Employee Vetting and Protection
Red5Security.com
888-RED5-007
Red Five highly recommends that companies, including venture capitalist firms,
disruptor companies, and private family offices, take steps to properly vet and
assimilate their recruits and employees, both because the knowledge economy is
growing and because such companies face growing security risks.
We have outlined below several Red Five best practices companies should consider
implementing to ensure employees are properly recruited, vetted, hired, and retained. We
recognize that each company will have different challenges and needs; however, our best
practices will mitigate unnecessary corporate expenditures on the front end of the
employee life cycle and mitigate threats to the corporation on the back end.
Vetting Practices and Mitigating the Insider Risk

Companies often hire employees and third-party vendors from an array of backgrounds who are given access to sensitive information, thus heightening the need for more cognizant vetting practices.

The non-traditional workforce has exponentially grown in the last decade alongside the booming gig economy, leaving companies at a higher risk of vetting oversights. EY’s 2014 Global Information Security Survey recorded 57 percent of respondents saying the most likely source of a cyberattack was an employee, while 35 percent said it was a contractor. It is important that an HR team establishes standards against which the candidate or vendor will be measured, particularly for high-risk hires who may fall into the ‘job hopping’ category and have access to sensitive information. It is absolutely critical that employers create a specific hiring/vetting mechanism for strategic hires and more specifically those that are at a high risk for poaching from competitors – putting intellectual property, company finances, and PII at considerable risk.

Red Five Best Practices for Vetting

• Recommended vetting practices include reference checks, background checks, and criminal checks.
• Companies should prepare specialized questions to assess trustworthiness of high-risk internal hires and third-party vendors during interviews.
• Social media analysis is also an option though companies should be wary of inadvertent discriminatory biases that arise on candidates’ profiles, and be aware of state legislation that may limit such alerting.
• Partnering with a security company that understands the technology and search needs will create a robust process/solution that helps protect a company’s most important asset – its talent – from identifying a candidate to successful onboarding.
• In addition to understanding technology and search needs it is also important to partner with a security company that understands the insider threat, recognizes unusual behavior and suspicious activity and is capable of assessing your ongoing needs as your business grows, threats evolve and the risk increases.

Onboarding and Corporate Assimilation Practices

A well-structured onboarding and corporate assimilation process should last well past a new hire’s first few days, weeks, and even months, to improve both employee retention as well as productivity, according to several studies.

New hires have a desire to be properly trained and familiarized with their new company’s culture, values, and goals. Otherwise, they may perform poorly and decide to quit after a short amount of time – or worse, create internal risk that they perpetuate by not quitting. Replacing employees can cost as much as twice a person’s annual salary, according to the Society for Human Resource Management. Numerous studies also found many employees make a conscious decision on whether to stay with their company within the first several months.
Protecting Your Most Critical Asset – Your Employees

The security culture of a company is an often-overlooked aspect of an assimilation practice due to employers’ fears of scaring off the new employees.

One trend in Silicon Valley is that employees are now far more concerned about active shooter events post-YouTube. The large technology employers are shifting their onboarding and security awareness programs accordingly.

Red Five Best Practices for Onboarding

• The onboarding and corporate assimilation process is a team effort that involves human resources, managers, and coworkers, according to several studies. It should also include the security team – to ensure core security awareness and expectations are established.
• The most effective processes steadily introduce a new hire to the company’s culture, norms, values, and goals, but also avoid immediately overwhelming new hires with information. The process can also include periodic check-ins between the new hire and their respective managers, which may taper off in frequency, but last throughout the new hire’s first year.
• Other best practices include sending paperwork electronically and setting up office space and equipment before the new hire’s first day.
• A company that partners with a thought leader security firm with experience in personnel security can expect a reduction of risk when they build a holistic onboarding process.

Figure 1: Biggest Influencers of Onboarding Efforts (All Companies, N=192; bar values shown: 58%, 51%, 39%). Categories: Need to engage new hires in the company culture; Need to improve new hire productivity; Need to reduce first-year turnover. Source: Aberdeen Group, March 2014.
Security Briefing Practices
Companies should ensure that new employees receive an initial security briefing that
reflects current concerns and how those concerns affect the company.
Companies should inform employees of the steps they have taken to mitigate those concerns in order
to protect all employees. The company should also educate the employee on what they
individually need to do to protect themselves and their coworkers from those concerns.
Approximately 61 percent of cybercrime victims in 2016 were businesses with fewer than 1,000
employees, according to a 2017 Citibank white paper on family office cybersecurity.
A 2017 Campden Wealth study found that 66 percent of ultra-high net-worth families never
corrected or removed publicly available data relating to the company or business, yet 98
percent said reputation is important to their success. As with onboarding and corporate
assimilation practices, security briefings and cyber audits should take place periodically both to
refresh employees on existing information and to introduce new practices that arise from
factors such as technology changes, more diverse threats, and relevant world events.
Companies should also disseminate security memos and carry out other relevant
training as needed for all levels of employees.
Companies should consider providing opportunities for their employees to read and
be familiar with security-related plans, policies, and procedures.
Companies should also elicit from their employees their ideas, concerns, and
observations regarding physical and cyber security.
Alerting Practices
Employers may face an increased financial or legal risk when they neglect to
continue to check for alerts about employees and third-party vendors post-hiring.
Financial problems, expiration of professional licenses, and criminal record updates are
common issues that pop up during re-screenings, and can become a financial and/or
legal issue for companies if proper monitoring practices are not in place.
• Alerting has been shown to flag at-risk employees who may be experiencing
psychological or financial stress, creating a potential for a violent or otherwise
undesired incident that affects the employee, the company, and sometimes
shareholders.
• There are technology tools available today that will actively monitor
employees in high-risk, critical positions (aircraft pilots, train operators,
financial advisors, account managers for family offices) for arrests,
convictions, traffic citations, bankruptcies, etc. Advanced
applications can also collect such data, and then automatically notify
employers of the information found.
• Companies can fuse internal data from protocols such as badge logs,
physical and video sensors, and endpoint detection systems to better mitigate
the insider threat, according to a TruStar white paper.
Offboarding Practices
Companies also need to evaluate their offboarding processes – an often-overlooked
measure.
Many companies hardly consider their offboarding practice, and the individuals who
conduct a routine exit interview rarely analyze findings and feedback from the process to
ultimately improve their organization, according to a study done by cinfo, an international
cooperation network platform.
Companies put themselves at unnecessary risk when they neglect offboarding practices,
according to SilkRoad Technology (“SilkRoad”), a strategic onboarding company.
Want to find out how to improve
your program?
Call Red Five. We can help.