Are Background Checks Necessary For IT Workers?

4foot10 writes "UBS PaineWebber learned a hard lesson after hiring an IT systems admin without conducting a background check. Now its ex-employee is slated to be sentenced for launching a 'logic bomb' in UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades."

Just another advertisement

"What do you know about your own people?" asks Alan Paller, director of research at the SANS Institute, a security firm. ...nuff said.

Ask yourself this question

[Bryansix]

Would you like your email to be read by someone you don't even know? Well that is what could happen if you hire a SysAdmin and do not conduct a background check. I know that I would actually prefer if my name was run through a background check so that management can actually trust me instead of always wondering.

Re:Ask yourself this question

[paeanblack]

Employer-run background checks are not the way to go here. Just get your workers bonded for some amount of money commensurate with the damage they can cause. Bonding agencies have been around for centuries and have experience in this field that the typical firm's HR department does not.

Basically, you pay $smallnum, and if $guywithaccess does $badthing, you get paid $bignum to cover your expenses. Let someone guess the odds.

Re:Ask yourself this question

[Pancake+Bandit]

No. I have enough insurances I have to pay for.

Re:Ask yourself this question

[grcumb]

Would you like your email to be read by someone you don't even know? Well that is what could happen if you hire a SysAdmin and do not conduct a background check.

You're not making the argument for background checks; you're making the argument for secure systems that don't allow untrustworthy cowboys to peek at others' mail without supervision.

If someone could prove to me that background checks actually serve any other purpose than to cow potential employees, I'd be willing to consider that there might be some use for them. As things stand, I think they're a silly and - here's the important part - ineffective means of establishing security in business.

Invest some trust in your employees. Verify that the trust is deserved. Punish breaches of trust.

Re:Ask yourself this question

[AnotherBlackHat]

Would you like your email to be read by someone you don't even know? Well that is what could happen if you hire a SysAdmin and do not conduct a background check.

So if I run a background check, my email will be read by someone I do know?

-- Should you trust authority without question?

Re:Ask yourself this question

[couchslug]

A background check could filter out a lot of bad people.

From TFA:

"According to Dawn Cappelli, a senior member at Carnegie Mellon University's Computer Emergency Response Team, a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes. Some 18% were for violent offenses such as rape and manslaughter, 11% were for alcohol- and drug-related offenses, and another 11% were for theft."

Coupling background checks with secure systems gets the benefits of both.

Re:Ask yourself this question

[jwarnick]

I'm consulting for a 17,000 person multi-national firm. Most of the the internal infrastructure, including email, is outsourced to HP India. It is my experience that HP India is staffed by diploma mill graduates. These are the people reading your email.

Re:Ask yourself this question

[dave562]

I can't speak for HP India, but as an IT consultant who keeps Exchange running for a lot of large firms I can tell you that Exchange isn't as insecure as some of the FUD here would have you believe. By default, Domain Admins are EXPLICITLY DENIED rights to users mailboxes. If you grant yourself those rights, it will be logged. For that matter, even the Exchange Administrator account is set default deny when it comes to reading other people's emails.

Re: Ask yourself this question

[gidds]

Those figures mean absolutely nothing without corresponding figures from good employees.

If exactly 0% of good employees have arrest records, then an arrest record would be a pretty good indicator of malicious intent; while it wouldn't allow you to catch the other 70% of baddies, it would give you pretty conclusive evidence against that 30%.

If, on the other hand, the records for good employees were the same (which I suspect is closer to the truth), then an arrest record (or lack of one) would tell you absolutely nothing about an employee's trustworthiness.

And if the records for good employees were generally higher than for bad ones, then an arrest record would be an indicator in FAVOUR of hiring, not against!

So, worrying as those numbers might sound, they're utterly meaningless here without some context and background!

Re: Ask yourself this question

[timmarhy]

bullshit, it doesn't filter out "bad people" it only shows the ones that have been caught. you coudl still be placing your trust in a person guilty of the worst crimes.

Re:Ask yourself this question

[LainTouko]

a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records

Hang on. You're a bad person if you've been arrested? Doesn't matter whether you were actually guilty of anything?

Re:Ask yourself this question

[paeanblack]

Hang on. You're a bad person if you've been arrested? Doesn't matter whether you were actually guilty of anything?

OmniMedia's shares dropped 50% when Martha Stewart was arrested. Nothing changed when she was convicted. This is typical market behavior. Even if she were acquitted, the damage was already done.

The arrest is worse than the conviction. Guilty or not, you are still a risk to the company. That's reality.

Re:Ask yourself this question

[daeg]

The amounts of money required to cover some disasters are astronomical, and even then, money alone cannot solve the damage.

If one of your system admins, say, sells a database of 2 million social security numbers, how much is that worth?

Ideally, it would a be a mix of the two systems. Some positions do require security and background checks. Bond them, too -- the security check should lower the cost to bond them (and in a high-bond instance, the bonding company would likely do their own background check anyway).

