Employers can take steps to minimise surprises by a well thought out pre-employment screening program

Employers are increasingly concerned about the risks associated with employees, temporary workers, independent contractors, and others who have the ability to wreak havoc on an organization from the inside. This is often referred to as “insider threat.”

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters, and everything else in between. Potential insider threats are not just employees but anyone with access to a business office including contractors, vendors, and temporary workers. While there are numerous tools that can be used for preventing insider threats, this article will focus on background checks.

Although pre-employment background checks are often cited as an essential element of an insider threat prevention program, background checks are just one part of an overall strategy. The identification and prevention of insider threats requires an inter-disciplinary approach that can include mental health assessments, psychological testing, physical security, internal controls, continuous evaluation of personnel, supervisor and co-worker training to recognize danger signals, identification of risk factors, sharing and analyzing information between responsible parties, and a culture of safety, reporting, and integrity. Most critically, an organization needs to have a commitment to prevent these threats, and a leadership team and professionals who are able to formulate and implement an overall strategy. 

Background Checks - A Critical Part Of The Risk-Management Toolkit

Employees are not only a significant investment and large cost, but each hire also represents a large potential risk. Every employer has the obligation to exercise “due diligence” when hiring. Employers, especially in industries with higher risk, need to be able to vouch for the integrity and honesty of their employees. Generally speaking, people with a past history of honesty are much more likely to be honest in the future. Conversely, there is evidence to suggest that if applicants are dishonest in how they obtained a job, they may be dishonest once they have the job. But it is difficult to identify potential “bad hires” just by interviews since some applicants lie so often they come across naturally as if they believe their own story.

Background screening provides a valuable and objective risk-management tool that gives employers additional protection against a bad hire. Employers utilize background checks to minimize the risks associated with workplace violence, lost customers, negligent hiring lawsuits, identity theft and fraud, embezzlement, data breaches, and high turnover. It has been estimated, for example, that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire.

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation
It has been estimated that the cost of a single bad hire can run from $10,000 to $100,000 given time wasted to recruit, hire, and train and then having to replace the bad hire

Background Screening - Types Of Inquiry

A pre-employment background check is conducted under a federal law called the Fair Credit Reporting Act (FCRA) that sets out specific steps, such as the need for a written disclosure and consent as well as steps necessary to ensure accuracy and to allow a consumer to ask for a re-investigation of a report. Background checks broadly cover two types of inquiry. First, a background check may verify information an applicant provides about their credentials, such as past employment and education. Secondly, a check may involve searching relevant public or private records, such as driving records, criminal matters, exclusion or sanction databases, or credit reports. A competent screening firm will have a number of tools that can help an employer depending on the nature and risk of the hire and the industry involved.

Criminal record checks in particular are often a key element of a background check since past criminal conduct can raise concerns about the propensity to repeat criminal behavior. However, employers need to be mindful of their obligations under Equal Employment Opportunity (EEO) laws and other laws such as Ban the Box rules that prohibit asking about a criminal record on an application form, to ensure that the use of criminal records is both relevant and fair and complies with an employer’s legal obligations. 

Since background checks can impact employment, it is increasingly subject to more litigation, regulation and legislation. Class action lawsuits against employers have dramatically risen for example. For that reason, background screening has become a highly regulated professional endeavor that requires legal compliance expertise and the ability to provide highly accurate information while maintaining the highest level of data security and protection. 

Do Background Checks Eliminate Future Risks?

Part of the problem for employers is that even if a person passes a background check, it is hard for employers to measure with any accuracy how an employee will react in the future to various situations, such as a need for money, a substance abuse or other personal problem, or ability to act in an ethical fashion when under orders to do something that is less than ethical by a superior. Many organizations have found that the key is to supplement pre-employment background checks with ongoing or continuous screening, and an environment of control and physical safety.

