Employers can take steps to minimise surprises by a well thought out pre-employment screening program

Employers are increasingly concerned about the risks associated with employees, temporary workers, independent contractors, and others who have the ability to wreak havoc on an organization from the inside. This is often referred to as “insider threat.”

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters, and everything else in between. Potential insider threats are not just employees but anyone with access to a business office including contractors, vendors, and temporary workers. While there are numerous tools that can be used for preventing insider threats, this article will focus on background checks.

Although pre-employment background checks are often cited as an essential element of an insider threat prevention program, background checks are just one part of an overall strategy. The identification and prevention of insider threats requires an inter-disciplinary approach that can include mental health assessments, psychological testing, physical security, internal controls, continuous evaluation of personnel, supervisor and co-worker training to recognize danger signals, identification of risk factors, sharing and analyzing information between responsible parties, and a culture of safety, reporting, and integrity. Most critically, an organization needs to have a commitment to prevent these threats, and a leadership team and professionals who are able to formulate and implement an overall strategy. 

Background Checks - A Critical Part Of The Risk-Management Toolkit

Employees are not only a significant investment and large cost, but each hire also represents a large potential risk. Every employer has the obligation to exercise “due diligence” when hiring. Employers, especially in industries with higher risk, need to be able to vouch for the integrity and honesty of their employees. Generally speaking, people with a past history of honesty are much more likely to be honest in the future. Conversely, there is evidence to suggest that if applicants are dishonest in how they obtained a job, they may be dishonest once they have the job. But it is difficult to identify potential “bad hires” just by interviews since some applicants lie so often they come across naturally as if they believe their own story.

Background screening provides a valuable and objective risk-management tool that gives employers additional protection against a bad hire. Employers utilize background checks to minimize the risks associated with workplace violence, lost customers, negligent hiring lawsuits, identity theft and fraud, embezzlement, data breaches, and high turnover. It has been estimated, for example, that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire.

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation
It has been estimated that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire

Background Screening - Types Of Inquiry

A pre-employment background check is conducted under a federal law called the Fair Credit Reporting Act (FCRA) that sets out specific steps, such as the need for a written disclosure and consent as well as steps necessary to ensure accuracy and to allow a consumer to ask for a re-investigation of a report. Background checks broadly cover two types of inquiry. First, a background check may verify information an applicant provides about their credentials, such as past employment and education. Secondly, a check may involve searching relevant public or private records, such as driving records, criminal matters, exclusion or sanction databases, or credit reports. A competent screening firm will have a number of tools that can help an employer depending on the nature and risk of the hire and the industry involved.

Criminal record checks in particular are often a key element of a background check since past criminal conduct can raise concerns about the propensity to repeat criminal behavior. However, employers need to be mindful of their obligations under Equal Employment Opportunity (EEO) laws and other laws such as Ban the Box rules that prohibit asking about a criminal record on an application form, to ensure that the use of criminal records is both relevant and fair and complies with an employer’s legal obligations. 

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation. Class action lawsuits against employers have dramatically risen for example. For that reason, background screening has become a highly regulated professional endeavor that requires legal compliance expertise and the ability to provide highly accurate information while maintaining the highest level of data security and protection. 

Do Background Checks Eliminate Future Risks?

Part of the problem for employers is that even if a person passes a background check, it is hard for employers to measure with any accuracy how an employee will react in the future to various situations, such as a need for money, a substance abuse or other personal problem, or ability to act in an ethical fashion when under orders to do something that is less than ethical by a superior. Many organizations have found that the key is to supplement pre-employment background checks with ongoing or continuous screening, and an environment of control and physical safety.

Risk Types - Predictable, Unpredictable And Secret

Even with “good hires,” the potential for insider threats always exists. After getting applicants in the front door, a business must be concerned about employees with substantial authority (C-level and above), access to Information Technology (IT) or proprietary information, access to cash and accounting or access to sensitive information such customer lists and operations information. In fact, a new hire is full of risk. “Predictable risks” include employees with access to cash or assets and little internal controls. “Unpredictable risks” occur when employees develop financial issues, gamble, use drugs, or are encouraged or ordered by supervisors to perform acts of questionable honesty. “Secret risks” involve people with political agendas who use jobs to advance goals detrimental to employers.

