Minimizing Risks from Contractors and Temporary Employees
Businesses and government agencies see value in using temporary workers, contractors and subcontractors. Nothing could go wrong. Right?
Wrong. Things could go very, very wrong.
Ask the National Security Agency (NSA), which contracted with Dell Inc. and Booz Allen Hamilton for help. Both contractors hired Edward Joseph Snowden, who leaked classified information from the NSA. He worked as an infrastructure analyst inside the NSA. In June 2013, he disclosed thousands of classified documents that he acquired while working as an NSA contractor first for Dell and then for Booz Allen Hamilton. The negative fallout was international and continuing.
Then consider Brian Howard, a contracted communications employee assigned to a Federal Aviation Administration radar center in suburban Chicago, who set fire to the center, grounding tens of thousands of flights in Chicago and across the country, as part of a plan to “take out” the center and kill himself.
Warning Ahead of Time
Just before he set the fire, Howard posted a Facebook message warning of his plans, according to an affidavit from an FBI agent filed as part of the complaint.
Even the U.S. Department of Homeland Security has temp worker, contractor and subcontractor vulnerabilities. It has scores of prime contractors ranging from the “A”s with Accenture to the “W”s with World Wide Technologies. The primes are encouraged to subcontract with small, small and disadvantaged, women-owned small, Historically Underutilized Business Zones or HUBZone-certified, 8(a) Business Development Program firms, veteran-owned small and service-disabled veteran-owned small businesses.
Background check the contractor firm and background check the workers or ensure the contractor has background checked his or her temp workers, advises Jeff Francis, co-founder and COO of Dallas-based Copper Mobile, an enterprise-centric mobile development firm that helps companies solve their business challenges with mobile solutions. Copper Mobile uses contracted talent as well as provides staff to clients at their sites. And don’t background check just once and let it go at that. Check more regularly, says Francis.
He adds that you can’t just go through the motions. Verify. Recheck your policies and procedures in place relative to temps and contracted labor. Continually inspect to make sure everything is in place. Also consider audit procedures – physical security, online security, network security and bring your own device procedures. He says that compliance can be achieved through auditing procedures. Always talk to or telephone the contractor for clarifications and to hash out differences beforehand, he says.
Sources of Assistance
Concerning background checks of contractors, contracting firms and temporary workers, there are numerous sources of assistance. First off, check with others that use the contractor but don’t just rely on references provided by the contractor, advises Francis.
Security guarding firms such as Securitas, AlliedBarton and G4S, among others, have long and deep expertise in vetting their own security officers and also can offer background investigations of others.
There also are firms that specialize in background checks. For example:
Thomson Reuters has a service called CLEAR. For corporate security, CLEAR makes investigating easier by providing:
- A thorough source of public and proprietary records, with real-time data to bring up the most current information;
- Graphical connections between people, addresses and phone numbers to help verify identity;
- Integrated Web searching, including social network sites, providing information not found in public records; and
- Customized reports to create and save for later use or share with necessary parties.
Another firm, HireRight, provides:
- Criminal background checks
- Identity checks
- Drug and health screening
- I-9 and E-Verify
- Extended Workforce Screening
HireRight developed what it says is the industry's first Internet-based background screening solution and pre-integrated background screening solutions. Such solutions can include an intuitive dashboard with real-time status updates at the enterprise site with built-in legal compliance tools.
Another source, Web-based, is Intelius, an information commerce company concentrating in online people data, delivering comprehensive information about individuals, their histories and their connections to others.
Check Social Media, Too
With social media holding so much information, companies have emerged to mine that data, too. One unique service is Geofeedia, which contends that monitoring keywords and hashtags isn’t enough. Two-thirds of social media activity doesn’t include them. The firm adds location-based intelligence to an enterprise’s social media data set to mitigate potential threats. Overall, the real-time, location-based social media monitoring platform helps security executives discover, engage and analyze social media data to protect assets, secure facilities, fight counterfeiting, check on contractor firms and strengthen business continuity plans.