Re:Ask yourself this question

[glrotate]

Hang on. You're a bad person if you've been arrested? Doesn't matter whether you were actually guilty of anything? Probably. There's enough crime out there that cops generally don't waste their time arresting innocent people.

Re: Ask yourself this question

[Billly+Gates]

Yes I have been denied jobs because my credit score wasn't high enough.

I always pay my bills on time but I rarely use credit cards and was a college student until recently so I didn;t spend much. Now employers think I am irresponsible with money or I am more likely to steal because thats what people without perfect scores do bla bla bla.

By law they have to tell you they are doing a credit check. But its a common practice and most employers will refuse to hire unless you agree to undergo one. Yes they have the power to see what your spending habits are as well.

Re:Ask yourself this question

[MaxQuordlepleen]

Don't fish around like that on the production system. Do it in your test lab with the backups...

Re:Ask yourself this question

[toadlife]

What the last poster said.

To expand a bit, it's about privilege separation and auditing. Windows, and every other network OS supports it in some form or another.

With Windows and Exchange, the reset of a password or the change of an ACL on a users mailbox can be set up to trigger an audit event in the security portion of the event log. The exchange administrator can be denied the right to clear (or even view) the security event logs and/or the event logs can be piped out to an external server that only a third party can access. The clearing of the security even log on a system adds an event that says "so and so cleared the event log".

In the past I've enable auditing on policy changes on our Windows DCs - not because someone was hacking - but because someone in the department was changing GPOs without first discussing it with others and causing problems.

Of course, with enough access, someone who is sufficiently bright could probably get around such measures with kernel hacking/root kitting, but if someone has enough access to do those things then, proper privilege separation isn't being practiced in the first place.

Re:Ask yourself this question

[Sj0]

How many people, at what cost per hour, for how many hours, will you use to do the background check? What agencies or companies will require what fees for information? How long will you have to wait for the check to be completed, and how will the vacancy you're trying to fill affect your bottom line during the duration of the check?

That's your cost for option A.

How much is the bonding service?

That's your cost for option B.

Whether you like it or not, you're paying for insurance either way. The question is which cost is greater, and which provides the greater effective insurance.

Re: Ask yourself this question

[arivanov]

Yes I have been denied jobs because my credit score wasn't high enough.

Ha-ha. You are also as likely to be denied a job if it is too good.

Happened to me the one of the few times when I was stupid enough to apply for a bank job. I run a very tight household - no debts besides mortgage (and even that on an accelerated repayment), no credit taken for anything else (my cars are always bought with a money transfer, same for furniture and everything else), no late payments ever, no missed payments ever. And guess what - I failed the credit portion of background check. It looked to non-standard for them and they decided that I probably have some clandestine hidden income to be able to do this (I learned that from an insider much later).

So at least some US banks actually like to see their employees comfortably deep in debt. Just in case so that they do not develop too much independence. Anyway, I have learned the lesson and stick to telecoms now where the background check is mostly limited to references.

Re:Ask yourself this question

[umghhh]

there exists a cheaper solution - outsource the IT dep to China.
Chances are that chinese legal system i.e. firing squads will deal with the problem more appropriately. Even if not then at least you saved something. At the very least the idea should bring some bonus to the person that proposed it.

Re: Ask yourself this question

[QMO]

...geeks tend toward a highly nonconformist mindset and "know their rights" from a young age...

I know this is a common stereotype around /., but I wondered if you have any evidence of this.

Of course, I realize this depends on the extremely subjective definitions of "geek" and "nonconformist."

Re:Ask yourself this question

[Jesus_666]

Although I would be interested to see the coding-equivalent of engrish :)

// Saying it is great, together.
// Warned: Danger when fifty more than size is present!
int great_operation_of_high_addition_talk(int incrementor_number, int adder_number)
{
// Memorizer of the chestnut is great reservation
char * holder = malloc(sizeof(char) * 50); int addition_chestnut = 1;

// Let's increment by the great opportunity of addition!
do
{
adder_number += addition_chestnut;
incrementor_number -= addition_chestnut;
} until(!(addition_chestnut - 1 !=
incrementor_number)) // it is done

// Adding we are finish, it is enjoyed to write the figure
sprintf(holder "%50d", adder_number);

// The saying, it is
printf("%50s\n\l", holder);

free(holder); // given freedom for holding entity, it lessens the space taken
}

Re: Ask yourself this question

[mutterc]

My employer, a routing software company, just got bought by a chip company.

The forms I currently have to fill out (as a "new employee") require authorizing a credit check. You never know what a kernel developer with bad credit will do, I guess.

Credit checks bother me even more than the more-invasive checks (arrest (not conviction) records, medical history, etc.) because of the downward-spiral potential. When substantially all employers are using them (which of course will happen soon enough), if you get bad credit, you won't be able to get a job.

With bad credit, things cost more, and now your job prospects are limited. Good luck climbing out of the debt.

It's just one of those things that seems to make good sense for every individual employer (like another pet peeve of mine, not training people but expecting them to arrive fully-experienced), but when everyone does it, has significant negative societal impact.

