales at Dataminr. “We have a broad range of users across Fortune 1000 companies, and also including country security managers, security operations centers, and executive protection. "In retail, we provide information for security operations or loss prevention. Events sometimes have a potential to spin out of control, and we allow security professionals to react faster and get ahead of an event proactively.” Various Security Platforms Dataminr’s information is provided in a variety of platforms, from a web-based dashboard to a mobile app or notification via email. The system can be integrated with a company’s workflow, and the software interfaces with various security platforms, such as physical security information management (PSIM) systems. Another corporate use for Dataminr is in public relations, where social media could be a source of misinformation or rumors about an issue or event Dataminr addresses all regulatory and legal concerns, and it is GDPR-compliant. However, privacy is generally not a big concern because Twitter data is posted publicly, and Dataminr gleans information related to a specific event, not a specific Twitter user’s individual data. “Over the past couple of years, we have grown the security vertical,” says Twombly. “The market is receptive to the value of social media as a tool for users tasked with responding in a comprehensive way to a range of issues.”The company’s services are useful across the full range of vertical markets in the security industry Public Safety And Security In addition to security and public safety applications, Dataminr also provides services to financial companies and even media outlets. In fact, the 9-year-old company started in finance, where stock or currency traders were able to leverage breaking news notifications to make decisions faster. In the media vertical, Dataminr provides information to 500 newsrooms globally. Public safety and security uses have evolved, and Twombly currently spearheads the company’s work in corporate security, calling on his experience in the security world. Another corporate use for Dataminr is in public relations, where social media could be a source of misinformation or rumors about an issue or event.Customers can customize the kind of information they want to receive, and Dataminr algorithms use the full publicly available data set of Twitter Tracking Twitter posts enables a company to get ahead of an evolving story and help to shape the narrative. Twombly says Dataminr has “deep and broad relationships” with corporate customers and delivers information that can possibly be used by multiple departments in an organization. The company’s services are useful across the full range of vertical markets in the security industry, from transportation to major industrials to financial services to energy. In the education vertical, major universities are customers, as are local school districts. Customers can customize the kind of information they want to receive, and Dataminr algorithms use the full publicly available data set of Twitter. Twombly says the company’s software is constantly evolving and being fine-tuned in response to changing needs. Dataminr is a “strategic partner” of the social media giant and works closely with them on product development, he adds.

How To Make School Security Effective And Unobtrusive For Students
How To Make School Security Effective And Unobtrusive For Students

Schools today are charged to provide an environment that is both safe and conducive to learning, which can be difficult considering the range of security incidents and challenges they face, including bullying, fights, graffiti, theft and more. In addition to working within often tight budgetary constraints, a main challenge is to provide the highest level of security in an aesthetically pleasing way that doesn’t make students feel as if they are in prison. While these two needs may seem mutually exclusive to some degree, that doesn’t have to be the case. School security can be achieved without building 20-foot walls or putting barbed wire around the perimeter. The key to balancing the security and learning environment can be found in the four pillars of a good school security strategy, namely people, practices, technology and physical environment. A mobile app or text notification system could be used to alert students and staff of potential problems Situational Awareness One of the most effective measures to take is to educate staff and even students to learn to be aware about their surroundings and adopt the 'If you see something, say something' mentality. In an emergency, time is of the essence, so the speed of response becomes critical. Educating staff and students to recognize potential problems and report them is a good first step. Augmenting this with mobile apps and/or texting capabilities, for example, that allow someone to send a photo to school security or law enforcement for quick assessment and evaluation, can speed response even more. A mobile app or text notification system could also be used to alert students and staff of potential problems and provide instructions on what steps to take in order to remain safe. By providing real-time situational awareness about potential responses, these types of technologies can reduce the number of armed guards or resource officers needed to patrol a school or campus, which also makes students more comfortable and able to learn in a non-prison-like environment. Security Best Practices Every school should establish a set of security policies and procedures and ensure that staff and students understand what to do if they suspect a problem or if an incident should unfold at the school. However, too often, schools may not know where to start when seeking out best practices. And once these policies are in place, there may be confusion about how to audit them to ensure people are properly educated. The NFPA has begun work on a school security