How to Avoid Hiring Fraudsters6 Tips to Help Screen the Crooks Before You Give Them the Keys
- The CFO had lied about his experience and credential in the resume -- he was not a Certified Public Accountant as he had claimed;
- He had listed three business references -- one was dead; one did not exist; and when the last reference was called, he said, "Are you kidding me, I wouldn't hire that guy for anything."
"If this company had only done their due diligence, they would not have hired him -- it's a shame," says Springer. The ex-CFO is still missing.
This case exemplifies the risk of insider fraud, and it also serves as a cautionary tale: Be careful whom you hire. Better to catch the fraudsters before they get in the door than to chase them down after they've committed their crimes and run away.
Jose Granado, is the leader for Ernst & Young's information security practice for the Americas. He finds three common fraudulent behaviors specific to security professionals:
- Misusing access to retrieve company's critical information and/or to view restricted information like pornographic material;
- Engaging with co-employees on a side online business and deleting logs, activities and at times deliberately failing to monitor required systems;
- Overstating security credentials and experience.
"The common theme with security professionals committing fraud is exchange of some favor -- I'll help you with this if you give me access to [that]," Granado says.
According to a new report by the Association of Certified Fraud Examiners (ACFE), about 5 percent of an organization's revenue is lost annually to organizational fraud, mostly by employee theft. That translates into a potential total loss approaching $3 trillion a year.
"In today's day and age, organizations need to make sure they have their reputation protected by having a proper hiring procedure in place," says Springer. "People don't have 'fraud' written on their resumes, but hiring managers need to ensure they don't get embarrassed."
The risks to an organization caused by a bad hire in information security is huge, says Granado. For example, a password system can be in place to protect valuable information, but if the security professional divulges a password, the system is compromised, and the sensitive and confidential information that the password system should be protecting becomes vulnerable.
Among the warning signs to look for when hiring security professionals:
- Candidates who do not stay in a job over a year;
- Someone who is not interested in benefits, but instead just wants to get in. They may have malicious intent in terms of exploiting the system for critical data;
- One who does not provide accurate information on their current state of certifications including CISSP, CISM, GIAC;
- Lack of business references;
- Person is uncomfortable performing 'hands-on' tests and exercises to demonstrate skill;
- Someone who is listed and associated with underground hacker groups;
- Anyone experiencing financial problems.
"Hiring managers that hire a convicted felon or murderer have clearly not done their due diligence and are fully responsible for any reputational damage to the organization," says Springer.
6 Recruiting Tips
- Establish Sound Procedures for Hiring -- And let potential employees know up-front about background screening and drug testing. This will deter convicted felons from attempting to join the organization. Also, draw guidelines as to what you might find acceptable and not acceptable as far as hiring security employees is concerned. "Treat this process as a component of risk management," says Lee Kushner, president, L.J. Kushner and Associates, LLC, an executive search firm dedicated exclusively to the information security industry and its professionals. "There is a different level of anticipated trust within information security professionals because the nature of their work is to protect information and mitigate risk, and this calls for a higher level of scrutiny."
- Background Checks Must be Cost Effective -- Know what level of background screening to pursue for a certain level of candidate based on how sensitive the position is, as well as the information to which the potential candidate have access, says Granado. For example, when hiring a junior level security analyst, the company can resort to a less extensive check than for a senior position, i.e. the security manager or senior database administrator.
- Scrutinize the Candidate's Resume -- Look for discrepancies such as:
- Was the candidate with any other company that they didn't disclose? They may tell you that they worked in four companies, but what if a fifth organization fired them?
- Work tenure at each organization to ensure there are no overlaps;
- How long the candidate typically holds a position and get into details of their reason to leave a job;
- The candidate's academic and professional credentials;
- Do a 'Google' search and check online profiles on social media sites to find out more details about the candidate. Look for online activity and group associations, says Granado -- find out if they are connected with an underground hacker association, has the candidate ever developed a vulnerability, and where do they spend their time online?
- Verify the candidate's business references by calling each one listed, then get deeper into the candidate's behavior in your conversation.
- Look for Controversial Media Attention -- Especially within information security, one needs to ensure that a candidate has the integrity to handle the sensitive demands of the position and is not engaged in unnecessary public talk about technology, current employer, job details and functions that may put both employer and the employee at risk and cause reputational damage.
- Get Details on Financial Stability -- Find out if there are claims, judgments or bankruptcies filed against the candidate by running credit checks on them. Organizations need to check if any of their potential employees are having financial problems, and ask them up front: "How did you get into this financial hole?" Individuals experiencing financial difficulties are extremely vulnerable to committing fraud to meet an immediate, pressing financial need. According to the ACFE report, the most common red flags displayed by perpetrators in occupational fraud were employees living beyond financial means and/or experiencing financial difficulties.
- Ask for Work Demonstration -- It is extremely common for developers and security application programmers to copy source codes from the internet and present them in interviews as their own, says Granado. Organizations should ask potential candidates to demonstrate their programming and security skills during the interview.
Based on ACFE's recent report, high-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives are more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Also, executive-level frauds take much longer to detect.
Advanced checks include getting deeper into the candidates profile by hiring a private investigator and getting details on personal assets, personal relationships, FBI criminal files, nationwide wants and warrants, civil searches, affiliations with groups and associations, international contacts.
As part of all background screening, organizations should invest in finding out if the candidate sued former employers, business partners or lenders, and conversely were they sued by a former employer for mis-management, fraud, breach of contract or sexual harassment, says Springer.