By Jodi Mardesich
In 2000, convicted hacker Kevin Mitnick started making the interview rounds, telling magazines that hiring hackers could help boost corporate security. So-called "ethical hacking," in which you pay someone to find security loopholes by breaking in, is one thing. Hiring a convicted felon is quite another.
Of course, many people believe that Mitnick was misunderstood. Now, six years later, Mitnick runs a security company. Still, even he admits that some people would never hire him because of his past. When organizations are consumed with fighting threats to data security both from outside and inside the corporate firewall, how can CIOs know whom they can trust?
One resource is the background check. This can include the standard checks for any job applicant, including past employment history, personal references, education, and drug screening. However, for security and IT personnel, screening for other factors, such as criminal record, driving history, military discharge information, and even psychological profiling are becoming more common. The majority of respondents to a CSO Research study last year said they do conduct some sort of background checks on current or incoming employees to weed out potential problems -- such as hiring a convicted hacker.
For IT and security personnel, knowing who you are hiring is more important than ever. These employees often have access to sensitive corporate information, private data from customers and employees, and they hold the keys to virtually all the important functions of the business.
"Information protection has always been a business issue," says Jonathan Penn, principal analyst with Forrester Research. "But in times like these, corporate espionage or personal data breach can be extremely damaging, if not catastrophic. Therefore, it is entirely appropriate to perform background and credit checks on IT staff and security staff."
Companies in the business of performing background checks sometimes report their findings, and the level of deception among the people they track can be alarming. An average of 8.5% of background checks turn up criminal convictions, according to Infolink Screening Services, a screening firm in Chatsworth, Calif. More than 36% of those screened falsified past employment, and 14% lied about education. Another unsettling bit of information: 4.8% of those screened didn't even have valid Social Security numbers.
Background checks provide tools for CIOs to use in the process of making hiring decisions. The vast majority of those interviewed in the CSO survey found background checks ranged from being somewhat effective to very effective in weeding out potential employees not suited for their companies. But in order for background checks to work, CIOs need a game plan that involves creating policies for checking the background of potential hires, including who should be screened, and what they should be screened for; determining who should do the checks; and determining what to do with the information gathered.
Creating policies
To be fair and consistent, CIOs should create policies around background checks. Decide who should be screened -- should it apply only to new hires, or should checks be performed on current staff as well? If a current employee is being promoted or undergoing an internal job change, consider running background checks on them if the new job will expand their access to confidential information.
Many employers check an applicant's references, work history, and education, as well as perform drug testing. But in the case of security and IT professionals, consider these extra checks:
- Criminal record If someone has been convicted of a crime, is it worth the risk of hiring them, even if they are technically brilliant or have the appropriate experience?
- Credit report If an applicant is having financial difficulty, they may have an incentive to use customer or employee information for financial gain.
- Sanctions and compliance For some companies that need to comply with state and federal laws, such as the Sarbanes-Oxley Act, the Patriot Act, and the Federal Deposit Insurance Act, it makes sense to screen applicants for sanctions or prohibitions.
Performing the screening
Organizations need to assign responsibility for doing the checks. Should processing background checks be the responsibility of the IT department, human resources, or the legal department? Of those surveyed by CSO Research, 60% said they wanted to be more involved in the process of screening employees. Only 35% said they or the security department was in charge, while half said the responsibility fell under the HR umbrella, and 2% rely on the legal department to do the work.
Background screening can be done in-house- using public records, but many of those surveyed by CSO outsource the job. While 41% outsource all screening, 44% use internal staff to manually call institutions and corporations or to research online databases. Internal staff can also use subscriptions to online services to gather information.
Using the information
After gathering the information, organizations need to have a policy for what to do with it. What constitutes a disqualifying action for a job candidate? If a crime has been committed, do the circumstances of a crime matter? Or if someone has a restraining order against them, should that necessarily bar them from employment? Some situations can be complex. Most of the respondents of the CSO survey say they have a formal written policy that states what is acceptable in a candidate's background. Yet many also allow exceptions. The majority of those surveyed by CSO have a formal process that is strictly followed, but some make exceptions on an ad hoc basis. Some won't allow any exceptions to policy, and others have no policy at all.
Part of any policy should include confirming the accuracy of background checks to be sure that the vendor doing the check has confirmed all negative information with original sources, or confirming with original sources if the check is done with an online database. Finally, managers need to decide if they will give the candidate a chance to correct a report before making a hiring decision, or whether they will share the report with the candidate.
The stereotypical IT worker shares many of the same characteristics of the cyber criminal -- they may be introverted and have so much faith in the power of technology that they can abuse it. By performing background checks, CIOs and other C-level executives can find out if current or potential employees harbor criminal records or other questionable behavior that might cause them to abuse the access they have to corporate assets.
Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon, Slate, and Yoga Journal.