Background Checks - effectively ineffective(!)


Background Verification (a.k.a. BGV), or Background Checks, are carried out by employers in both the private and public sector. For a government department, and especially for Defence, Intelligence or Ministry-level positions, the check must be carried out with far greater rigor; that is not optional. If a highly in-depth, pervasive BGV is not done for such sensitive positions, it is an invitation for disaster.

However, there is a lot that comes with a regular BGV and a lot more that is desirable, so let's take a look at the practice. BTW, all security standards / frameworks, as well as HR manuals, uphold the virtues of BGV and have put it in the "mandatory" category.

Case in point - recently the Indian Govt came up with the brilliant idea of lateral hiring to fill senior administrative positions. This was withdrawn almost as soon as it was announced, citing reasons relating to reservations and caste considerations which had "not been considered" before the announcement was made.

Then of course the government hires a lot of cybersecurity professionals, for free or for a fee, to work in various departments like Cyber Police Stations, Forensic Labs, Intel agencies, NCIIPC, NTRO etc.

This sort of hiring happens at state and central level and can be via tenders or direct hires.

The question is whether the hiring is based on background verification.

I am sure every department will respond with an emphatic YES, but then I have a follow-up question which is bound to stump every one of them...

Do you do the BGV before or after the hiring is completed?

I mean, if you have finished the interviews etc. and have now decided to hire me - will you do the BGV at this stage and onboard me only after you get a clean report? OR will you do the BGV after I have been hired and onboarded?

If it is BGV-after-onboarding, and you get a report with some red flags, would you kick me out? Will there be any compensation?

Does your SOP have a provision for this?

OK, let's move on. What do you check in the BGV - name, address, Aadhaar, PAN, police verification / clearance - right?

What about my political affiliations, or whether I was part of any tukde-tukde gang in school/college? My social media profile, my rants and peeves for and against the government, against business / capitalism / authority, my religious leanings (how much of a bhakt I am - hardcore / soft-core / medium-core), my sexual mindset?

Will all this and more information be the basis for my security clearance and acceptance into the organization? If yes, then that's cool... but what about later?

Am I, the candidate, going to be under continuous scrutiny? And will my BGV be a dynamic document?

My affiliations may undergo changes as will my likes and dislikes.

What if I become a sympathizer, or I am "turned" by an enemy recruiter for love, lust or money? (There have been many who have been honeytrapped or bribed.)

How will you, or how can you, or how are you keeping track of this so as to catch my weakness early?

There are many cases which are cause for serious concern and must be studied in order to update one's own SOP / Policies / Procedures for hiring -

(1) The Pooja Khedkar IAS case in Pune, where the candidate had used the system to obtain fraudulent disability and caste certificates and got into the IAS cadre. Fortunately she was discovered and is now facing the wrath of the law. For whatever it is worth, the UPSC and the system governing the IAS cadre need to look inward and review their procedures to make them more trustworthy.

(2) A US company (KnowBe4) hired an IT worker who was later identified as a North Korean mole whose intent was to steal IP. (https://cyberscoop.com/cyber-firm-knowbe4-hired-a-fake-it-worker-from-north-korea/) Such a mistake becomes a threat / risk to national security if the candidate is hired into a government department, especially an intelligence department.

(3) Infosys seems to have tripped on their BGV and got a foreign agent of its own - in this case an agent of the PRC (China), not North Korea, per the US DOJ charge. (https://www.justice.gov/opa/pr/florida-telecommunications-and-information-technology-worker-charged-acting-agent-prc) A little searching on LinkedIn for Ping Li produced a profile that matches "worked for a huge telco, then worked for an international IT services company", and that profile shows Ping Li as a "Software Engineer at Infosys Ltd".

For any organization a BGV is essential, and one has to move away from legacy BG checking processes.

During my discussions with client HR managers it is commonplace for all of them to say that yes, BG checks are happening. But usually this is the "standard" practice which is taught in all HR Management classes. What is missing is the risk management and security assessment element.

This is especially critical for organizations which are engaged with government, directly or indirectly, as there is a risk to national security.

Organizations will usually carry out the BGV during the hiring process and then forget about it. The report becomes part of the employee's file and gathers dust. BUT what about a review of the BG report annually, or at least every two or three years, if not at a shorter interval?

Did you ever think of the need to do this? If not a BG check, then at least a psychometric analysis of the employee... both senior and junior.

Personal and professional factors are bound to influence any human, and this can bring about changes in behavior on the job.

In today's cyber age, additional threats like honeytrapping, "digital arrest" scams, stalking, hacking and blackmail are commonplace too, and everyone is at risk. HR teams should be sensitized by the CISO and should change their processes to ensure these risks are taken care of.

This can be done by way of training and awareness for employees (touching on the subject of threats in everyday life that lead to risky behavior in the workplace).

To sum up, run-of-the-mill BGV reports may soon be of no use, and in any case, even today, all they do is confirm that the documents submitted came from a valid source.

Some key changes that should be considered as improvement opportunities in the HR and Security Policies / Procedures for BGV are:

  • BGV should be carried out before hiring, or at the latest within the first week of onboarding, and this should be communicated to the candidates.
  • Social media analysis / profiling of the candidate.
  • Continuous monitoring of employees through psychometric tests etc., along with appraisals.
  • Regular empathy sessions to impart learning about the law and sensitization to present-day values (on the lines of "good touch, bad touch").
  • Grievance cells and/or Employee Assistance Programs should be set up, but staffed by non-company persons so that they are neutral in their disposition.
  • Security awareness sessions so that employees are equipped with the knowledge to recognize problems and potential violators.

However, as is obvious from the few examples quoted, document verification alone is not sufficient and there are cracks - huge cracks that are overlooked when the documents are suspect at the source itself, or when the sources are themselves open to manipulation.

Stay safe and question all that comes in.... pray :-)

#BGV #BackgroundChecks #Hiring #Risks

Dinesh Bareja,

CISA, CISM, IRCA-IA, ISMS-LA, ITIL etc

[email protected]

We can help assess and create friendly and practical solutions for your GRC needs.


Chaitanya Kunthe

Building High Performing Cybersecurity Teams | Cyber Insurance, Cyber Risk Quantification, AI Risk Management | Author - Monkey, Shakespeare, Typewriter |

5 months

Interesting. Would you then not hire someone based on political affiliations? Or would you fire them if their affiliations change over time? Does this impact the individual's ability to do their job with honesty and integrity? Does this impact the individual's privacy? Would be interesting to explore this line of thought further. Thanks for starting this conversation!