standard that would address a range of issues schools face on a daily basis A number of organizations are available to aid with this process, such as the Partner Alliance for School Safety a group founded in cooperation with SIA (Security Industry Association), which provides resources and tools to help schools and security professionals evaluate and establish the best security protection for their buildings. These guidelines and best practices are designed to help schools spend their often limited funds on the right security solutions. Safe and Sound Schools provides downloadable school security toolkits, and the National Fire Protection Association (NFPA) has recently released the NFPA 3000 Active shooter response guidelines and has begun work on a school security standard that would address a range of issues schools face on a daily basis. The key takeaway is that the information is out there, and the organisations mentioned above are excellent resources for helping schools create safe, secure and learning-conducive environments. Technology In School Security The second thing that needs to be considered is how technology can be brought to bear to contribute to school security. Video surveillance with video analytics can be deployed to monitor areas at certain times of day. For example, once school starts, there shouldn’t be a lot of activity in the parking lot or in particular areas around the school. For these situations, intelligent cameras with video analytics can be used to detect activity in those areas of interest to alert school security that something may need their attention. This might be a vehicle entering a lot or driving against the normal traffic flow, which may simply be a parent arriving to pick their child up early, or it could be something worth following up on. Radar detection is ideal for perimeters, where a device can be set up unobtrusively to alert when someone enters a particular area In any case, this is something that should be brought to the attention of someone who can quickly assess the situation and determine what, if any, response is needed. Because the goal in a potentially dangerous situation is speed response times. The faster you’re able to detect something using technology, the faster you’re able to respond. Therefore, being able to identify something happening in a parking lot and alert school resource officers could provide 30 seconds or a minute head start for response, which can get the school into a lockdown situation and get first responders on site more quickly.Facial recognition systems and providing access through smartphones could help create a more welcoming and secure environment for students, staff and parents After-Hour Monitoring Solutions Monitoring buildings and facilities after hours presents a different set of challenges. For sporting events, the National Center for Spectator Sports and Security (NCS4) at the University of Southern Mississippi provides best practice guidance for sporting facilities and events not only just for universities but even including those at high schools. It’s been shown that using lighting at night can deter crime. However, it can be expensive to keep a building and grounds illuminated all night, every night. To mitigate these concerns and potential costs, there are video cameras available with extreme low-light capability that allows them to see in near-dark or in some cases complete darkness. This allows a school to save money by turning lights off while achieving a level of surveillance performance similar to daytime deployments. Radar Detection Another technology for effective school security, both during and after school hours, is radar detection. This is ideal for perimeters, where a device can be set up unobtrusively to alert when someone enters a particular area. Radar can be deployed with a single PTZ camera, which can track whatever has been detected to provide real-time situational awareness for a school resource officer or law enforcement to investigate to determine the potential threat, if any, related to the perimeter breach.Following the four pillars of school security can ease the process while improving the effectiveness and efficiency of securing educational facilities More often than not, schools are faced with issues that are not necessarily the worst-case scenario everyone fears, such as how to identify parents and others who are authorized to pick a child up from school early. In this instance, facial recognition systems and providing access through smartphones could help create a more welcoming and secure environment for students, staff and parents. Lighting And Landscaping In addition to technology, one of the things that can contribute to a safer school environment is environmental design. CPTED provides four basic principles, one of which is natural surveillance, which follows a 'see and be seen' philosophy. In other words, when people know they can be seen, they are less likely to commit a crime. The main points in this general principle are lighting and landscaping. For example, a school doesn’t want to block potentially vulnerable areas with landscaping, so the height and thickness of any potential landscaping elements should be carefully considered. In general, openness and visibility should be the guiding factors. Securing Physical Environment Another aspect of the physical environment is maintenance. If a window gets broken but isn’t fixed right away, that tends to invite vandalism. These are just two of the guidelines CPTED offers for creating a more secure environment that doesn’t feel like a prison. In general, finding the right mix between maintaining security and providing a welcoming, aesthetically pleasing and learning-conducive environment can seem like a difficult – if not impossible – task. Following the four pillars of school security can ease the process while improving the effectiveness and efficiency of securing educational facilities.