Risk Types - Predictable, Unpredictable And Secret

Even with “good hires,” the potential for insider threats always exists. After getting applicants in the front door, a business must be concerned about employees with substantial authority (C-level and above), access to Information Technology (IT) or proprietary information, access to cash and accounting or access to sensitive information such customer lists and operations information. In fact, a new hire is full of risk. “Predictable risks” include employees with access to cash or assets and little internal controls. “Unpredictable risks” occur when employees develop financial issues, gamble, use drugs, or are encouraged or ordered by supervisors to perform acts of questionable honesty. “Secret risks” involve people with political agendas who use jobs to advance goals detrimental to employers.

There are also potential surprises employers can face post-hire. First, employers may obtain newly discovered information concerning an applicant such as discovering a new employee is a registered sex offender or faked an academic or professional credential. The good news is that employers can take steps to minimize surprises by a well thought out pre-employment screening program. The first step is to have in place policies, practices, and procedures to carefully select your employees in the first place through a well thought out pre-employment screening program commensurate with the risk involved.

There are numerous types of insider and post-hire threats that range from embezzlement, theft of trade secrets, workplace violence or active shooters
Experts recommend employers consider “continuous” evaluation that occurs periodically after hiring to deter employees from committing crimes after being hired

Formulating A Wise Pre-Employment Screening Program

Employers should also ensure their application forms make it clear that any material falsehood or omission can result in termination NO MATTER WHEN DISCOVERED and have language in employee manuals that deals with discovered falsehoods or omissions post-hire. Background check releases can have an “Evergreen” clause to allow future screening if needed (although there are limits to what can be done). Employers need to keep in mind that any screening program for new or existing employees should pay careful attention to the requirements of the FCRA as well as numerous applicable state laws.

There are several screening tools for detecting “insider threats”: Ongoing “continuous” evaluation (CE); Re-enactment (post-mortem) screenings; Credit Reports and asset searches; Social Media Background Checks; and Screening current workers or newly acquired workforce. It is also important for employers to know that internal “in-house” investigations can invoke the FCRA.

Employee Screening After Hiring

Some experts recommend employers consider “continuous” evaluation that occurs periodically after hiring. The argument in favour of such screening is that employees may commit a crime after being hired. It can also be a deterrence of sorts. Employers may also need to screen newly acquired employees if a merger or acquisition occurs. In addition, certain contracts may also require only screened employees.

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories

However, there are legal implications of using information acquired after hiring. Employers should not have a knee jerk reaction and carefully review all the facts and circumstances to give the employee an opportunity to be heard. It is especially important for employers to carefully document actions – especially if employee has pending employment related claim – and be careful of allegations of retaliation. In addition, many of these tools have drawbacks. For example, the use of social media sites to track threats is hampered by the fact that there is so much information online; it can be challenging to locate, identify, and utilize actionable data about a particular person, especially since a person may hide their activities behind privacy protection or use an anonymous online persona. 

Screening Without Proper Internal Controls Is Insufficient

According to the 2012 Association of Certified Fraud Examiners (ACFE) Report to the Nations, most occupational fraudsters are first-time offenders with clean employment and criminal histories. The walkaway point is that although pre-employment screening is critical to detect and deter fraud and threats, it is inadequate as a sole line of defense in the absence of proper internal controls that prevent surprises.

Bottom line: Employers must conduct due diligence before AND after hiring an employee. While this requires spending money, and the cost of background checks can be seen as a drag on the bottom line, the average cost of a screening usually equals the salary paid to employees for their first day of work. To paraphrase a well-known 1970’s marketing slogan: “You can pay (a little) now, or pay (a lot) later.”

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Are Privacy Concerns Stifling Innovation in Security?
Are Privacy Concerns Stifling Innovation in Security?

