Canadian Security Magazine

News
Check, please!

In the scramble to quickly replace a departing employee, private sector firms may be letting their security standards slip and hiring someone they know nothing about.


January 14, 2008
By Neil Sutton
Neil Sutton

It’s a common scenario, says Dan Fallows, manager of pre-employment
screening at Garda. “The marketplace being what it is, there are jobs
out there that people want filled. They want a warm body in the desk.”

But the rush to fill vacant seats comes with a price: Sometimes large
corporations are not even doing the most cursory checks like calling
references, says Fallows, meaning that the only information you have to
confirm the identity of the person you just hired was supplied by the
person themselves.

A resume will provide information on education, job history,
achievements, perhaps hobbies. An interview will tell you how that
person presents themselves — how they dress, speak and respond to a
little pressure.

Many private sector firms will hire based on these criteria alone. But
what they may be getting is a black and white sketch when what they
really need is a full colour illustration.

Advertisment

“The main difference between (a public sector) environment and the
private sector is that the private sector is not subjected to good
security awareness on a day-to-day basis,” says Jim Bailey, principal
at Carleton Security Consultants, based Ottawa.

“It’s only after the fact that they realize, ”˜Geez, this guy isn’t who he said he is.’”

What’s missing from the private sector is the atmosphere of trust
that’s developed by putting in the research hours before a person is
hired, says Bailey, who worked in CSIS and the RCMP before starting his
own consulting company.

CSIS has perhaps the highest standard of integrity in background checks
through necessity. The organization requires its people to be exposed
to national secrets and information that could compromise national
security should it fall into the wrong hands.

Within CSIS there are three levels of clearance: confidential, secret
and top secret. CSIS performs these background checks for its own
personnel and for other government departments that require very high
levels of security like the Department of National Defence. The only
government body CSIS doesn’t work with is the RCMP; they manage all of
their background checks internally.

Depending on the level of clearance required, CSIS will conduct an
investigation on a potential government employee, says Manon Berube, a
spokesperson for CSIS.

“We conduct a field investigation and normally do a records check; we
do interviews of friends, neighbours, employers and sometimes with the
applicant,” she says.

The department will review its own databases to determine any links to
questionable organizations. If anything comes up, or if a criminal
record is evident, CSIS will contact the individual to gather more
information and allow them to explain themselves. Based on this
fact-finding mission, CSIS will make a determination as to the
trustworthiness of that individual and then make recommendations to the
department to which the job candidate is applying.

“It’s a culture of sensitivity, of awareness and protecting national
interests,” explains Bailey, who adds that if a person is granted
clearance by CSIS, you can be almost 100 per cent certain that they can
be trusted.

Security within government has become more heightened since 9-11, he
says, but overall the process hasn’t changed that much since the 1970s.
When interviewing a candidate you’re looking for anything that could be
construed as a weakness, such as a drinking problem, or anything that
could be exploited or blackmailed, like having an extra-marital affair.

Once a person is hired on, there are also ongoing checks and balances
in place to make sure that sensitive documents remain safe.

“It’s about integrity: mislaying a classified file isn’t necessarily
grounds for a firing, but if you mislay a file and do nothing about it,
or worse yet, attempt to cover up your mistake, that could land you in
the hot seat,” says Bailey.

“You’re not going to lose your job because (you lost the file), you’re
going to lose your job because your actions have shown you don’t have
the integrity that warrants security clearance.”

Obviously, not all private sector companies can be held to the same
standard as CSIS. The information they handle could impact customers,
shareholders and individuals who work in the company, but it’s not
about to start a war. The problem with some companies, though, is that
they lose sight of good security in the name of expediency, says
Fallows.

 “When it comes to different standards, I would say (the public sector)
would tend to be more on the in-depth side than a private sector
company would,” says Fallows, who adds that about 15 per cent of his
business is performing checks for provincial and federal government
bodies.

“That could include going further back in a person’s history. Instead
of the last two employers, you might be looking at every employer the
person has on their resume. Education-wise, instead of looking at
the highest level achieved, you might be looking at all post-secondary
education, accreditation, that kind of stuff.”

Making sure those checks are in place could prevent embarrassing exposure to your company down the road.

According to an article that was published recently by U.K. online new
service The Register, the Wikipedia Foundation, the company responsible
for the website of the same name, hired a convicted felon to manage
its accounts.

The organization’s chief operating officer Carolyn Bothwell had a
criminal record in three states when she was hired by the company,
including theft, petty larceny, DUI, and wounding her boyfriend by
shooting him in the chest. Bothwell left the company before Wikipedia
was even aware of her criminal background, according to sources that
were quoted in The Register.

Most of the time, situations like this never come to the public’s
attention, says Bailey. Private sector companies rarely press charges
against an employee who has committed accounting fraud or performed a
criminal act because they don’t want the negative publicity.

Bailey recognizes that the private sector can’t be held to the same
standard as CSIS, but all background checks should at least be
appropriate to the position being filled.

Within government, for example, a DUI conviction might not keep you out
of a job, provided it doesn’t require driving. But “if you’re convicted
of fraud, yeah, we’re probably not going to put you in charge of the
bankroll,” he says.

“It falls down to logic. All security does anyway.”

The private sector needs to foster a culture of better security, he
says, and follow a model more akin to the public sector in terms of
attitude, if not in terms of stringency.

For example, in high security government areas, there is someone
responsible for making sure there aren’t laptops or files left lying
around when an office is vacant.

“If you happen to leave something on your desk, you’re going to be
written up for it,” he says. “It doesn’t mean you’re going to fined a
$100 or chastised, but if you were to have security violations on a
regular basis, they’d be calling you in for a little refresher on
security awareness.”

Fallows says only the area of the private sector that is consistently
up to par on background checks is financial institutions. Where
companies really need to be careful is when they outsource work or
allow third parties to represent them, such as delivery companies or
home installers.

“One area that I’m really shocked by is the people that you let into
your home,” he says. “It’s surprising the amount of people that aren’t
doing checks for that.”


Print this page

Related



Leave a Reply

Your email address will not be published. Required fields are marked *

*