Re:Ask yourself this question

[Eristone]

The problem with just adding yourself temporarily to the permissions when the support request comes in is that you seem to also have to either wait a couple of hours for the mailbox to allow the access, or restart the Information Store on the server (which disconnects all the clients from the server).

Exchange tip: If you find you need to add yourself and permissions are not updating quickly enough, you can do the following:

1) Check to see which server the mailbox resides on and which DC that Exchange server thinks is it's primary, then connect to that domain controller and add your account there.

2) Run the Recipient Update Service - tell it to update changes made.

That should get you in without having to wait for replication or dropping the information store service (eeek.) Works in 2000 and 2003. Haven't tried it with 2007 but then I haven't played with 2007 yet.

Of course not!

[susano_otter]

Background checks are a blatant violation of our right to privacy!

Our entire civilization will be replaced by a fascist tyranny the moment we allow background checks to happen!

No guarantee

[homer_ca]

"a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes."

That means a background check won't catch 70% of the malicious insiders. This article is meaningless without info about the rates of attacks from insiders who would've passed or failed background checks. It's a reasonable hypothesis to say that IT workers with criminal records are more likely to launch insider attacks, but there's no scientific evidence of it in this article. It's all fluff based on one person's case.

Re:No guarantee

[DragonWriter]

More importantly, it doesn't tell you if the 30% of "insiders" who launch attacks that have arrest records is greater or less than the proportion of people in similar positions that have arrest records to start with, and therefore if people with arrest records in are even more dangerous than others.

Re:No guarantee

[GigsVT]

That logic is flawed.

Same logic: Per capita, more black people commit crimes than white people, therefore, black people are more dangerous to hire.

Re:No guarantee

Where's the flaw part?

Re:No guarantee

[ObsessiveMathsFreak]

Where's the flaw part?

An obvious troll,(modded up why...?) but I'll bite. Let's look at the GPs statement again.

That logic is flawed.

Same logic: Per capita, more black people commit crimes than white people, therefore, black people are more dangerous to hire.

Where's the flaw part?

This is an obvious fallacy based on what I like to call "The Tyranny of the Random Mean". Like most statistics, the GPs statement is valid, when based on a certain "population". In this case, the entire population of black people, in I presume the USA. And certainly it would be true that, on average, on average, if you selected at random 100 black people from the entire black population in the US, and the same for 100 white people, then the total sum of criminal convictions would probably be higher for the former group. Please note the italised and emboldened words in the above. They are very, very important.

Now, you're conducting a job interview, where the interviewees' skin colours vary. You are concerned about security and you have the above statistic in front of you. The sad fact of life is, most people will read the above and conclude that security-wise, a white person is a safer bet. They weren't. Or that is to say, the above statistic is of no use in telling you whether they are or not. Here's why.

Firstly, statistics is based largely on the fact that when the number of samples from the population is large, say ~100, then general population statistics are applicable. If the sample is, say, one or two, population statistics is of little to no use.

Secondly, and more importantly, your sample is no longer random. N.B. N.B. N.B. !!!!

I'll say that again, in case you missed it.

Your sample is no longer random .

The entire premise of statistics is that you randomly select individuals from the population. Statisticians stay up at night worrying themselves over how to do this, and are even more obsessive about their random number quality that a /dev/urandom geek. If your selection from the population is not random, then the statistics will be totally misleading.

You're at a job interview for a specific IT position, yet you want to use a population wide statistic for the entire population in this situation. You're basically assumming that all; qualified, black, geeks, applying for a job at your company, in your town, at this time, is a valid random selection from the entire black population of the United States. Congradulations. You just failed Data Analysis 101.

If you want to actually apply a statistic validly, again, you need to have a random sample, from the right population. In a job interview, you're never going to have a random sample. It may or may not be quasi random, but even it if was, you'd need a statistic for all contemporary, qualified, black, geeks, probably in your region. If you had that, then you might be justified in applying a statistic, but in reality, with such a small sample size (likely just one guy), the noise would be so high you're just wsting your time.

Instead of trolling for pretty useless statistics and data, companies should just hire based on merit. Take candidates, look them up and down, decide if they personally are the best person for the job. "Normal" is a statistic. Human beings are not homogeneous, they are all different, they all have strengths and weaknesses. If you base your hiring practicies on the averages, then you'll end up with average employees. Mediocre, jacks of all trades who are neither excellent or terrible at anything. And your company too will be as average as they come.

Backgroud checks are needed for some IT workers

But for this case, they had bigger problems.

No organization that large should technolgically empower a single person to be able to do that much damage without some sort of review process that would have caught the problem.

Did his changes get reviewed by his peers?

Did they go through some sort of QA process?

While it's a bit scary that they hired a criminal, that's hard to avoid in any large organization.

What's really *really* scary is that their internal processes let him do that much damage. I'd be worried if I were their customer.

Re:Backgroud checks are needed for some IT workers

[teal_]

While it's a bit scary that they hired a criminal

That's not fair. This person has presumably been punished for their crime(s) and paid their debt to society, it's unfair to blacklist him for the rest of his life.

Don't see the point...