Facial recognition is the latest technology to be targeted because of concerns about privacy. If such concerns cloud the public perception, they can be harmful to technology markets. Whether the concerns are genuine or based on misinformation is often beside the point; the practical damage has already been done. But beyond market demand, what is the impact of privacy concerns on technology innovation? We asked this week’s Expert Panel Roundtable: Are privacy concerns stifling innovation in security and related markets? 

Building Security: How Audio Tells the Whole Story
Building Security: How Audio Tells the Whole Story

Every building starts with the entrance. A solid enterprise risk mitigation and security strategy include protecting that entrance. Often, risk mitigation strategies protecting the entrance have included high-resolution video surveillance cameras, video management systems, and access control solutions. But that strategy and set of security solutions only tells part of the story. Imagine a security guard who is protecting a facility after hours, when an individual approaches the entrance and seeks to gain access. The security guard can pull up the video surveillance feed and see the individual and his movements, which appear to be suspicious. But he also needs to hear him in order to decide the next decisions and actions. Does he escalate the situation, calling for backup and for first responders’ response, or does he allow the individual access to the building because he works there and is authorized to enter?   Meet high-definition voice What the security guard needs is to be able to hear and to communicate with that individual. All enterprise security systems need three primary components in order to successfully protect the entrance and to mitigate risk – access control, video surveillance, and the ability to hear and communicate. Each component plays an integral role in supporting a unified security system, and without all three, the security system is not complete. Access control can be thought of as the brains of a security system by holding data and permissions. It serves as the arms and hands of the system; it can either keep someone out or invite them in. IP video allows a security team to remotely position a set of eyes anywhere an IP camera can be placed on a network. With a video management system, security teams can see what is happening and decide how to respond. However, with remote viewing, the event may be over by the time security physically responds.  Audio adds interactivity That three-component enterprise security system – comprising IP video, access control, and high-definition voice working together mitigates risks and provides value. It also means that security is interactive. Security teams talk and listen to the person that’s seen on a video surveillance system, no matter where the location or how remote. If the person is lost or simply needs assistance, security personnel can talk to them and provide direction and reassurance. Even more, in an emergency, an interactive solution becomes a critical life-saving tool, as it provides data that can be shared between security, police, emergency services, and more. Audio can also detect voices, noises, breaking glass, or other sounds that are not within direct view of a video camera. An interactive security system creates an informed response, by providing real-time situation awareness management. Post-event, it supports forensics and investigations to mitigate future security incidents.  Audio and COVID-19 We are living in extraordinary times. As businesses begin to reopen and stay open, they are looking for any tools that can help them overcome the enormous challenges they face. In buildings and facilities, the COVID-19 pandemic has created a new security perimeter, one that demands contactless access with entry and exit, and that has also created a new duty of care for security professionals. Now more than ever is the need to interact and communicate with individuals moving in and out of doors and spaces without physical intervention. Intelligent communications, integrated with contactless access control, can help a business to comply with pandemic safety guidelines and ultimately, reopen for business and stay open.  COVID-19 has also increased the need for clean-room isolation and quarantine spaces, sometimes in areas not originally intended for that use, where risk of infection is high, and equipment must be easily disinfected between patients. Here, purpose-built cleanroom intercoms, providing clear touchless communications despite the noisy environment, have emerged as critical tools for enabling patient care while reducing the need to enter the contaminated space. For example, voice communication can enable hospital staff to verify identity and to communicate with patients without entering the isolated and infectious environment, which can save on personal protective equipment (PPE) and reduce the amount of exposure to the virus. In non-emergency healthcare facilities, such as medical centers, voice can effectively relay information to building occupants and visitors for screening purposes. Visitors can be seen and heard. For example, a patient who seeks access to a medical center for an appointment can hear important instructions from a nurse via the intercom solution. Seeing the person that you talk to is one thing but hearing them conveys a much better sense of closeness, making it possible to maintain a high level of security and customer service.  The whole story Today’s security systems should no longer simply involve video surveillance cameras generating feedback and images to a security guard. Instead, a new ecosystem for enterprise security and risk mitigation has emerged, and it’s one that involves video surveillance, access control, and high-definition voice. That ecosystem can ensure well-rounded and responsive information management and security platform, all communicating with each other and offering actionable insight into risks and potential physical breaches. Audio is the new value hub of the connected and intelligent school, campus, building, correctional facility, and more. Simply put, a silent security system cannot be an effective security system. In every situation, it is crucial for all security professionals to mitigate risk, no matter what they are protecting. This emphasizes the need to hear, be heard, and be understood in virtually any environment.  