There are also potential surprises employers can face post-hire. First, employers may obtain newly discovered information concerning an applicant such as discovering a new employee is a registered sex offender or faked an academic or professional credential. The good news is that employers can take steps to minimize surprises by a well thought out pre-employment screening program. The first step is to have in place policies, practices, and procedures to carefully select your employees in the first place through a well thought out pre-employment screening program commensurate with the risk involved.

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters
Experts recommend employers consider “continuous” evaluation that occurs periodically after hiring to deter employees from committing crimes after being hired

Formulating A Wise Pre-Employment Screening Program

Employers should also ensure their application forms make it clear that any material falsehood or omission can result in termination NO MATTER WHEN DISCOVERED and have language in employee manuals that deals with discovered falsehoods or omissions post-hire. Background check releases can have an “Evergreen” clause to allow future screening if needed (although there are limits to what can be done). Employers need to keep in mind that any screening program for new or existing employees should pay careful attention to the requirements of the FCRA as well as numerous applicable state laws.

There are several screening tools for detecting “insider threats”: Ongoing “continuous” evaluation (CE); Re-enactment (post-mortem) screenings; Credit Reports and asset searches; Social Media Background Checks; and Screening current workers or newly acquired workforce. It is also important for employers to know that internal “in-house” investigations can invoke the FCRA.

Employee Screening After Hiring

Some experts recommend employers consider “continuous” evaluation that occurs periodically after hiring. The argument in favour of such screening is that employees may commit a crime after being hired. It can also be a deterrence of sorts. Employers may also need to screen newly acquired employees if a merger or acquisition occurs. In addition, certain contracts may also require only screened employees.

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories

However, there are legal implications of using information acquired after hiring. Employers should not have a knee jerk reaction and carefully review all the facts and circumstances to give the employee an opportunity to be heard. It is especially important for employers to carefully document actions – especially if employee has pending employment related claim – and be careful of allegations of retaliation. In addition, many of these tools have drawbacks. For example, the use of social media sites to track threats is hampered by the fact that there is so much information online; it can be challenging to locate, identify, and utilize actionable data about a particular person, especially since a person may hide their activities behind privacy protection or use an anonymous online persona. 

Screening Without Proper Internal Controls Is Insufficient

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories. The walkaway point is that although pre-employment screening is critical to detect and deter fraud and threats, it is inadequate as a sole line of defense in the absence of proper internal controls that prevent surprises.

Bottom line: Employers must conduct due diligence before AND after hiring an employee. While this requires spending money, and the cost of background checks can be seen as a drag on the bottom line, the average cost of a screening usually equals the salary paid to employees for their first day of work. To paraphrase a well-known 1970’s marketing slogan: “You can pay (a little) now, or pay (a lot) later.”

Download PDF version

In case you missed it

Changing Regulations Promote Better Care Of Consumer Digital Privacy
Changing Regulations Promote Better Care Of Consumer Digital Privacy