[DragonWriter]

Sure, he had a criminal record with offenses 20 to nearly 40 years prior to the time he was hired. I don't see that that's a real indication that he is likely to lauch a "logic bomb".

I've certainly heard plenty of stories about disgruntled IT workers in sensitive positions doing things like that—usually a criminal history isn't mentioned. Is there any evidence that there is a correlation between that and long-past criminal convictions that aren't closely related to the kind of damage they later do?

Or is this just a case of "Ooh, something bad happened, lets look for something about the person that might explain it, and then assume that this proves the general utility of background checks"?

Re:Don't see the point...

[mikelieman]

psst. There's an entire industry built around pre-employment background checks and screenings.

Anything for a buck...

Re:Don't see the point...

[JimBobJoe]

Is there any evidence that there is a correlation between that and long-past criminal convictions that aren't closely related to the kind of damage they later do?

I do background checks for a living.

I wouldn't go as far to say that it's snake oil, but I definitely think it's oversold by so-called security types.

I think they are most useful in predicting some types of violent behavior. In my experience, an individual who gets charged and convicted with domestic violence in their 50s almost always has a dozen speeding tickets, a criminal trespass conviction and maybe a disorderly conduct charge for good measure. Background checks might be useful to predict this type of potential behavior.

On the other hand, people who commit murder or sexual offenses (whether it's in their 20s, 30s, 40s or 50s) won't even have a parking ticket in their name. I feel like they just snap one day. So in this regard, background checks are worthless.

Theft and burglury and related charges are 95% of the time committed by those under 25. It just doesn't come up later in life. Background checks can be misleading in this regard.

Background checks that go back 30 or 40 years are pretty expensive (as noted in the article) and unusual. If you did your crime in the 70s I'm guaranteed not to find it.

My biggest issue is that background checks are hugely dependent on our judicial system, which doesn't operate as "cleanly" as the credit rating system, but for some reason, is treated as if it did.

Money used in defense plays a huge role in things. An extra grand or two on a lawyer might very well be the difference between being offered a plea bargain to misdemeanor 1 Theft, and being offered a plea bargain to misdemeanor 4 unauthorized use of property with the prosecutor agreeing to expunge the case in a year. (Whereas the credit rating system keeps all the records out there, what keeps criminal records around in the judicial system might have very little to do with the crime perpetrated.

How the state legislature enacted laws plays a huge role, though one the security companies like to dismiss. For instance, my state of Ohio has probably the nation's most liberal marijuana possession laws--anything under 100g is a minor misdemeanor, maximum fine $100--and no public record.. In quite a lot of states the same posession is a high level misdemeanor with jail time and obviously, a public record.

Does that mean that two people who've been cited for marijuana possession (same quantity), one in a state like Ohio with no public record, and another in a state with a public record will be treated very differently by companies because of their records? Absolutely. But that neither strikes me as fair or particularly logical--after all, the companies nor the security firms really ever sit down and realize that they are dependent on the state for the information--and that different laws in different states cause different information outcomes. They just use whatever information they have against the job candidate.

Re:Only as much as every other position...

[susano_otter]

It's not that IT employees are more likely to do bad things than other people; but rather that IT employees are often in a position not only to do more harm when they go bad, but also cover it up better.

You don't need background checks for everybody, just for those employees in a position of significant responsibility and authority.

Re:Only as much as every other position...

[karlto]

IT people aren't necessarily any more or less likely to do bad things - but often the consequences of them doing a bad thing are a lot worse (or at least more widespread as in this case).

I have not been caught yet ..

[RubberDuckie]

The only thing a background check really proves is that a person has not been caught at anything yet. It's the ones that get away with nefarious actions that you really have to worry about (Note, I'm not one of those nefarious people, though I'm sure someone will bring that up).

Re:I have not been caught yet ..

[silentounce]

Exactly, why would I want to hire someone incompetent enough to get caught committing a crime? I want the smart ones, the innovators, the ones that don't get caught.
But seriously, I work in recruitment for a very large organization and we background check ALL of our new employees. We fingerprint quite a few too, but that's due to specific legislation.

What was the cause?

[AK+Marc]

Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer [... who] spent about $3.1 million to assess the damages and restore the computer systems, [... and] haven't reported how much was lost in business downtime.

In retrospect, it appears that the entire event, as well as the financial damages and the hit to the company's reputation, could've been avoided if UBS PaineWebber, a giant in the financial community, had done a background check on Duronio when he had been hired.

And I see the problem as being caused by a lack of bonuses in IT. Prevent logic bombs, give your IT workers large bonuses!

(I'm talking to you, boss)

CEOs and CFOs far more of a risk

[WillAffleckUW]

If you look at where firms lose the most money, and the risk factors, it's the lack of realistic background checks and clawback contracts for CEOs and CFOs that puts a company at risk, then the accounting staff, then sales and shipping staff, and way down you have IT staff.

Let's get real.

