Reducing Internal Theft: Pre-Employment Techniques

How good are your interview skills?
Written by Ben Chai (SecurityVibes.com)
Published on Thursday 18 June 2009

One of the biggest risks facing enterprises today is the insider threat, which, depending on whose statistics you are reading, accounts for anywhere from 60% to 80% of enterprise fraud schemes. In some cases, hackers, terrorist organisations and foreign governments place people throughout the whole employee strata of a company, whether as cleaners, administrators, security guards, computer staff or senior executives, in order to commit some level of internal theft. The theft could be anything from physical and toxic materials used to make weapons to identity and intellectual property theft.

So it is important that organisations today protect their enterprises beginning at the pre-employment stage.

To properly safeguard against malicious insiders, a stringent screening process needs to be in place, one that sets out specific, well-defined and comprehensive information security procedures for recruiting new individuals into your organisation. With today’s threat landscape we can no longer pay lip service to good screening techniques and rely on ‘gut feel’ in the selection process, especially when recruiting for security roles.

In a Security Vibes interview on common pre-employment mistakes companies make, Stuart Okin, a former security expert at Microsoft and now Managing Director of Comsec Consulting Ltd, a company that specialises in security consulting services, uses the acronym VITB to describe the mistakes made when deciding on potential candidates.

V=Vetting
A candidate’s CV reflects their reliability and credibility, so every section of the CV needs to be methodically validated to ensure that no component is fabricated. Some exaggeration may be acceptable, but outright fabrication, such as claiming grades the candidate never obtained, should be treated with suspicion.

I=Interview
Quite a few mistakes are made at the interview stage. The most common is that interviewers don't prepare. For example, interviewers may bring the candidate in, use gut feel to make up their minds within the first five or ten seconds as to whether this is the person they want to employ, and then spend the rest of the interview trying to validate that first impression. Lack of preparation also shows in other ways: interviewers don't read through the CV, don't look for potential issues they want to pick up on, and don't sit down with their peer group beforehand to agree which disciplines each of them will cover in the interview.

The recruitment process should include at least three interviews by three separate individuals in order to properly gauge the calibre of the candidate, looking at areas such as soft skills, technical skills and organisational skills.

T=Testing
Both manual tools (such as graphology tests) and computerised or automated tools (such as psychometric, integrity and reliability tests) should be used. For managerial and sensitive positions, an in-depth character assessment should be included: a full assessment comprising a comprehensive evaluation of all the parameters deemed necessary for a candidate’s success in the job. Although not a particularly “British” thing, some companies also believe that polygraph tests are more reliable than any other test.

However, a common problem with testing is over-reliance on the test results. As Okin said in the interview,

“A big mistake is that people rely completely on the testing.”

Tests are good indicators of character but are not always 100% accurate, and they can have the adverse effect of pigeonholing candidates.

B=Background Check
A candidate should be able to provide at least two character references from their previous employment. A company should also speak with previous employers who were not put forward by the candidate as references. Background checking is often overlooked because, in the UK, it is typically not done until the person already has an employment contract. At a time when hackers, terrorists and foreign governments are actively placing people within organisations for internal theft purposes, this is the one component that must be adhered to, preferably before the candidate begins employment.

Where possible, the background check should draw on as much available data as possible. As well as references, this data may include information found on the internet and information obtained through personal connections. This helps to protect against the scenario where a previous employer has asked a candidate to leave in return for a good reference.

Okin stresses over and over that the components of VITB should be taken as a whole, with no one element given more importance than any other. Each component should enhance and verify the others, and if something doesn’t quite add up, further investigation is required. Finally, he says: “If it looks too good to be true then it probably is.” Present company excepted, of course.

Contract and NDAs
Finally, once the candidate is recruited, it is important to ensure that the contract covers all aspects of security, including an NDA, and clearly sets out the grounds for breach of contract and the legal consequences of such a breach (such as immediate dismissal without severance pay). There is no technological means today that can compensate for internal breaches, so if your staff go bad from within you need to be able to take disciplinary action immediately.

It is imperative to ensure that the contract covers you against any malicious activity that could compromise your company.

References
Security Vibes Article: Polygraph Testing for Recruitment
Security Vibes Videocast: Stuart Okin on Reducing the Internal Threat
Security Vibes Podcast: Dean Jenkins - Zero Tolerance to the Internal Threat
Comsec Consulting