There are two types of people in the world as it relates to privacy. Those that care about their privacy and sadly, those that don't. This divide continues to be further separated with the constant flood of cyber security breaches that we hear about. We, as consumers, can no longer get a cheap hamburger without hearing that once again, the information we want to be kept secret, has been breached. The old phrase of "you can lead a horse to water but you cannot make him drink" rings true as we approach helping consumers take charge of their digital and personal privacy. Governmental Regulations For Privacy Law makers have started taking up the charge to help protect the privacy of consumers Law makers have started taking up the charge to help protect the privacy of consumers. This has been executed with the newly European General Data Protection Regulation (GDPR) which went into effect on May 25th, 2018. The core premise is the consumer owns their data. Despite any company which uses, stores, or profits from a consumer's data, the consumer still owns it. This is a major shift in how the business are forced to protect the consumer's data. Even though many of us have likely heard about GDPR, it is not the only privacy law that's taking the world's stage. In fact, in California there is a new law called the California Consumer Privacy Act of 2018 which is focused around the same principles GDPR. This new California law goes into effect in 2020 and goes one step further by considering privacy as an alienable right for all consumers. Encouragement for consumers to take charge of their digital and personal privacy is becoming ever more important  Taking Ownership Of Privacy Despite the new regulations due to a corporation's lack of controls around consumer privacy data, the truth is that even though these regulations provide consumers with a mechanism to take ownership with how their personal data is used, doesn't mean they will. It's at this point we, as the security industry, need to step back to consider how we can improve the problem. Just because laws have paved a way, we still need to help consumers travel down the road to better privacy. For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rightsThere are two further mechanisms that we still need, governmental social programs and continued passionate discussions from the security industry. Governmental social programs will help provide free or low-cost classes for consumers to learn about how they can protect their privacy. However, governmental programs can only go so far and this by itself will not be enough. History has shown that social progress accomplished by a passionate minority that stands up against the oppression of human rights. For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rights. Not only do we need to exercise the capabilities new GDPR laws has created for us, but we should tell the important people in our lives. We need to stand up for our privacy because if we don't, we'll end up losing even more of our privacy. 

What Is The Value Of Remotely Monitoring A System's Health And Operation?
What Is The Value Of Remotely Monitoring A System's Health And Operation?

When is it too late to learn that a video camera isn’t working properly? As any security professional will tell you, it’s too late when you find that the system has failed to capture critical video. And yet, for many years, system administrators “didn’t know what they didn’t know.” And when they found out, it was too late, and the system failed to perform as intended. Fortunately, in today’s technology-driven networked environment, monitoring a system’s health is much easier, and a variety of systems can be deployed to ensure the integrity of a system’s operation. We asked this week’s Expert Panel Roundtable: How can remote monitoring of a security system’s health and operation impact integrators and end users?

Importance Of Establishing Security Standards For K12 School Security
Importance Of Establishing Security Standards For K12 School Security