It's a necessary evil

[VorpalEdge]

I've always been under the assumption that, given proper preparation and time, a high-level IT guy with good enough access could repeat everything that happened in the Enron scandal. As of now, most incidents I've heard of seem to be just one guy trying to nail a company that angered him, but it's only a matter of time before someone decides to milk a company for all it's worth (or maybe it's happened and I just haven't heard about it). Preventing that sort of thing would probably be a good idea, to say the least.

Besides, other positions require background checks. Why would IT be different?

Been there, done that

[k4]

Yes, of course admins with the ability to wreak major havoc at an organization should have to undergo background checks. Several years ago I worked at a Fortune 500 company, and there were no background checks done at all for IT staff. Turns out we hired a guy who used a fake name and someone else's social security number, and he worked as one of our main sysadmins for over a year, with privileges on probably 100 servers and full privileges on the email servers, before he was caught. I thought background checks were a waste of time until that...scared me half to death because no one had any idea what he'd done in all that time, and worse, no idea who he actually was.

Re:Been there, done that

[hackstraw]

Turns out we hired a guy who used a fake name and someone else's social security number, and he worked as one of our main sysadmins for over a year...

Hmm, so I would assume he picked a clean SSN and name, so a background check would have revealed???

There is a place that has 441 employees, and here is the breakdown of their past:

* 29 members have been accused of spousal abuse.
* 7 have been arrested for fraud.
* 19 have been accused of writing bad checks.
* 117 have bankrupted at least two businesses.
* 3 have been arrested for assault.
* 71 have credit reports so bad they can't qualify for a credit card.
* 14 have been arrested on drug-related charges.
* 8 have been arrested for shoplifting.
* 21 are current defendants in lawsuits.

* And in 1998 alone, 84 were stopped for drunk driving, but released after they claimed Congressional immunity.

Yes, thats congress.

First Offence??

[number17]

How would this ever prevent a first offense??

Background Checks and Credit Checks for IT

[michael.j.jarvis]

This is something that has affected me in the past year, while trying to get a job in the industry. I can completely understand background and credit checks, but at the same time, many perspective employers do not even give me a chance to explain myself, or the reason things came up. Granted, I'm only 24, and people see me as some damn kid who wants to show off to his friends, but that is completely opposite of what I'm there to do. I can understand that perspective employers see several arrests as a juvenile, and I'm instantaneously blacklisted. My credit has gone to shit too, especially after a messy divorce that has drug on for way too long.
Ok, so I know I'm going to get modded down on this, but it's something that is really never spoken about. True, it can affect the job search for many of us, but I support having background checks, on the condition that we the person being investigated be offered a chance to explain ourselves, and to not become prospective employee investigation # 54283. /end rant

Re:Background Checks and Credit Checks for IT

[mythosaz]

I hate to burst your bubble, but here's the reality. You, at 24, probably have a similar knowledgebase and skillset as other applicants for my positions. Since I run a background and credit check against my future employees, I get to pick between someone with the same skills as you and a "clean" record, or you with bad credit, a divorce and and a criminal record. Guess who I'm hiring.

Unfair? No. You're not the sort of person I want working for me. You don't have a stable family life. As such you're more likely to quit/move and give shorter notice when you do. You have bad credit. You haven't demonstrated (regardless of good or bad reasons) to large financial institutions that you're worth loaning money to. I'm less likely to want to give you access to mine. Finally, you're a criminal. Sure, you were a criminal when you were a kid, but, on paper, you're more likely to be a criminal in the future, and that's nothing my company wants anything to do with.

On the other hand, if you've got a great resume, and you stand out, and it's not a tiebreak, we might overlook SOME of those problems.

I sympathize. I have a divorce. Until recently I had bad credit. I got in trouble as a young adult and have a misdemeanor record (reduced felony). I know if I didn't have the skills I do in my special niche of the IT world, I'd be passed over in favor of others. Thems the breaks. It's the price I pay for the mistakes in my youth.

Re:Background Checks and Credit Checks for IT

[michael.j.jarvis]

Yes, I can understand the whole not wanting to hire me because of things in my past. The thing is, is that as I get older, things will start to work out for me. I've settled down quite a bit, and I do have much more stability in my life now than I did two years ago. I learned that in 6 years in IT, nothing comes fast. I don't expect to be a Senior Sys Admin when I'm 26. Maybe when I'm 36 or so, but not now. I'm in a great job as a Jr Level AD/Exchange Admin. I'm happy, I'm learning more each and every day than I did in the year I was in college, and I'm obviously more experienced than most Assoc. in CS degrees coming from the ________ Technical College. I totally understand the need for background. I tried for NACLAC/Secret Clearance back in 2001. Didn't get it then. Tried again this year for a contract job, and I got it. Of course, I had a chance to explain my past in the interview with the investigator. All I'm saying, is give someone a chance to explain themselves if black marks come up. Someone took time with me, and I'm wicked happy they did, or else I'd be in telemarketing.

This is funny

[RelliK]

It seems that the croud here decries criminal background checks as useless or even counter-productive. And yet this is the same croud that villifies Diebold for hiring criminals. Go figure...