The bottom line is to treat temps and contract workers just like in-house employees, observes Francis. That includes electronic card access controls and visibility as to what they are doing while on site or on the network. Set expectations through documentation. Continuously remind, train and retrain.
One example of a diverse temp and contractor workforce: cargo terminals. The Manchester Terminal in Houston, Texas, blends an integrated security center with identification credentials and thermal cameras for strict perimeter security at gates, docks and railways.
When it came down to selecting the new IP security solution, Manchester Terminal’s team relied on the knowledge of highly qualified engineers and consultants. They also engaged integrator Preferred Technologies, which suggested a unified platform and, according to Vinny Pilegge, executive committee member of the Manchester Terminal, “We ran with it.”
On the access control side, an IP-based system [Synergis from Genetec] manages several access control readers, five of which secure the entries and exits of their main operations facility, while the remainder are TWIC-compliant access control readers from Innometriks installed at the main gates. Instead of doing basic manual verifications of credentials, Manchester Terminal has taken things a step further by automating the authentication process with these high-tech readers. This streamlines the flow of traffic while only allowing authorized individuals onto their property.
The TWIC, or Transportation Worker Identification Credential, process includes checking individuals’ documentation as well as fingerprinting as part of a background investigation.
Pref Tech also developed a custom integration between a Genetec Security Center and TWIC-compliant handheld readers with identification and biometric matching software from IdSoftware. With hundreds of trucks coming and going, these handhelds allow the security officers to process credentials and inspect trucks that are lined up beyond the fixed TWIC readers, keeping the flow of traffic moving. The handhelds also allow them to go to the ship docks and check credentials for people coming off ships and spot check compliance around the facility.
The flexibility and openness of the total system also gave Manchester Terminal the ability to easily integrate an Asterisk Voice-over-IP (VoIP) intercom system, which is linked to its VoIP phone system. This intercom integration lets operators make calls to VoIP intercom stations to directly address patrons who require assistance or who do not have the proper credentials to enter the facility. The system will also automatically associate the audio recording with the video device that is capturing the discussion.
With their unified security platform in place, Manchester Terminal is not only keeping their facility operating at peak efficiency while better managing temps and contractors coming and going on site but also going beyond requirements outlined in their Facility Security Plan.
Simplifying day-to-day tasks has also been extended to the operation teams. Manchester Terminal has been able to significantly reduce the amount of manual logging and paperwork when keeping track of trucks, contractors, visitors and employees. Now, key personnel can automatically generate electronic reports for quick review, saving them considerable time. With future plans to expand their security system by adding devices and capabilities, Manchester Terminal is confident in their choice: “Having a unified platform with both video and access control affords us the ability to make more accurate and quick decisions. Today, we have a very robust security system with the flexibility to grow. It was a great long-term investment for our facility,” concludes Pilegge.
Use a Registration Engine
Verifying identity, mobility and flexibility were among the goals at the Port of Wilmington, Delaware, the leading North American importation site for fresh fruit, bananas and juice concentrate. It was also the first seaport to use the TWIC card, beginning with the TWIC Technology Phase pilot program in October 2003.
By using pivCLASS Registration Engine, which was deployed on mobile Datastrip readers as well as a desktop computer, port officials are now able to register TWIC holders throughout the port and transmit that information to the Pro-Watch system. These cards can then be read at the fixed card readers located at various entrances and access points throughout the port.
TWIC credentials are required for entry to the port by longshoremen, truck drivers, temps, contractors, surveyors, agents, chandlers, port chaplains and laborers who access secure areas. Tenants who have their offices at the port, such as produce giants Chiquita and Dole, are also required to be enrolled in TWIC.
Patrick Hemphill, retired manager, port security and facility security officer at the Port of Wilmington who led this project, says the mobile readers have been taken to local union halls to enroll longshoremen before they arrive at the port.