As we approach National Safe Schools Week (October 21-27), it is appropriate for a conversation to begin regarding establishing standards for K12 school security. Currently no standards exist for assisting schools navigate the complexity of understanding what they need, how much it will cost and how they will secure their learning environments. Security Industry Experts The Partner Alliance for Safer Schools (PASS) is one of the organizations at the forefront of establishing security standards for schools. In 2014, the Security Industry Association (SIA) and the National Systems Contractors Association (NSCA) formed PASS, which brought together a cross functional group of members including school officials, safe schools’ consultants, law enforcement and security industry experts to collaborate and develop a coordinated approach to protecting K-12 students and staff. School administrators are often contacted repeatedly by organizations with multiple safety and security products PASS has provided valuable insights regarding an ‘All Hazards’ approach to school safety and security. In fact, PASS suggests that school administrators are challenged with two decisions: Determining what they need to do How to prioritize Safe School Environment School administrators are experts in running schools and providing education. However, most are not security experts and do not understand the complexity of implementing a comprehensive physical security and safety program across their districts. Still, they are often contacted repeatedly by organizations with multiple safety and security products. School administrators are experts in running schools and providing education, but most are not security experts  Some of these organizations recognize their products are just pieces of a safe school environment puzzle and how they fit in, whereas others focus on specific applications and do not understand how their specific solutions may affect life safety codes and Americans with Disabilities Act law. (Note: Many ‘barricade devices’ fall into this latter category and actually introduce liability concerns with the unintended consequences of their use.)Schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis Even for experts, the plethora of options and disparate systems required to integrate a safety and security approach at schools is daunting. The ongoing challenge is integrating access control, video, mass notification, and/or visitor management products into a single, effective, and appropriate system the owner can understand, utilize, and afford and that meet local codes and ADA laws. In the absence of standards, schools are likely to amass a collection of devices that do not constitute a comprehensive solution. Lack Of Consensus In years past, the our industry and commercial buildings adhered to legacy codes – like Building Officials and Code Administrators International Inc. (BOCA), Uniform Building Code (UBC), Southern Building Code Congress International Inc. (SBBCI), and International Conference of Building Officials (ICBO) – which have traditionally been revised every three years, while local jurisdictions decided what versions to adopt and enforce. Currently, however, there is a move toward the International Building Code (IBC), which is published by the International Code Council (ICC) and includes standards and guidance for commercial buildings on doors, windows, and other openings. A risk assessment is the next step toward developing a comprehensive security plan, and begins with developing a trend analysis Still, despite this migration of codes from a patchwork of local decisions to global guidelines, there remains a lack of consensus around school security. The current fragmented approach causes confusion regarding how new schools are designed and how to retrofit existing school buildings, whose average age is 45+ years. Right Protection Equipment One can point to the fact that there hasn’t been one student lost in a school fire in over 50 years as testament to standards like NFPA 80 and NFPA 101 being referenced in model building codes. Additionally, schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis. It’s not just having the right protection equipment in the building, it’s also having a procedural layer in place to make sure everyone knows their roles and responsibilities in the event of fire. The stress of the actual event can limit ones’ ability to think clearly. Practice makes perfect. Why would we approach school security any differently? School security is a team effort, and it is important to understand all the areas security impacts and involves School security is a team effort. It is important to understand all the areas security impacts and involves. PASS suggests starting with a basic team consisting of: Security Director Local Law Enforcement School Administrator Integrator Door and Hardware Consultant IT Director Comprehensive Security Plan Quantifying and mitigating risk are the jobs of security professionals and school administratorsA risk assessment is the next step toward developing a comprehensive security plan. This often begins with conducting a trend analysis requiring the collection of data from a variety of public and private sources. The challenge is to pull these pieces into a usable and easily understood format that provides a guide for current and future risk concerns. Risk assessment and mitigation can never eliminate risk. Quantifying and mitigating risk are the jobs of security professionals and school administrators. Data from the following sources can help measure risk: Campus: Review incident report trends for at least the past 36 months. Area and city: Review crime data from local law enforcement for the surrounding neighborhood and city. Screening procedures: How is hiring conducted? Anonymous tip reporting systems: Enabling students, staff members, parents and the community to anonymously alert administrators to perceived and actual threats. Social media monitoring: such monitoring can provide important information that can be used to identify risks. Monitoring social media could help measure risk for school safety Delay Adversarial Behaviors These assessments can then be incorporated into the best practice approach of Layered Security. Layered security combines best practice components within each layer that effectively deter, detect and delay adversarial behaviors. Layered security works from the outside in. As one layer is bypassed, another layer provides an additional level of protection. The asset being protected is at the center of the layers – students, staff and authorized visitors. PASS defines five layers of Security:As one layer is bypassed, another layer provides an additional level of protection District Wide Property Perimeter Parking Lot Perimeter Building Perimeter Classroom/Interior Perimeter Appropriate Tier Target Each layer can be broken down into Tier levels with Tier 1 being basic and Tier 4 being the highest level of security. It is important to understand that the demographics of individual school buildings varies, even within the same district. Security experts will quickly point out that ‘if you’ve seen one school, you’ve seen one school’. The assessments will determine the appropriate Tier target. Figure 1 Each layer includes essential protective elements, or components, of security. Every layer does not necessarily include all seven of these common components, and a layer may include additional components unique to that particular layer. Safety And Security Components Policies & Procedures People (roles & training) Architectural Communication Access Control Video Surveillance Detection and Alarms Layered Security While components are not listed in a priority order, three components included in all layers are policies and procedures, the roles and training of people, and communication. These components often perform a function in every layer and every tier in each layer. Three tools come together in the PASS approach as outlined in the new 4th Edition of the PASS Guidelines (Figure 2) - the Layers are established and defined, a Checklist/Assessment breaks down each layer into tiered best practices which then tie into the guidelines where a narrative explains each best practice in more detail. Figure 2  Schools need not reinvent the wheel when it comes to school security planning. Following the best practices of Risk Assessments and Layered Security will ensure that every school building in a district will have a unique and comprehensive plan that is tailored to their individual needs.