Slashdot Mirror
Are Background Checks Necessary For IT Workers?
4foot10 writes "UBS PaineWebber learned a hard lesson after hiring an IT systems admin without conducting a background check. Now its ex-employee is slated to be sentenced for launching a 'logic bomb' in UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades."
IT people aren't necessarily any more or less likely to do bad things - but often the consequences of them doing a bad thing are a lot worse (or at least more widespread as in this case).
I've always been under the assumption that, given proper preparation and time, a high-level IT guy with good enough access could repeat everything that happened in the Enron scandal. As of now, most incidents I've heard of seem to be just one guy trying to nail a company that angered him, but it's only a matter of time before someone decides to milk a company for all it's worth (or maybe it's happened and I just haven't heard about it). Preventing that sort of thing would probably be a good idea, to say the least.
Besides, other positions require background checks. Why would IT be different?
No. I have enough insurances I have to pay for.
Obviously you have never worked in the Mortgage Business. It seems like the majority of the people in this business are in it to commit some kind of fraud. Whether that fraud will cost the company money is up another story. Still you have the Loan Originators lying on applications and changing data to push loans through, you have Branch Managers accepting first payments and cashing the checks in their offshore accounts, you have people "referring" loans to get around licensing requirements. So what risk does an IT person pose in this industry? Ever heard of Identity Theft? I personally have access to the social security numbers, bank account numbers, last know addresses etc of all of the borrowers on any loans passing through here. Now I'm not stealing this information but the Secret Service actually arrested some former employees here for an ID Theft Scheme. So yes, background checks plus a process of following up and actually being aware of what your employees is up to is very important.
A background check could filter out a lot of bad people.
From TFA:
"According to Dawn Cappelli, a senior member at Carnegie Mellon University's Computer Emergency Response Team, a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes. Some 18% were for violent offenses such as rape and manslaughter, 11% were for alcohol- and drug-related offenses, and another 11% were for theft."
Coupling background checks with secure systems gets the benefits of both.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I can't speak for HP India, but as an IT consultant who keeps Exchange running for a lot of large firms I can tell you that Exchange isn't as insecure as some of the FUD here would have you believe. By default, Domain Admins are EXPLICITLY DENIED rights to users mailboxes. If you grant yourself those rights, it will be logged. For that matter, even the Exchange Administrator account is set default deny when it comes to reading other people's emails.
I have a family relative who is a senior HR executive and you would not believe the stuff she sees. The vast majority of people lie with degrees and experience and many have criminal backgrounds. More than half plainly lie or use family members as references. People who were once criminals have trouble finding jobs and are very likely to keep applying until someone doesn't notice. They make up a very large majority of desperate applicants with false resumes.
She ends up firing quite often over this
http://saveie6.com/
Is there any evidence that there is a correlation between that and long-past criminal convictions that aren't closely related to the kind of damage they later do?
I do background checks for a living.
I wouldn't go as far to say that it's snake oil, but I definitely think it's oversold by so-called security types.
I think they are most useful in predicting some types of violent behavior. In my experience, an individual who gets charged and convicted with domestic violence in their 50s almost always has a dozen speeding tickets, a criminal trespass conviction and maybe a disorderly conduct charge for good measure. Background checks might be useful to predict this type of potential behavior.
On the other hand, people who commit murder or sexual offenses (whether it's in their 20s, 30s, 40s or 50s) won't even have a parking ticket in their name. I feel like they just snap one day. So in this regard, background checks are worthless.
Theft and burglury and related charges are 95% of the time committed by those under 25. It just doesn't come up later in life. Background checks can be misleading in this regard.
Background checks that go back 30 or 40 years are pretty expensive (as noted in the article) and unusual. If you did your crime in the 70s I'm guaranteed not to find it.
My biggest issue is that background checks are hugely dependent on our judicial system, which doesn't operate as "cleanly" as the credit rating system, but for some reason, is treated as if it did.
Money used in defense plays a huge role in things. An extra grand or two on a lawyer might very well be the difference between being offered a plea bargain to misdemeanor 1 Theft, and being offered a plea bargain to misdemeanor 4 unauthorized use of property with the prosecutor agreeing to expunge the case in a year. (Whereas the credit rating system keeps all the records out there, what keeps criminal records around in the judicial system might have very little to do with the crime perpetrated.
How the state legislature enacted laws plays a huge role, though one the security companies like to dismiss. For instance, my state of Ohio has probably the nation's most liberal marijuana possession laws--anything under 100g is a minor misdemeanor, maximum fine $100--and no public record.. In quite a lot of states the same posession is a high level misdemeanor with jail time and obviously, a public record.
Does that mean that two people who've been cited for marijuana possession (same quantity), one in a state like Ohio with no public record, and another in a state with a public record will be treated very differently by companies because of their records? Absolutely. But that neither strikes me as fair or particularly logical--after all, the companies nor the security firms really ever sit down and realize that they are dependent on the state for the information--and that different laws in different states cause different information outcomes. They just use whatever information they have against the job candidate.
Yes I have been denied jobs because my credit score wasn't high enough.
Ha-ha. You are also as likely to be denied a job if it is too good.
Happened to me the one of the few times when I was stupid enough to apply for a bank job. I run a very tight household - no debts besides mortgage (and even that on an accelerated repayment), no credit taken for anything else (my cars are always bought with a money transfer, same for furniture and everything else), no late payments ever, no missed payments ever. And guess what - I failed the credit portion of background check. It looked to non-standard for them and they decided that I probably have some clandestine hidden income to be able to do this (I learned that from an insider much later).
So at least some US banks actually like to see their employees comfortably deep in debt. Just in case so that they do not develop too much independence. Anyway, I have learned the lesson and stick to telecoms now where the background check is mostly limited to references.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Turns out we hired a guy who used a fake name and someone else's social security number, and he worked as one of our main sysadmins for over a year...
Hmm, so I would assume he picked a clean SSN and name, so a background check would have revealed???
There is a place that has 441 employees, and here is the breakdown of their past:
* 29 members have been accused of spousal abuse.
* 7 have been arrested for fraud.
* 19 have been accused of writing bad checks.
* 117 have bankrupted at least two businesses.
* 3 have been arrested for assault.
* 71 have credit reports so bad they can't qualify for a credit card.
* 14 have been arrested on drug-related charges.
* 8 have been arrested for shoplifting.
* 21 are current defendants in lawsuits.
* And in 1998 alone, 84 were stopped for drunk driving, but released after they claimed Congressional immunity.
Yes, thats congress.
Exchange tip: If you find you need to add yourself and permissions are not updating quickly enough, you can do the following:
1) Check to see which server the mailbox resides on and which DC that Exchange server thinks is it's primary, then connect to that domain controller and add your account there.
2) Run the Recipient Update Service - tell it to update changes made.
That should get you in without having to wait for replication or dropping the information store service (eeek.) Works in 2000 and 2003. Haven't tried it with 2007 but then I haven't played with 2007 yet.