Inclusion and Diversity in the Security Industry: ‘One Step at a Time’
Inclusion and Diversity in the Security Industry: ‘One Step at a Time’

Historically, concerns about inclusion and diversity have not been widely discussed in the security market. In the last couple of years, however, the Security Industry Association (SIA) and other groups have worked to raise awareness around issues of diversity and inclusion. Specifically, SIA’s Women in Security Forum has focused on the growing role of women in all aspects of security, and SIA’s RISE community has focused on “rising stars” in an industry previously dominated by Baby Boomers. The next generation of security leaders There is a business case to be made for diversity and inclusion, says a report by McKinsey & Company. According to the management consulting company, gender-diverse companies are 24% more likely to outperform less diverse companies, and ethnically diverse companies are 33% more likely to outperform their less diverse counterparts. Furthermore, the “next generation of security leaders” – employees under 30 – are particularly focused on diversity and inclusion. Diversity refers to the traits and characteristics that make people unique A panel discussion at ISC West’s Virtual Event highlighted aspects of inclusion and diversity, starting with a definition of each. Diversity refers to the traits and characteristics that make people unique. On the other hand, inclusion refers to the behavior and social norms that ensure people feel welcome. “We are all on a journey, and our journey takes different paths,” said Willem Ryan of AlertEnterprise, one of the SIA panelists. “There are opportunities to improve over time. We can all change and increase our ability to have a positive impact.” Industry responsibility The industry has a responsibility to the next generation of industry leaders to address issues of inclusion and diversity. Forbes magazine says that millennials are more engaged at work when they believe their company fosters an inclusive culture. So the question becomes: How do we unify and create opportunities to work with and champion tomorrow’s leaders? SIA is driving change in our industry to achieve that goal. More women are active in SIA than ever before. The SIA Women in Security Forum now has 520 members, said Maureen Carlo of BCD International, the SIA Women in Security Forum Chair and another panelist. Also, more women than ever are chairing SIA committees and serving on the SIA Board of Directors. More women than ever are chairing SIA committees Overcoming unconscious bias Former SIA Chairman Scott Shafer of SMS Advisors, another of the panelists, noted that SIA awarded the Chairman’s Award to the Women in Security Forum in 2019, and to the RISE community steering committee in 2020. “There are lots of ways we are seeing the elevation of women and ethnic groups in the security industry,” said Shafer. One topic of interest is the problem of “unconscious bias,” which can be overcome by looking at something through some else’s lens. Ryan suggested use of the acronym SELF –  Slow Down, Empathize, Learn, and Find commonalities. Ryan recalled the value of being mentored and having someone shepherd him around the industry. “Now I want to give back,” he said. “We need to look at the things we can change in ourselves, in our company, in our communities, and in our industry. Change comes from the bottom and the top.” Increasing representation “It takes all of us to increase representation everywhere,” said Kasia Hanson of Intel Corp., another panelist. “We have in common that we are all human beings. Let’s make sure the next generation all have opportunities.” Diverse companies can attract better talent Moving forward, the panelists urged the industry to get involved and create opportunities because inclusion drives diversity. Diverse companies can attract better talent and attain a competitive advantage. Awareness of unconscious bias, and working to eliminate it, is an important element of change. Despite the progress the security industry is making, change continues to be incremental. As Ruth Bader Ginsburg has said, “Real change, enduring change, happens one step at a time.”