Screening & Selection

Avoiding Inside Jobs

By screening current employees, organizations can prevent costly data and security breaches.

By Raj Ananthanpillai

In response to the data deluge, organizations are collecting and analyzing more sensitive, valuable, digital information than at any time in history. In fact, IDC predicts that the amount of data being generated will grow to a whopping 44 zettabytes by 2020. The good news is that this phenomenon is making companies smarter and more efficient. The bad news is that there is no shortage of unethical employees looking to access this sensitive information for personal gain. While many organizations take extensive measures to protect their IT networks from data breaches, they fail to devote the same amount of resources to protecting against threats that are just as dangerous: their employees, contractors, and supply chain participants.

Insider threats often pose the greatest risk to organizations whether it’s stealing sensitive data, exposing corporate secrets, or acting in a way that ruins corporate reputations. This type of behavior is making headlines. Recently, Morgan Stanley revealed that a former employee had stolen information about 350,000 of its wealthiest clients, much of which was posted online for resale. Insider threats plague nearly every industry, but particularly those that handle extremely sensitive information, including financial services, healthcare, and critical infrastructure. Even more troubling is the fact that 88 percent of IT professionals believe this risk will increase or remain steady over time, according to a recent study by Ponemon Institute. And it’s not just employees. Partners, suppliers, and third-party vendors pose similar risk. In fact, a recent Accenture survey found that 76 percent of companies believe supply chain risk management to be important or very important for their organization.

What’s At Stake?

Organizations have a responsibility to protect their personnel, their assets, and their reputations from an insider threat risk because the statistics reveal a challenge that’s only increasing:

  • Occupational fraud. The Association of Certified Fraud Examiners has found that organizations lose roughly 5 percent of their revenue to occupational fraud each year, potentially equaling $3.7 trillion in global losses. This could include anything from asset misappropriations to corruption and financial statement fraud.
  • Lawsuits. The average cost of a negligent retention lawsuit is $1 million, according to Human Resources Management, and the highest award to date is $26.5 million.
  • Workplace violence. Roughly 9 percent of all workplace deaths are due to homicide, according to a study by The Occupational Safety and Health Administration, FBI, and U.S. Bureau of Labor Statistics.

So how can companies spot a potentially risky employee before it’s too late? Most companies today screen employees one time before they are hired. Employees may have posed limited risk to a company prior to being hired, but factors such as poor performance reviews and stressful life events, like filing for bankruptcy or divorce, can change that in an instant. People are dynamic, and so are their motivations, which requires companies to perpetually evaluate risk factors as they evolve.

Today’s background checks are also limited in the data they evaluate, focusing mostly on criminal records and failing to incorporate financial records, human resources documentation, the internal files employees have been accessing, and/or suspicious online activity. Plus, crimes committed before someone is hired may not show up in public records data for months, reducing the accuracy and value of pre-hire background checks even further. It’s time for organizations to get proactive about managing insider threat risk by implementing continuous identity screening, which automates the process of monitoring changes in employee/contractor risk throughout an individual’s tenure.

Technology has matured to the point where this can be done easily and cost-effectively. Identity data from relevant sources can be automatically gathered and analyzed, alerting HR to potential risk. Rather than scanning one time (or on a regular schedule of every five years), these tools deliver sophisticated analytics that perpetually evaluate changes in risk in real time.

For instance, a truck driver receives a DUI charge. Many employers would not be aware of that until a regularly scheduled background screen, if at all. They would rely on that employee to self-report the charge. Continuous screening can immediately catch the new charge and send an alert to the organization, prompting the company to investigate and possibly take action.

By bringing together identity data from both external sources, like criminal and financial records, and internal sources, like network activity and personnel reviews, organizations can reduce the risk of insider and supply chain threats. They can also maintain compliance through a legally defensible audit trail designed to meet critical regulations such as FCRA, FTC, and EEOC.

Don’t settle for a risk assessment model that isn’t working. One-time, pre-hire background checks aren’t built for today’s environment. Traditional checks leave managers with outdated information that does not equip them to monitor risk over time, leaving their companies vulnerable to threats like fraud, IP and profit loss, workplace violence, and more.

It’s time to take a proactive approach: continuously scan employee data to spot and thwart any nefarious activity before it’s too late.

Raj Ananthanpillai is CEO of InfoZen.

Tags: April 2015