Re:This is funny

[Introspective]

It seems that the croud here decries criminal background checks as useless or even counter-productive. And yet this is the same croud that villifies Diebold for hiring criminals. Not really. Some of this crowd decries criminal background checks, and some of this crowd villifies Diebold for hiring criminals.

You're underestimating just how huge this crowd is.

Re:This is funny

[jesdynf]

Hey, everybody, help me out here -- is there a specific logical fallacy that covers this, or do we need to make a new one?

If we do, then I'm going to formally recommend we entitle the fallacy of assuming one snapshot of a vocal fragment of a pseudoanonymous userbase represents the beliefs of every such member, and can be compared to other such snapshots without limit, the "Damn You, User #4466" logical fallacy.

So, back to you, RelliK. You say that Slashdot lambasted Diebold for hiring criminals, then lambasted the article for daring to suggest that background checks were a good idea? That Slashdot is unbalanced, hypocritical, and biased?

Damn you, user #4466!

Re:This is funny

[Sj0]

Make up your mind, Anonymous Coward, is Bush the heroic liberator who brought us into our mighty victory of morality and justice and law in Iraq and in so doing struck a blow against terrorism, or is Bush the cowardly army deserter who brought us an illegal, immoral war against a red herring of a irrelevant despot in the middle of the war on terror?

God, you're so hypocritical sometimes! It's like you're arguing with yourself!

Re:What for?

[Bryansix]

Obviously you have never worked in the Mortgage Business. It seems like the majority of the people in this business are in it to commit some kind of fraud. Whether that fraud will cost the company money is up another story. Still you have the Loan Originators lying on applications and changing data to push loans through, you have Branch Managers accepting first payments and cashing the checks in their offshore accounts, you have people "referring" loans to get around licensing requirements. So what risk does an IT person pose in this industry? Ever heard of Identity Theft? I personally have access to the social security numbers, bank account numbers, last know addresses etc of all of the borrowers on any loans passing through here. Now I'm not stealing this information but the Secret Service actually arrested some former employees here for an ID Theft Scheme. So yes, background checks plus a process of following up and actually being aware of what your employees is up to is very important.

True Story...

[MadMorf]

A company I worked for in the 90's discovered it's night-shift word processing supervisor was a convicted felon when conducting background checks on a couple dozen employees, after wallets and purses started disappearing from the office near Christmas time...

The WP supervisor had worked for another company and copied a database onto floppies and then erased the production database. He tried to hold the data for ransom, but the company just had him arrested. He did a couple of years in the klink and when he got out he went to work in the billing department of a local utility where he deposited customer payments into his own account. He did a couple years for that as well...He had worked for our company for 2 or 3 months, virtually unsupervised.

The wallet thief turned out to be a mailroom guy who had worked there for years...

Absolutely

[iamacat]

Companies should start by doing a background check of their CEOs and promptly fire them if any irregularities like a previous arrest or drug/alchohol violations are found. Once the people who could really do a lot of damage, like violate US/EU business laws, are investigated and dismissed, the company will be justified in asking rank and file to give up their privacy.

Re:Are you serious?

[$RANDOMLUSER]

> Are background checks necessary for Sys Admins at a financial institution?

For sysadmins it should be called a wallpaper check.

It's UBS' Fault

[h4ck7h3p14n37]

The question you should be asking is not, "would a background check have prevented this", it's "how the hell could one person alone cause that much damage on UBS' network"?

One person should not have been able to push a logic bomb out to thousands of machines without several other people in the organization knowing about it. Isn't UBS publicly traded? The Sarbanes-Oxley Act should have required that their IT group be audited to ensure that controls were in place to prevent exactly this sort of situation.

How would it have helped?

[Christopher_Edwardz]

How would burglary and assault (um... 47 YEARS AGO) lead to logic bombs? (From the OP) How would this have helped?

From the article:

Using only publicly available information, Hershman found three incidents, including drug-related charges from 1980 and a tax violation, within 24 hours. Within three or four days, he says investigators found information on a conviction and incarceration from the early 1960s related to aggravated assault and burglary charges. A presentencing[sic] report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.

So... basically, 27 years ago this guy had a drug case, and more than 40 years ago had an aggravated assault and burglary charge. From this they were supposed to deduce that this guy was going to logic bomb them?

Or, according to TFA and Hershman, this would've been enough for them not to hire him at all or just for computer work? He doesn't say. I've worked in firms that would refuse to hire you if you had anything on your record.

Please note here that Mr. Hershman sells this service and I am not so sure that he would be considered unbiased.

Here is some guy that would have been penalized for something he did 40 years ago?

Talk about 2nd class citizens. Do they understand that over 2% of the population is in prison and a considerable portion of people living today have been in prison or convicted of some offense at one point or another?

One of the engineers I hired had a drug conviction, but it was clear that she was recovering and this was a good opportunity for her. That was several years ago. Do I feel bad about that? Of course not.

I understand why companies feel the need to do criminal background checks to absolve themselves of a possible lawsuit. (They are culpable if they hire an ax-murderer just released from prison and he axifies some people.)

