The necessity of robust and consistent pre-employment screening practices during the recruitment process is well documented; however, the issue of periodically re-screening candidates throughout their employment is one that is rarely touched upon by companies looking to shore up existing screening practices. In reality, re-screening candidates, particularly when they are being moved to more risk-laden roles within a company, is of crucial importance to the security of the business.
In a business environment where advances in technology make information transfer faster and easier than ever before, many organisations spend their energy ensuring that their critical systems are protected from external intruders, but completely overlook the threat of insiders with full, working access. In the wake of the high-profile Manning and Snowden cases, the damage that insider threats can cause an organisation, whether legal, fiscal or reputational, is demonstrably high. Periodic re-screening can highlight the very red flags that could save an employer the fallout of costly fraud, or the malicious release of sensitive data, trade secrets or private personal information.
Why is re-screening so important?
There are a number of reasons that re-screening may be adopted by a company, including, but not limited to:
- Industry-specific legislative compliance;
- Fraud and corruption prevention & detection;
- Internal promotion risk management;
- Site access for new or existing projects; and
- Creation of robust security practices.
Failure to re-screen candidates opens an organisation to a number of risks from internal employees that would otherwise be highly preventable.
The 2014 Global Fraud Study indicates that new employees are not the biggest perpetrators of fraud: “The largest group of fraud perpetrators (41%) had been employed by their targets between one and five years before committing their crimes. Less than 7% committed fraud within the first year of employment with the victim.” Behavioural red-flags might not be so apparent at the point of employment, but may manifest later in the employee’s service to the company.
About Fraud Prevention
The 2014 Global Fraud Study indicates that early fraud detection is crucial to mitigating damages to an organisation: “One-quarter of the frauds in our study were detected in the first six months of their occurrence; for those cases, the median loss was limited to $50,000.” While this may still seem quite high, far greater damages are incurred the longer a fraud is allowed to continue. Given that most frauds occur between one and five years after an employee is hired, vigilance in behavioural monitoring throughout employment is just as important as a robust pre-employment screening procedure.
Furthermore, employees holding positions of authority should not be exempt from re-screening procedures. The 2014 figures show that more than half (55%) of frauds are committed by employees in management or executive positions, and that these frauds have a higher median duration than those committed by lower-level employees. This ultimately means the victim company incurs higher overall damages. Equally concerning are the cultural implications amongst the senior ranks. The 2016 Global Fraud Study found that 36% of CFOs and 46% of finance team members are willing to justify unethical behaviour when under financial pressure. The unethical behaviour considered was that undertaken to meet internal financial targets, help the company survive an economic downturn, or win or retain business.
The CERT Guide to Insider Threats published by Carnegie Mellon University advises organisations to “institute periodic enterprise-wide risk assessments” as the first recommendation in its “Common Sense Guide to Mitigating Insider Threats”. While a high-ranking employee’s service and good standing with a company should be acknowledged and appreciated, responsible screening procedures should occur at every level of a company.
About Insider Threats
An insider threat is an employee or former employee who has or once had access to the company’s systems, secrets or information, and who uses this access to negatively impact that company or its customers. The 2011 CyberSecurity Watch Survey, conducted by the U.S. Secret Service, the CERT Insider Threat Center, CSO Magazine and Deloitte, noted that “43% of respondents had experienced at least one malicious, deliberate insider incident in the previous year”. The Survey also highlighted that insider threats can occur across all industries, but are most common in the Banking and Finance and Information Technology sectors. This unauthorised use of information can culminate in financial fraud, disclosure of sensitive company information, breaches of client and customer personal information, and damage to company systems.
According to a 2017 survey conducted by Lawyers Weekly and InfoTrack, another industry leaving itself open to internal crime is the legal sector.
The report surveyed 216 Australian legal professionals, and despite many stating that pre-employment screening is important, the statistics are alarming. 32% revealed that either their law firm or a client’s business had been the victim of crime committed by someone internally, largely of a financial nature, including theft, fraud and misappropriation of funds.
Further, 57% of respondents agreed that the biggest impact when crime occurs internally is felt in the firm’s reputation, followed by revenue at 12%.
