Security Screening of Employees
Is it Really necessary?
Countering corporate espionage has much more to do with your business culture than bars in the windows, more firewalls, or checking the locks after hours. Given that espionage is mainly perpetrated by insiders, an effective security program hinges on your employees and their buy-in of the security culture.
A common myth is that security screening is an expensive and complicated process – this could not be further from the truth. Implementing a security screening program can be added to your policy and good management practices in a cost-effective manner. Depending on the size of your company, it is just an added step for the management of your human resources department, and may not require additional funding. Medium or large companies might consider assigning this responsibility to the Chief Security Officer, who also handles the renewal of Security Clearances with the government.
What is the value of a screening policy? Research has shown that 85-90% of all spy cases and major information leaks were done with the assistance (intentional or not) of an insider, a person that had legitimate access to the information. So if “the wolf is in the barn”, how do you protect the chickens?
FrontLine readers will recall the recent case of Canadian Navy Lieutenant Jeffrey Delisle – this trusted officer sold secrets to the Russians for more than three years before being caught. Another case involved Quing Quinton Huan, a Lloyd’s employee who tried to sell secret information to China about Canada’s frigate program.
In retrospect, it was very clear that red flags were up, but nobody took the time to connect the dots.
Money issues, career problems, big (or bruised) ego, and emotional distress, are some of the many “red flags” in these cases, so how – and why – had nobody noticed? Simple, because they weren’t looking!
So how do we go about protecting our organization better? Believe it or not, some lessons and best practices could be learned from the federal government. They have been in the business of security screening for a long, long time, and we can modify some of these lessons for the private sector with good results. Some general steps can be easily applied to private industry:
Get Management Onboard
“Easier said than done.” Not true again. Implementing a security program is always difficult if presented as an expense rather than a strategic investment. Demonstrate that you are contributing to the profitability of the company by showing how you add to the bottom line. Demonstrate the cost of losing intellectual property or trade secrets. Show potential savings through the implementation of appropriate (and not always costly) policy, practices and programs. Develop a solid “game plan” that shows the benefits and costs but also the savings from avoiding a crisis.
Engage HR from the Beginning
In Canada, over 3 million people have a criminal record, but it is important to remember that not all bad people have a criminal record and not all people with a criminal record are bad people.
An effective security program starts before the hire is completed. The best place to begin is in drafting the job posting – let potential candidates know that a criminal background check will be conducted, or that a satisfactory security clearance is mandatory for the winning applicant. By advising applicants ahead of time that a security background check will be conducted or requested, you can save yourself time and a potential problem. This does not waive the need to ask probing questions during the interview process.
Mistakes happen, as the saying goes, and the more serious mistakes, such as a Criminal Code conviction will require serious consideration. When you have full disclosure, it is up to you to decide if you still want to hire that person (at least you know who you are “going to bed” with). Someone who has something to hide can be subject to blackmail, so be proactive and request full disclosure. Surprisingly, the strongest push-back may come from your own HR people invoking human rights, privacy protection, and other arguments… they are wrong. Criminal convictions are public record.
If finally you decide to hire the person, make sure they sign a Confidentiality Agreement. Some might argue it is not worth the paper it is written on, but you are conveying your seriousness and, if an incident does happen, at least you had set the table for your legal team.
These measures will send a positive signal and your investors will recognize that you are serious about protecting their money. Suppliers and business partners will also take note, but ultimately, your employees will immediately understand that you take security – and their safety – seriously. By incorporating these simple conventions into your planning, you take the first steps towards the cardinal objective of building a solid security program and a better business culture.
Identify strategic sectors or employees
In any organization, not everyone needs the same level of access to sensitive information, nor do they need the same security clearance. Be wise about it. Conduct a serious Threat and Risk Assessment (TRA) based on simple principles: Threat To + Threat From = Vulnerability Assessment. How does it work? Simple. First you need to identify what is really crucial to your company (intellectual property, key individuals, corporate secrets, etc.). That is “Threat To”. Then, move on to identify who is, or could have, interest in those sensitive elements. Now you have “Threat From”. When you overlap the findings of both, you will get a solid perspective on your real vulnerabilities. Not only will that dissipate false perceptions, it gives you a chance to optimize your budget allocated for security by focusing on the real vulnerabilities rather than “perceived” threats. In addition, don’t forget that, just like in the government where you have confidential, secret and top secret levels, any organization can have different levels of access. This can be easily granted and managed with your IT manager, access control system, or employee awareness program.
Train all management levels & develop awareness program
All security specialists know that the weakest link in any security plan will always be the human factor. That said, those same people are the ones who will implement your security strategy, so you need to enlist your management and all employees by developing a good business culture. Develop reflexes. Train them to watch for “red flags” (without becoming paranoid) and to care about fellow employees. Concern for the personal well-being of all employees is part of a good management practice (beware of the difference between nosy and truly caring).
Proceed to regular review
In a human environment, the only constancy is change. Even with all the best protections in place, remember that a regime of regular re-verification throughout the career of each employee can save your company from being caught in the web of espionage. For example, you bring a young engineer in at 24, and by 29 he or she might have been married, had children, gotten divorced, and is now struggling to pay child support… or maybe they have developed a gambling habit… is having an affair… is burdened by health issues, or a severe accident in the family requiring hours of unexpected care… there are many, many scenarios that can lead to a compromising situation. The point is, your security program needs to have regular checks. The easiest way is to include that process in the annual performance review where you usually meet with your employee to discuss their situation and interest in the company.
Don’t forget the executives
Too often companies will neglect to conduct the same level of review or support with Directors and the C-suite. Several studies have demonstrated that breach of security incidents often come from executives – they may be travelling, working long hours, and susceptible to an invitation of an easier, faster way to make money. Problem is, with their often full access to the most sensitive data and information, they can cut corners and circumvent security protocols, unlocking the sensitive network in ways that may go undetected. Make sure they too are part of the regular reviews and awareness programs.
None of this has to be complicated or expensive – the KISS principal ("keep it simple, stupid") will always have a place in security. Awareness, good stewardship and effective leadership can direct the process towards appropriate security practices. And when applied, people will see the benefits and will buy-in. You will soon recognize changes in your organization’s business culture, and the implementation of your new security measures will be validated.
Michel Juneau-Katsuya, a 36-year veteran of CSIS and author of the book, Nest of Spies, is a well-known authority on espionage.
© FrontLine Security 2014