Remember this: Edward Snowden Worked for a Third-Party Vendor. While it remains uncertain what exactly Mr. Snowden shared with other nations, we do know this: he wasn’t authorized to disclose classified information. Some may believe he is a hero, others believe he is a villain. It is clear, though, that his employer, consulting firm Booz Allen, is the recipient of unwanted publicity. The company is one of the more prominent government contractors supplying personnel to the intelligence community.
It is also clear that the third-party background investigation firm that vetted Mr. Snowden is under examination. Northern Virginia-based USIS, which advertises that it is “the leader in federal background investigations,” is on the hot seat. U.S. Senator Claire McCaskill (D-Mo.) said during a Senate hearing in June that USIS is “under active criminal investigation.”
The Senator also noted that there appears to be “systemic failure to adequately conduct investigations under its contract.” In a statement that should resonate with every company engaging with third-party background investigation services, Sen. McCaskill commented that this should serve as “a reminder that background investigations can have real consequences for our national security.” The problem extends to companies outside of the Washington Beltway and the defense and intelligence arena.
While it is unlikely that third-party employee behavior will rise to the level of policy violation exhibited by Mr. Snowden, it doesn’t have to in order to compromise information integrity, breach corporate governance and contracts, and violate regulatory requirements in the forms of identity theft, trade secret theft, brand hijacking, blackmail, and extortion. The background investigation doesn’t always work.
The annals of background investigation history are rich with examples of failed policy, procedures, and even strategies associated with understanding the truth about a candidate’s past. Criminals have passed background checks. There is a reason that top secret security clearances can take up to nearly two years to conduct and may cost several thousands of dollars, and sometimes much more, depending on a number of variables relative to each case. Of course, not every candidate needs this level of background investigation. But companies should examine the background investigation process used by third parties that have physical, logical, or administrative access to information.
It’s always good to conduct a more extensive background investigation on the basis of access. Sometimes organizations initiate background checks only on some candidates. One executive remarked that “we only conduct checks on positions with the title of vice president or above.” This can convey a false sense of security. While senior executives may have access to critical sensitive information, many lower-level positions come with a high level of access to this same information.
Here are ten background investigation considerations:
The accuracy and effectiveness of background investigations of third-party employees is one of the best defenses against a breach and its consequences. Knowing who has access to your data, and whether they are trustworthy, is a mandatory tenet of strong corporate governance.
MacDonnell Ulsch is the CEO and Chief Analyst at ZeroPoint. He advises a wide range of clients in the private and public sectors. He is the author of the book “THREAT! Managing Risk in a Hostile World” and is currently writing “CYBER THREAT! How to Control the Growing Risk of Cyber Attacks,” to be published in 2014 by John Wiley & Sons Inc.