"Understanding the details and facts about someone's identity when recruiting can support your efforts in managing insider threat," writes Jim Steven, head of data breach services at Experian Consumer Services in a recent blog post.
Unfortunately, employee data theft is a huge risk in the workplace today.
Two-thirds of respondents in the 2016 Experian/Ponemon paper, Managing Insider Risk through Training and Culture, said employees are the weakest link in a strong security posture. Over half (55%) blamed a malicious or negligent employee for at least one security incident.
The total cost of fraud in the 2016 ACFE Report to the Nations on Occupational Fraud and Abuse was more than $6.3 billion. The median loss for each company in the report was $150,000 with almost a quarter of victims incurring losses of $1 million or more.
Here is how different screening processes can help protect an organization against insider fraud and employee data breach incidents.
- Pre-screening a new employee can help identify applicants who may pose a threat to information assets. Pre-screening can include past employment verification, criminal background checks, credit checks, education verification, drug screening, and reference checks. Develop an internal process that complies with applicable laws and includes obtaining the applicant's consent. In the United States, for example, the Fair Credit Reporting Act regulates background checks on job applicants.
- Pre-screening all new employees is critical. According to Experian, about 60% of U.K. companies do background checks during recruitment. While most perform checks on executives, directors and managers, only half screen contract workers and one quarter screen volunteers.
- Pre-screening works together with other anti-fraud controls (controlled access to information, job rotation, mandatory vacations, and physical safeguards such as secure disposal of paper documents) to lay the foundation for a safe and secure workplace.
- Risk assessments during the course of employment are important because most occupational fraudsters are first-time offenders. Only 5.2% of perpetrators in the ACFE report had been convicted of a fraud-related offense.
- Screen employees regularly in order to flag stressful life events (bankruptcy, divorce, etc.). Research has shown that these hardships are associated with fraudulent behavior. Consider also that the longer an employee stays at an organization, the more likely they are to hold a higher level of authority – and to have more access to confidential information.
- Screen employees regularly to flag anyone who may have gotten through pre-screening because their criminal and employment history is unclear. Since 40% of fraud cases in the ACFE study were never referred to law enforcement, there may be no record of fraud-related conduct.
- Schedule ongoing security awareness training so employees are alert to fraudulent behaviors. Provide an anonymous tip line with incentives to report security issues.
- Use general fraud risk assessments and fraud audits to identify workplace vulnerabilities.
VETTING THIRD PARTIES
- In some cases, insider threats can come in the form of contractors, vendors, suppliers and partners that access sensitive corporate information. Implement a vetting process to make sure these companies comply with privacy laws and have data privacy controls in place. Reporting policies and mechanisms should extend to them too.