
White Paper

Employee Vetting
and Protection

SEPTEMBER 25, 2019

RED FIVE SECURITY, LLC

Red5Security.com
888-RED5-007
Employee Vetting and Protection
Red Five highly recommends that companies, including venture capitalist firms,
disruptor companies, and private family offices, take steps to properly vet and
assimilate their recruits and employees as the knowledge economy grows, but also
as such companies face growing security risks.

Individual employees can be an organization’s most valuable asset or their most
significant risk. The current economic conditions of wage growth and low unemployment,
mixed with ample employment opportunities, create an environment of ‘job hopping,’
according to a recent CNBC article.

We have outlined below several Red Five best practices companies should consider
implementing to ensure employees are properly recruited, vetted, hired, and retained. We
recognize that each company will have different challenges and needs; however, our best
practices will mitigate unnecessary corporate expenditures on the front end of the
employee life cycle and mitigate threats to the corporation on the back end.

Red Five also recognizes that when it comes to security there is no one size fits all
approach and we are prepared to tailor our best practices to your unique needs and
challenges.

Vetting Practices and Mitigating the Insider Risk

Companies often hire employees and third-party vendors from an array of backgrounds
who are given access to sensitive information, thus heightening the need for more
cognizant vetting practices.

The non-traditional workforce has exponentially grown in the last decade alongside the
booming gig economy, leaving companies at a higher risk of vetting oversights. EY’s 2014
Global Information Security Survey recorded 57 percent of respondents saying the most
likely source of a cyberattack was an employee, while 35 percent said it was a contractor.
It is important that an HR team establishes standards against which the candidate or
vendor will be measured, particularly for high-risk hires who may fall into the ‘job
hopping’ category and have access to sensitive information. It is absolutely critical that
employers create a specific hiring/vetting mechanism for strategic hires and more
specifically those that are at a high risk for poaching from competitors – putting
intellectual property, company finances, and PII at considerable risk.

Red Five Best Practices for Vetting

• Recommended vetting practices include reference checks, background checks, and
criminal checks.

• Companies should prepare specialized questions to assess trustworthiness of high-risk
internal hires and third-party vendors during interviews.

• Social media analysis is also an option though companies should be wary of inadvertent
discriminatory biases that arise on candidates’ profiles, and be aware of state
legislation that may limit such alerting.

• Partnering with a security company that understands the technology and search needs
will create a robust process/solution that helps protect a company’s most important
asset – its talent – from identifying a candidate to successful onboarding.

• In addition to understanding technology and search needs it is also important to
partner with a security company that understands the insider threat, recognizes unusual
behavior and suspicious activity and is capable of assessing your ongoing needs as your
business grows, threats evolve and the risk increases.

Onboarding and Corporate Assimilation Practices

A well-structured onboarding and corporate assimilation process should last well past a
new hire’s first few days, weeks, and even months, to improve both employee retention as
well as productivity, according to several studies.

New hires have a desire to be properly trained and familiarized with their new company’s
culture, values, and goals. Otherwise, they may perform poorly and decide to quit after a
short amount of time – or worse, create internal risk that they perpetuate by not
quitting. Replacing employees can cost as much as twice a person’s annual salary,
according to the Society for Human Resource Management. Numerous studies also found many
employees make a conscious decision on whether to stay with their company within the
first several months.

Red Five Best Practices for Onboarding

• The onboarding and corporate assimilation process is a team effort that involves human
resources, managers, and coworkers, according to several studies. It should also include
the security team – to ensure core security awareness and expectations are established.

• The most effective processes steadily introduce a new hire to the company’s culture,
norms, values, and goals, but also avoid immediately overwhelming new hires with
information. The process can also include periodic check-ins between the new hire and
their respective managers, which may taper off in frequency, but last throughout the new
hire’s first year.

• Other best practices include sending paperwork electronically and setting up office
space and equipment before the new hire’s first day.

• A company that partners with a thought leader security firm with experience in
personnel security can expect a reduction of risk when they build a holistic onboarding
process.

Protecting Your Most Critical Asset – Your Employees

The security culture of a company is an often-overlooked aspect of an assimilation
practice due to employers’ fears of scaring off the new employees.

One trend in Silicon Valley is that employees are now far more concerned about active
shooter events post-YouTube. The large technology employers are shifting their onboarding
and security awareness programs accordingly.

Figure 1: Biggest Influencers of Onboarding Efforts (bar chart, All Companies, N=192; bars
labeled 58%, 51%, and 39%; categories: Need to engage new hires in the company culture,
Need to improve new hire productivity, Need to reduce first-year turnover). Source:
Aberdeen Group, March 2014.

