"Understanding the details and facts about someone's identity when recruiting can support your efforts in managing insider threat," wrote Jim Steven, head of data breach services at Experian Consumer Services in a recent blog post.
Unfortunately, employee data theft is a huge risk in the workplace today.
Two-thirds of respondents in the 2016 Experian/Ponemon paper, Managing Insider Risk through Training and Culture, said that employees are the weakest link in maintaining a strong security culture. Over half (55%) blamed a malicious or negligent employee for at least one security incident.
Globally, the total cost of fraud in the 2016 ACFE Report to the Nations on Occupational Fraud and Abuse was more than £5.2 billion. The median loss for each company in the report was £122,000 with almost a quarter of victims incurring losses of £818,000 or more.
Here is how different employee screening processes can help protect an organisation against insider fraud and employee data breach incidents.
- Pre-screening a new employee can help identify applicants who may pose a threat to information assets. Pre-screening can include past employment verification, criminal background checks, credit checks, education verification, drug screening, and reference checks. Develop an internal process that complies with employment and privacy legislation.
- Pre-screening all new employees is critical. According to Experian, about 60% of UK companies do background checks during recruitment. While most perform checks on executives, directors and managers, only half screen contract workers and one quarter screen volunteers.
- Pre-screening works with other anti-fraud controls (controlled access to information, job rotation, mandatory holidays, and physical safeguards such as secure disposal of paper documents) to set up the foundation for a safe and secure workplace.
- Risk assessments during the course of employment are important because most occupational fraudsters are first-time offenders. Only 5.2% of perpetrators in the ACFE report had been convicted of a fraud-related offence.
- Screen employees regularly in order to flag stressful life events (bankruptcy, divorce, etc.). Research has shown that these hardships are associated with fraudulent behaviour. Consider that the longer an employee is at an organisation, the more likely they have a higher level of authority – and more access to confidential information.
- Screen employees regularly to flag anyone who may have passed through pre-screening because their criminal and employment history is unclear. Since 40% of fraud cases in the ACFE study were never referred to the police, there may be no record of fraud-related conduct.
- Schedule ongoing security awareness training so employees are alert to fraudulent behaviours. Provide an anonymous tip line with incentives to report security issues.
- Use general fraud risk assessments and fraud audits to identify workplace vulnerabilities.
VETTING THIRD PARTIES
- In some cases, insider threats can come in the form of contractors, vendors, suppliers and partners that access sensitive corporate information. Implement a vetting process to make sure these companies comply with privacy laws and address data privacy. Reporting policies and mechanisms should extend to them too.