“This saved us a lot of time,” explains Hemphill. “We met with union leaders and set aside two two-hour periods on pay days. The members were made aware of the need to know their PIN, and we were able to enroll the majority of (union) members during those two days without interrupting their work schedule.”
Eric Schaeffer, president of Advantech Inc., the port’s systems integrator on the TWIC project, says one of the deciding factors in using this software was the ability to test the software in-house before making a commitment. He wanted to ensure that it would integrate with the existing Pro-Watch system.
SIDEBAR: Checking Up Makes Business Sense
Can background checks be conducted on independent contractors and other contingent workers? Sure, say the hiring experts.
In an effort to reduce potential risks and liabilities related to staffing practices, employers conduct background checks on their workers. Some employers are required under federal laws, state laws or local laws to conduct background checks as well. Employers are not prohibited from conducting background checks on all individuals performing work on their worksites. This includes their employees and all contingent staff, such as staffing agencies’ temporary employees, internally hired temporary employees, consultants, independent contractors and subcontractors, according to the Society of Human Resource Management (SHRM).
When determining if an employer should conduct background checks on independent contractors and other contingent workers, employers should rely on their internal policies based on state background checking laws, client relationships, government contract requirements, the employers’ industries, the U.S. Equal Employment Opportunity Commission (EEOC), the Fair Credit Reporting Act (FCRA) and for some service employers, the population with which they work and interact, according to a report from SHRM.
The FCRA, which governs the use of background checks, lists “employment purposes” as an appropriate use for obtaining a consumer report on an individual. The act also defines a “consumer” as an individual and “employment purposes” as “used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” Since independent contractors are not included when defining the use for “employment purposes” under the act, the Federal Trade Commission, the agency responsible for the enforcement and interpretation of the FCRA, has issued an opinion letter stating that the term “employment purposes” should include independent contractors.
The EEOC, which also provides guidance for employers on the use of background checks, does not prohibit employers from applying their background checking practices to contingent workers, including independent contractors. The EEOC requires that when making hiring decisions, employers demonstrate that their employment decisions applied to the use of background checks are job-related for the position in question and consistent with employers’ business necessity.
Agreeing with Jeff Francis, co-founder and COO of Dallas-based Copper Mobile, an enterprise-centric mobile development firm, SHRM states that employers who choose to conduct background checks should apply their policies consistently to their employees, candidates for employment, independent contractors, consultants and other contingent workers to prevent potential claims of discrimination, to mitigate security risks and to ensure compliance with all federal, state and local laws.
SIDEBAR 2: Managing the Contractor BYOD Headaches
According to a TechRepublic.com article by Will Kelly, who focuses on enterprise mobility, Bring Your Own Device (BYOD), and the consumerization of IT, “some statistics claim 40 percent of America's workforce will be freelancers by 2020.”
Contractors may or may not be part of an overall BYOD initiative but at some level and in some ways should be. The contractor BYOD scenario, no doubt, is going to become increasingly common over the years. Some firms now install software on a contractor’s device that creates a corporate section separate from the personal side of the device. Others issue phones, tablets or laptops that are configured specifically to handle an enterprise’s network policies and procedures.
Israel Lifshitz, CEO of Nubo Software, has solid BYOD security advice, available at www.securitymagazine.com. Just search for BYOD for that and other articles on the topic. Among his observations: Minimize the amount of data on devices. He writes that the more mobile our workforce becomes and the greater the reliance on mobile app access, the clearer the need to focus security of corporate data away from devices becomes. Mobile security becomes more straightforward when the most important asset needing protection – sensitive corporate data – is separated from the myriad of personally owned devices and operating systems that connect to the enterprise network. Inherently the weakest link in security, smartphones and tablets require constant patching to deal with malicious attacks and vulnerabilities. Virtualized enterprise mobility approaches have emerged which enable data management from a secured data center.