Are people really your biggest cyber security risk?

by NZ Lawyer, 28 Oct 2015
Once the domain of IT, cyber-security has now cemented itself as an HR issue and it’s no surprise – in a recent survey, business professionals pointed to employees as the biggest potential risk.

Employee malice v. anti-malware 

The 2015 First Advantage survey saw a variety of professionals, including HR leaders and C-suite execs, share their thoughts on internal and external security threats. 

Surprisingly, some 60% said employee background screening is the most important security control that can be put in place to protect an organisation – ahead of firewalls and anti-malware programs.

“The survey in many ways confirmed that despite the technological sophistication so often associated with information theft and security issues, there’s a fundamental layer that relates to human resources and people management,” Mark Silver, First Advantage’s Chief Security Officer, said.

“It can be easy to focus heavily on IT solutions like firewalls and anti-malware, which are important, but there should be no mistaking the fact that data breaches also have a lot to do with people making either bad decisions or mistakes,” he added.

When asked about the importance of background screening of new employees in preventing security risks, 57% said it is “extremely important” and 98% agreed it was at least “somewhat important.”

Trojan horse hiding within

Re-screening was also high on the agenda – 35% said the process is “somewhat important,” 17% said it is “very important,” and 19% claimed it is “extremely important.”

Despite the high importance many professionals placed on the practice, it seems most are failing to follow through – a clear majority (61%) admitted re-screening is never done at their workplace. Just 13% of respondents said they re-screen annually, and 10% do so every other year.

“It is a concerning trend,” said Silver. “Many organisations take solace in the fact that they screen their employees prior to them being hired, yet they turn more of a blind eye when it comes to follow-up screening. They seem to inherently know they ought to do background check-ups on candidates, but the gap between knowing and doing can be significant.”

Silver insists that if organisations don’t perform periodic re-screening, they’re opening themselves to breaches, where confidential or sensitive information could soon find its way into the wrong hands.

“If an employer misses the fact that an employee has committed fraudulent acts subsequent to their appointment and is later compromised by that individual, they have a tough job in front of them in terms of explaining the circumstances to their stakeholders,” stressed Silver. “For example, having a known and convicted embezzler as a senior finance executive should send clear alarm bells to not only top management, but also the board.”

Overcoming obstacles 

Compliance is clearly an issue when it comes to re-screening, and employers are still trying to navigate their way through best practice and risk mitigation, but Silver says it is not an impossible task.

“One of the most significant, but not difficult, hurdles to overcome is the lack of an appropriate policy framework,” he said. “What do you do if you suddenly find a top executive has been smoking marijuana? Or using other substances? Or what if one of your drivers has been convicted of a DUI, and you are involved in a transportation business?” he asked.

“The lack of a policy that states what is and is not acceptable is vital to making re-screening a viable activity,” he explains. “Maybe it’s okay for your executives to smoke marijuana, but it’s not okay for your drivers to have multiple DUIs. When you decide what is okay and what is not, re-screening should not be a burden for organisations.”