I believe that some of this is designed to find a chink to break down an employee so he/she will accept less in salary.

"Hmm... you have bad credit. Oh look, you also have some speeding tickets. Now, how much did you say you wanted for the privilege of working here?"

Criminal background checks should be used judiciously in sensitive positions. IT is probably one of those... but companies shouldn't just rubber-stamp anyone with a conviction a "no hire".

How would a background check stop this?

[Gothmolly]

I have never been arrested for anything, what's to prevent me from doing something malicious? If I do, is my employer at fault for not checking me?

Background checks catch the stupid criminals.

Little/no reward

[mungtor]

The way that I look at it is this:

Your IS/IT people are less likely to do Bad Things(tm) since there is little or no reward in it for them. Upper levels of managment can embezzel funds, so can lowly finance interns. For them, there is the possibility of stealing millons of dollars over time.

For IS/IT people, what have you really done? It's a larger scale equivalent of breaking a window. You've caused trouble for other people, but there is no benefit to you.

Besides, IS/IT people are easy to keep happy for the most part. Let them have ownership of the network, don't micro-manage them, and buy them the occasional cool gadget. Want a 20" LCD? If the $300 is costs keeps you happy for 6 months, you can have 4. Want the most kick-ass computer in the company? For the $1000 difference it would take, no problem.

IS/IT people are important. They are the ones who know where your data is, how it's organized, and where it's backed up. Their needs are simple too. They mostly do IS/IT work because they like new stuff and gadgets. Throw them a new piece of tech every other month and keep their salaries at least comparable and you won't have to worry.

Disclaimer: I say these things about IS/IT people because I was one, then I managed them, and now I'm happy to just be one again.

Re:Little/no reward

[Lehk228]

they could take the rounding errors from millions of transactions each day and deposit those errors into their own account, then the crazy guy you just fired will burn the building down

You are free to refuse

[DaveAtFraud]

And you have the right not to work for anyone who requires a background check. Just like someone who requires a background check has the right not to hire you for refusing to take one.

Welcome to the free market.

Cheers,
Dave

Fearmongering for fun and profit.

[bigmaddog]

The article is just fearmongering. Aside from the questionable use of statistics that others pointed out, many of the choice quotes are from sources that are hardly objective, such as "Howard Schmidt, a former White House security adviser and now president and CEO of R&H Security Consulting" or a a "Ken van Wyk, principal consultant with KRvW Associates," which, you guessed it, is a security consulting firm. It's like asking a telemarketer if he thinks you need a new long distance plan. Of course these people are going to tell you everyone's out to get you and they have the answer, all based on the strength of one horrific case study! Sure, you need to check up on people with, as they put it, the keys to your kingdom, but the analysis in TFA is hardly a basis for a level-headed, thoughtful discussion.

Background checks catch people who lie

[davidwr]

If he lied on his application, a good background check will reveal this. This goes for all employees, from the guy who mops the floors to the guy in the CEO's office. Remember, the guy you hire to mop the floor may be working on his CS degree and become your IT guy in 3 years. 15 years later he may be the CEO.

Catching a liar is much more valuable than disqualifying a murderer or embezzler. The former obviously hasn't learned his lesson yet.

As for protecting your systems from bad acts, keep audit trails. Where necessary, have independent systems log all administrator activity, and make sure those logs get stored in a difficult-to-erase-without-raising-alarms location, like magnetic tape on a machine your admins don't control. Change the tape daily or more and never recycle.

Use the concept of least-privilage. Make sure admins have the tools to do the work they need to do, where they need to do it, when they need to do it, and no more. Critical systems should have multiple approvals required to effect changes.

His bonus...

[TranscendentalAnarch]

was supposed to include a red swingline!

Come on now

[t00le]

Where will I be able to buy my weed from if they find out our BOFH has a cultivation of marijuana arrest twenty years ago?

Criminals are people (for better or for worse)

[xjmrufinix]

I think the label of criminal is kind of being tossed around like a kind of boogie man, some clearly designated type of human who is scientifically proven to be more prone (if not certain) to steal and destroy the property of anyone fooled into hiring them. I don't think this has any basis in reality, and background checks serve more as PR and a way to placate the public into a false sense of safety than anything else. In reality, every workplace I've ever seen, technical or otherwise, was full of "criminals" who had never been caught and for whom background checks would provide zero protection. Humans are quite often greedy and selfish and inclined towards breaking rules when they think they can get away with it. I've had bosses who used background checks to screen employees while they themselves would steal hardware from the office. I wonder how many (much less sensational stories) of IT workers without criminal histories stealing from their employers aren't being reported... I personally have a criminal record, dating back to my teenage years, and am now in my late twenties. I understand an employer's apprehension when considering me for a job, even after all these years of living a constructive life, but I believe the roots of that apprehension are manufactured by the media. In reality, it is a huge task for an ex-offender to go to school and even develop the qualifications for IT work, and in my personal experience and from volunteering to help employ other ex-offenders, I believe someone who has invested that amount of effort into pursuing that career is far less likely to throw it away by doing something stupid. Most active criminals/addicts can't hold it together enough to get through college and perform the duties expected of an IT worker. They don't invest huge amounts of effort and time playing it straight for years so they can infiltrate companies and ruin everything. This character seems like an aberration to me.