Crucial to understanding insider threats is the abolition of the misconception that insider threats are perpetrated by people with a “fixed personality” that has a propensity to undertake criminal activity for personal gain; motivations might not be as straightforward as greed, arrogance or entitlement. Rather, it is important to realise that incidents of insider misconduct are often preceded by some form of personal strife that has forced a psychological shift in the person responsible, and a feeling of helplessness that sees this behaviour perpetuated. Often this is personal tragedy (grief, financial trouble, relationship breakdown), and it is highlighted by behavioural red flags in the employee’s conduct to which the organisation should be particularly sensitive.
Common red flags were identified in 92% of fraud cases examined in the 2014 Global Fraud Study, and in 64% of cases the perpetrator displayed more than one behavioural red flag. Those studied were said to be “living beyond their means”, “experiencing known financial difficulties”, and many were suffering visible stress from “recent divorce or family problems”. For this reason, “open door” policies, thorough annual reviews and ongoing re-screens that include criminal and financial background checks are crucial to mitigating risks from insider threats.
Some things to consider
Adopting re-screening in addition to standard pre-employment screening may mean that not all of the checks conducted at the pre-employment stage need be repeated for the re-screen. For example, if a standard pre-employment screening package consisted of a Qualification Validation, Police Check, Employment Validation and Bankruptcy Check, the Qualification and Employment Validation need not be completed again, as these were sufficiently verified the first time. However, re-checking a candidate’s criminal history and bankruptcy status might reveal important adverse changes since they were last screened. The process is usually much quicker than the initial screening, and requires much less information from employees to proceed.
When promoting a candidate into a new role that includes higher levels of risk or greater access to critical information, the checks they received in their entry-level pre-employment screening may no longer satisfy the security requirements of their new role. For example, consider an entry-level candidate who undertook a Police Check upon joining an organisation, as part of the standard recruitment procedure for entry-level positions. If the candidate is then internally promoted to a role that requires access to company funds, they might now require financial background checks in addition to a refreshed Police Check, to ensure that no relevant information is missed and that they have been sufficiently screened for this higher-risk role.
Re-screening is also common in industries that have client-facing requirements. Many organisations require a certain level of screening of contracting company employees before those employees work on-site or with sensitive company information. This means background checking is an essential part of certain commercial contracts.
Some industries and many government departments have specific legislative compliance procedures surrounding re-screening. Australian sectors that involve work with children, the disabled, the elderly or other vulnerable groups require re-screening every three to five years depending on the state. Similarly, the New Zealand Vulnerable Children Act (2014) requires employees who come into contact with children to undergo re-screening as an industry standard every three years. APRA Fit and Proper standards dictate that annual fit and proper assessments must be conducted for persons in responsible roles, though industry best practice may dictate that this should extend to a wider range of employees.
As more and more companies from all industry types embrace the importance of pre-employment screening, many more are realising the benefits of re-screening to protect company assets from internal fraud. Re-screening is a quick and cost-effective strategy that seeks to detect changes in employee circumstances that may give rise to employee fraud.
For more information on how PeopleCheck can assist with re-screening for your organisation, please contact us via phone on +612 4023 0603 or email us at firstname.lastname@example.org.
Cappelli, M. and Moore, P. (2008). Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks. Carnegie Mellon University Software Engineering Institute CERT Program.
Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T. and Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats, 4th Edition. Carnegie Mellon University Software Engineering Institute CERT Program.
Association of Certified Fraud Examiners (ACFE). (2014). 2014 Global Fraud Study: Report to the Nations on Occupational Fraud and Abuse. Texas: United States.
Charney, D. (2010). “True Psychology of the Insider Spy.” Intelligencer: Journal of U.S. Intelligence Studies, Fall/Winter 2010: 47-54.
Australian Government (2015). Managing the Insider Threat to your Business: A Personnel Security Handbook. Canberra: Australia.
CERT (2015). The Insider Threat. CERT – Software Engineering Institute, Carnegie Mellon University. Available from: http://www.cert.org/insider-threat/
EY (2016). 2016 EY Global Fraud Survey. Available from: http://www.ey.com/Publication/vwLUAssets/ey-global-fraud-survey-2016/$FILE/ey-global-fraud-survey-final.pdf
Lawyers Weekly (2017). Internal crime perpetrating through law firms, 06 July 2017. Available from: https://www.lawyersweekly.com.au/biglaw/21419-internal-crime-perpetrating-through-law-firms
The information contained in this paper is the opinion of PeopleCheck Pty Ltd and does not form the basis of legal advice.