Security Briefing Practices

Companies should ensure that new employees receive an initial security briefing that
reflects current concerns and how those concerns affect the company.

Companies should inform employees of the steps they have taken to mitigate those concerns in order
to protect all employees. The company should also educate the employee on what they
individually need to do to protect themselves and their coworkers from those concerns.
Approximately 61 percent of cybercrime victims in 2016 were businesses with less than 1,000
employees, according to a 2017 Citibank white paper on family office cybersecurity.

A 2017 Campden Wealth study found that 66 percent of ultra-high net-worth families never
corrected or removed publicly available data relating to the company or business, yet 98
percent said reputation is important to their success. Similar to onboarding and corporate
assimilation practices, security briefings and cyber audits should take place periodically to both
refresh employees on existing information, but also introduce new practices that arise from
factors such as technology changes, more diverse threats, and relevant world events.

Similar to corporate assimilation practices, security-related practices should be a key
effort of the company as a whole, not just the IT or HR departments.

Companies should also disseminate security memos and carry out other relevant
training as needed for all levels of employees.

A strong effort should be made to be proactive rather than reactive. Tabletop
exercises provide a learning experience for employees, ultimately improving internal
practices.

Companies should consider providing opportunities for their employees to read and
be familiar with security-related plans, policies, and procedures.

Companies should also elicit from their employees their ideas, concerns, and
observations regarding physical and cyber security.

Companies should consider bringing in Subject Matter Experts to discuss workplace
violence, active shooters, sexual harassment, and other relevant topics.

Alerting Practices
Employers may face an increased financial or legal risk when they neglect to
continue to check for alerts about employees and third-party vendors post-hiring.

Financial problems, expiration of professional licenses, and criminal record updates are
common issues that pop up during re-screenings, and can become a financial and/or
legal issue for companies if proper monitoring practices are not in place.

• Companies should implement employee and third-party vendor alerting
practices in accordance with local, state, and federal laws. Information
collected on employees should be protected and compartmented so that only
those with a need-to-know have access to it and only for official purposes.

• Alerting has been shown to flag at-risk employees who may be experiencing
psychological or financial stress, creating a potential for a violent or otherwise
undesired incident that affects the employee, the company, and sometimes
shareholders.

• Companies should have a policy on information retention, reducing exposure
and potential for unintentional information leaks, or other breach of privacy.

• There are technology tools available today that will actively monitor
employees for arrests, convictions, traffic citations, bankruptcies, etc., for
those employees in high risk, critical positions (aircraft pilots, train operators,
financial advisors, account managers for family offices). Advanced
applications can also collect such data, and then automatically notify
employers of the information found.

• Companies can better fuse internal data from protocols such as badge logs,
physical and video sensors, and endpoint detection systems to better mitigate
the insider threat, according to a TruStar white paper.

Offboarding Practices
Companies also need to evaluate their offboarding processes--an often-overlooked
measure.

Many companies hardly consider their offboarding practice, and the individuals who
conduct a routine exit interview rarely analyze findings and feedback from the process to
ultimately improve their organization, according to a study done by cinfo, an international
cooperation network platform.

Companies put themselves at unnecessary risk when they neglect offboarding practices,
according to SilkRoad Technology (“SilkRoad”), a strategic onboarding company.

• Companies need to consider protecting physical property, and ensuring that security
systems, physical access, and data protection measures are properly updated as part of
any offboarding program.

• Approximately 72 percent of active shooter incidents have taken place at work settings
between 2014 and 2018. Some incidents are likely attributed to poor monitoring and
offboarding practices.

• Twenty-five percent of shooters involved in 2018 active shooter events were current
employees, and two non-employee shooters had grievances against businesses.

• Companies should consider having a qualified and experienced security firm review their
offboarding practices to ensure they are following industry best practice standards and
identify areas where they are in need of improvement.

Want to find out how to improve
your program?
Call Red Five. We can help.

For those companies looking to bring additional value to their employees; to better
protect their most expensive and unique talent; and to be aligned with employment best
practices to attract and retain the best talent – reach out and contact Red Five. We can
be your partner in this effort with our Employee Vetting and Protection (EVP) Program.

Red Five has decades of experience helping employees: be safe, protect their employers,
their corporate information, and brand. We bring hundreds of years of personnel security
experience to the private sector – straight from our experiences in the Intelligence
Community and Federal Law Enforcement – it’s time to do it right.

Let us help. 1-888-Red5-007
