Why background screening is vital for IT security

Which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? According to a recent survey, people are a main concern.

When asked about what security controls should be used to protect businesses from cyber threats, a survey of business professionals placed employee background screening at the top of the list, even above the use of anti-malware programs and physical security. The survey, from background screening firm First Advantage, polled a variety of professionals including human resources, risk management and C-suite executives about their attitudes toward internal and external security threats.

Sixty percent of respondents said employee background screening is the most important security control that can be put in place to protect organizations. Anti-malware was ranked second, favored by 53 percent. Physical security and physical access controls ranked third at 39 percent.

When asked about the importance of background screening of new employees in preventing security risks, 98 percent agreed that it was at least “somewhat important”. In fact, 57 percent said it is “extremely important” to do background checks.

Not only were background checks of new employees deemed essential, but the process of doing background checks periodically on existing employees also received high marks. Thirty-five percent said the process is “somewhat important,” 17 percent chose “very important” and 19 percent said that employee rescreening is “extremely important.”

Yet despite the priority that rescreening employee backgrounds seems to have, when asked how often employees are rescreened, a clear majority (61 percent) said that the practice is never done at their workplace. By comparison, just 13 percent of respondents rescreen annually. Ten percent do so every other year.

“The lack of ongoing, periodic background screening of existing employees that occurs is in stark contrast to its recognized importance by the same organizations,” said Mark Silver, CSO at First Advantage. “The fact is that an initial background check does not protect an organization in perpetuity. In order to better protect against potential insider-driven breaches, periodic rescreening should be done. Fortunately, technology now allows for groups of employees to be rescreened at once – for a fraction of the cost of the original background check.”

Other findings:

  • When asked to identify specific external security threats that are most concerning, respondents indicated that professional hackers (55 percent), former employees (35 percent) and phishing schemes (31 percent) topped the list.
  • Regarding the importance of background screening of vendors, respondents were less enthusiastic compared to the need for employee screening. However, 55 percent still noted that it is “extremely” or “very” important. Fifteen percent said that vendor screening is not important.
  • Most cite the hit to company reputation as the top impact of a confirmed cybersecurity incident, followed by costs from potential litigation and loss of customers.
  • Exposure of personally identifiable information (PII) was cited by 47 percent of respondents as the most at-risk assets, more than credit and payment data, authentication credentials, intellectual property or physical inventory.