Government Institutions Should Utilize VSaaS For An Integrated Video Surveillance System
Government Institutions Should Utilize VSaaS For An Integrated Video Surveillance System

Video surveillance as a service (VSaaS) is not just for commercial organisations. Federal, state and local governments can also realize benefits from the technology—and use it to deliver an integrated video surveillance system that addresses some of their unique security needs. Video Surveillance as a Service (VSaaS) What is VSaaS? Simply stated, it’s a cloud-based video surveillance solution that is packaged and delivered as a service over the internet. The price varies depending on the features of your plan (i.e. number of cameras, amount of storage, software features, etc.), and you pay a monthly subscription price to use it. How does it work? Internet Protocol (IP) cameras are installed at site locations, and the video is captured and streamed to a service provider’s data center via an internet connection. The video management software (VMS) runs on backend infrastructure provided by the service provider’s cloud. All video processing is done in the cloud, and all that is required to view the footage is an internet-connected device and a web browser. Retail, health care, education, and transportation all benefit from the flexibility and architecture of VSaas Growing VSaaS Providers Solution providers such as Axis Communications, Genetec, and G4S among many others offer VSaaS solutions, and the market is growing. According to IHS Markit, the market is expected to reach $2.3 billion in 2021. VSaaS is a solution with cross-industry appeal. Retail, health care, education, and transportation all benefit from the flexibility and architecture of the solution. But how does VSaaS address the surveillance needs of government institutions? Geographic Coverage And Access To protect cities and towns, law enforcement must watch over widespread geographic areas. Their work involves monitoring and policing many different neighborhoods, buildings, garages, parks, and walking paths—basically anywhere there is property or people to protect. They rely on video surveillance to help them keep these environments safe. But it’s more than local law enforcement officers who use video footage. From local city officials to federal and state law enforcement agencies, many other people, at times, need access to video footage captured by city surveillance cameras. Centralized Remote Monitoring How does VSaaS help? VSaaS enables the installation of cameras throughout cities and communities and stream footage to a central location via the Internet. Because the system is centralized, it eliminates the need to manage a lot of different standalone DVRs or NVRs, which enables organizations to monitor a large area from a remote command center. VSaaS enables the installation of cameras throughout cities and communities and stream footage to a central location via the Internet Plus, anyone with proper credentials can access the footage from an Internet-connected device—whether that be a smartphone, laptop, desktop, or tablet. That makes it easier for multiple agencies to work together, which in turn can improve communication and response time to incidents. Budget Concerns And Flexibility Tight budgets are normal in government. As a result, it’s often a challenge to procure capital for new technology purchases—and that sometimes leads to underfunded projects and difficulty upgrading old technology. VSaaS changes the expense model. It allows you to shift from a capital expenditure (CapEx) model, where large capital funding is required to purchase equipment, to an operational expenditure (OpEx) model, where the costs of the solution become an operating expense. Since the cameras, installation, storage, and software are packaged into a service, you don’t need a large capital outlay up front—you simply pay a predictable expense every month. VSaaS provides the capability for you to increase storage capacity when you need it Feature And Storage Capacity Upgrade Features VSaaS also makes it easier to upgrade old technology. When new technology becomes available, you can upgrade to it as part of the service. You no longer have to stick with old technology because of capital budget restrictions. Instead, you can upgrade to better cameras and management software features as they become available. The same is true for storage capacity. As camera resolution increases, the amount of data captured also increases. In addition, with the evolution of smart city technology and big data analytics, video data has become more valuable. As a result, there is a need not only to store more data but also to keep that data accessible for a longer period of time. VSaaS provides the capability for you to increase storage capacity when you need it. You can scale to accommodate growth, and since the storage is delivered as part of the service, you can leverage the “pay for use” model to manage your costs. On-Premise Storage Or Hybrid Where should surveillance video be stored? It’s an important question. After all, government entities must always comply with data privacy laws and handle data properly to ensure it can be used as evidence if needed. As a result, officials may prefer to be selective about where they store video data. In fact, the concern over regulatory requirements and security and privacy issues, according to Gartner, will lead governments to implement private cloud at twice the rate of public cloud through 2021. The provider’s ability to store large amounts of data cost-effectively makes VSaaS possible That’s not necessarily a show-stopper when it comes to video surveillance. Some VSaaS providers offer hybrid options. Plus, one of the things that makes VSaaS possible is the provider’s ability to store large amounts of data cost-effectively. Because service providers can manage their storage infrastructures economically, they can offer their service at an attractive price. Multi-Tier Storage Infrastructure In a way, government institutions (as well as commercial organizations) can do the same thing. If a government entity—for example, a small municipality—wanted to store their data on-premise or implement a hybrid configuration, they could solve some of their video storage challenges by implementing a multi-tier storage infrastructure similar to what a VSaaS provider might use to provide the actual service. A multi-tier storage infrastructure uses different storage media—disk, object storage, tape, and cloud—and combines them to deliver the total capacity needed while balancing performance and cost. The diagram below is an illustration of a multi-tier infrastructure: As the diagram shows, storage capacity grows using lower cost forms of media as volume and long-term retention requirements change. Files are moved between tiers based on user-defined policies. When the policies are met, the files are moved to a lower cost tier. Some file systems allow for multiple copies be written at ingest which not only minimizes the traffic of moving files across the network, but also provides much needed data protection through a second copy on a lower-cost tier. This scenario enables you to optimize the amount of high-performance media in your infrastructure and lower the long-term cost of retaining files. VSaaS offers many benefits for government institutions and commercial organizations alike Choice Of Implementations VSaaS offers many benefits for government institutions and commercial organizations alike. But not every implementation has the same needs or requirements. The good news is, when it comes to video surveillance solutions, you have options. You can leverage the benefits of VSaaS, in either a public cloud or hybrid scenario, depending on the service provider. Or if your needs dictate, you can achieve some of the same capacity and cost-saving benefits you would get from a VSaaS solution by implementing an on-premise solution based on a centralized VMS system and multi-tier storage. The choice is yours.