Security Services: Plugging Hiring Holes
You’ve protected your computer systems against hackers. You’ve improved the physical security of the perimeter of your building. You control entry into your building. But one point of access for intruders and terrorists still remains - the hiring process.
Insider threat is a recognized vulnerability that can negatively impact an organization’s people, physical assets, computer systems and proprietary information, thus threatening economic security, according to PriceWaterhouse Coopers’ Economic Crime Survey and Trends in Proprietary Information Loss. Insiders include anyone with legitimate access to physical or computer facilities, such as current and former employees, on-site contractors, vendors and temporary employees.
The threat of terrorism is usually perceived as a homeland security issue, although it also can affect a company’s economic security. “Ensuring security while protecting applicants’ and employees’ Constitutional rights constitutes a paradox for both human resources (HR) and security staff,” according to James Outtz, president of Outtz and Associates, a Washington, DC-based selection consulting firm.
One vulnerability has received little attention but relates to both insider threat and homeland security: the vulnerability of the hiring process to terrorists. Although insiders have carried out no major terrorist incident, several attempts have been made.
Key U.S. facilities were warned by the government in early 2003 to check for possible infiltrators among employees. Critical industries and key infrastructure and installations were warned to take steps to guard against potential terrorist attacks. Planning may begin months or years before an actual attack, according to the warning.
Hiring requirementsEmployment laws focus on ensuring fair hiring practices rather than security. Typical current hiring requirements include the Federal I-9 employment eligibility form. Organizations often do not conduct background checks on lower level employees, although they have access to facilities and may have access to sensitive data.
Even with the increased scrutiny to obtain legal identification, such as driver’s licenses, passports or Social Security cards, it is still fairly easy to obtain fraudulent documents or to falsify job applications. In New Jersey, 40 felons were arrested for falsifying applications for security guard jobs, according to mid-2005 media reports.
Further, human resources, unlike security, typically doesn’t realize the security issues related to hiring. According to Amotz Brandes of Chameleon Associates, a security consulting firm, “Every HR manager should wear the hat of the aggressor for a few hours and simulate penetration into the organization in order to realize the magnitude of this problem.” This exercise will give HR managers insight into the aggressor’s perspective. However, personnel with expertise on specific aggressors, such as security staff should perform vulnerability assessments.
Warning signsPossible indicators that may pinpoint an area for further investigation include:
- The job applicant provides written recommendation letters and states that telephone contact cannot be made with his/her references. Providing the names of companies that are no longer in business – such as Compaq, PanAm or TowerAir – is a suspicion indicator, according to Brandes.
- The job applicant has lived at his/her present address for a short time period.
- Work history and education do not fit with the proposed job. Although common for foreign nationals to apply for U.S. jobs for which they are overqualified, the applicant should be asked to explain any incompatibility between qualifications and prospective job.
- The applicant does not seem to care about the pay or the position and only seems interested in the accesses or work location, says Brandes.
Once hired, warning indicators may consist of requesting assignments where the employee can spend time alone (e.g., night shift), requesting frequent schedule changes, or serving as the sole reference for his/her friends who apply for jobs with the company.
Enterprises and the security and HR team need to put considerably more thought into their overall hiring approach. They may need to re-evaluate the hiring structure, according to Outtz. Companies select employees based on job-related factors that affect performance. But in today’s environment, additional factors, such as honesty and integrity, may have risen in importance from secondary to primary factors for certain positions.
Further, companies must revise their policies for how suspiciousness indicators are identified and dealt with. “The organization has an obligation to lay a foundation,” Outtz stated, “for ensuring that employees’ rights are not violated.” Brandes concurs, noting that “government/private cooperation in the field of screening is important.”
The focus should be on identifying suspicious behaviors, and then investigating them until they have been reasonably explained. Brandes stated that a predictive profiling approach has been used successfully to identify suspicion indicators based on known terrorist attack methods and observable behaviors. Then, the suspiciousness indicator is investigated until it is determined that it is not a threat. Any indicators that cannot be ruled out must be considered to be a threat. This approach, according to Brandes, will not violate Constitutional rights because it focuses on correlating observable behavior with known terrorist methods; it does not identify based on race, gender, or religious affiliation.
Side bar: The Dangerous InsiderRather than plan an attack from the outside, placing members on the inside of a company has many advantages:
- Learn the physical layout. To conduct surveillance from the inside of a physical facility, noting the layout and location of entrances, emergency exits, non-public areas, and building infrastructure. From a terrorist’s perspective, it is safer to photograph, videotape, or sketch layouts and structural designs as an insider.
- Observe security procedures. Security procedures and routines also can be more easily observed, such as identification requirements for the public versus company employees, daily variations in crowds or security routines, and special event arrangements.
- Prepare for and conduct an attack. To assist in perpetrating a terrorist operation, including carrying explosives or other weapons (or their components) into a building, providing vehicle access, or providing distractions. Depending on the structure of the terrorist cell, the terrorist insider could provide information to an attack team or could wear both a planning and operations hat.
Sidebar: Genetic Testing Next Hiring Step?Not for some enterprises. But some other organizations, which see ever-rising healthcare costs, already are insisting that employees not smoke and are randomly testing for it.
The opportunity to improve life through genomics-driven personalized medicine and preventive care will only be realized fully if individual genetic privacy is protected, according to Harriet Pearson, vice president and chief privacy officer at IBM. That firm has expanded its human resources policies to become the first major corporation in the world to commit not to use or require genetic testing in making employment decisions. IBM has been a pioneer in ensuring that other human attributes such as race, gender, age, disability or sexual orientation are not used in employment decisions.
Privacy issues are a legitimate sensitivity when it comes to hiring practices, according to IBM’s Harriet Pearson.