When I was a kid...

[The+Bastard]

it used to be the background check was called "checking references", and was done by the manager or HR. Previous employers were contacted, and if there were bad vibes, the candidate was passed over. This would tell a company far more than background checks.

background checks are worthless

[thoughtlover]

A background check could filter out a lot of bad people.

Perhaps, but will a background check filter out a person who doesn't have a record? What happens if you piss of your sysadmin (for whatever reason)? You may get a similar situation as UBS. How is a background check going to help you there?

If anything, a psychological profile would be the proper approach. Ask, "Does this person, with a clean record, hold the propensity to go postal (aka, rm -rf *) ?" How many people graduating with a CS or IT degree have a crime-addled past? By and large, very few, I would assume, but that's assuming from experience. Not too many of my coding-nerd/dork/geek friends hold outward, violent contempt towards people. However, some of them seem to harbor a deep-seeded disdain for certain organizations, groups, etc. None of them have ever been in trouble for any reason, but what if you pissed one of them off for any reason? I can't say what one of them would do. Perhaps they would do nothing, short of quit their job, but no one can be certain what _any_ person will do when faced with extraordinary duress.

Personally, I believe if we were to go down the road to psychological profiling, we're treading in dangerous territory. Something along the lines of Minority Report meets Gattaca.

Re:background checks are worthless

[vought]

If anything, a psychological profile would be the proper approach.

And with a failure rate of about 20% (according to my headhunter) these personality tests keep a lot of good people out of jobs.

But I suppose we're all supposed to prostrate in front of the almighty corporation. God forbid companies take risks or put in place mitigation strategies so that rogue employees can't bring the whole place down.

Did they make Ken Lay take a personality test? What about Jeff Skilling? I suspect they would have been found ideal based on the types of questions on these tests - which tend to focus on attention to detail, attitude, and trust in coworkers. Yet these men ruined the livelihoods of thousands with their greed. But personality tests don't probe for greed or concern for others (at least not the ones I've taken). They're also pretty invasive, asking about a prospective employee's personal life.

The personality test I took was at a company in Baton Rouge, Louisiana. My friends back in Silicon Valley couldn't believe some of the questions that were on the test, and would "just have walked out". But I need a job, so I took the test. It said I wasn't gregarious enough and a something of a solitary worker. So despite a director-level assurance that they wanted to hire me, the personality test made the hiring decision for them.

Personality tests are measurements based on what companies think they want to know - and this isn't truly useful information. A "loner" might be able to accomplish more, faster, than folks who are sociable and who hang out at the coffee pot for several minutes a day, but according to the Caliper test, these people aren't good fits at most companies.

I think that based on these simple observations, personality tests (and by extension, background checks) are less useful than they're billed as being.

Always check

[Billly+Gates]

I have a family relative who is a senior HR executive and you would not believe the stuff she sees. The vast majority of people lie with degrees and experience and many have criminal backgrounds. More than half plainly lie or use family members as references. People who were once criminals have trouble finding jobs and are very likely to keep applying until someone doesn't notice. They make up a very large majority of desperate applicants with false resumes.

She ends up firing quite often over this

Re:Yes, do the backgrond check

[Jerry+Rivers]

Those potential hires being investigated should also do their own investigating to be certain that they can trust the corporate gumshoes poking around in their private lives. After all, who's to say that the magnifying glass turned the other way won't uncover some untrustworthy employer?

Are felons ever forgiven?

[nexeruza]

This is a topic I've been curious about for a few years now. From about the age of 14 till I was 23 I've racked up many misdameanors and felonies as I went through life doing drugs and being a loser. I'm 26 now and have cleaned up since I was 23. I'm a student right now wondering if when I go for an interview or fill out an app if I should lie about my past or put down the truth and hope I'm given a chance. In the past I've lied and gotten many jobs, but its mostly construction, labor, grunt work that nobody ever does a background check on. I actually work in a factory that makes anti-theft boxes for vehicles. And I lied on the app for the temp staffing company that got me a permanent job there because they do not accept felons of any kind. It actually said on the app STOP if yes to question #12. From experience I've found that telling the truth is 99% guaranteed to have your app thrown in the trash. However from what I read here they actually do backgrounds checks and I've seen that in the hire ads at monster, dice, etc. For anybody that knows, should I maybe have low hopes for getting a job in IT because of this?

Should I lie and hope I slip through the cracks and hope some more my past is never revealed?
Should I tell the truth and burn gas to the next interview hoping I'll find somebody open minded?

My record is burglary, theft, dui. Nothing violent or job-related.

Yeah I know I brought this on myself but if I'm never given another chance am I supposed to do manual labor making 9 dollars an hour the rest of my life as punishment?

BTW, at my current job, I see "clean" employees steal things, yet I never do.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Keeping in touch with your employees

[m-wielgo]

Viktor Cherkashin, a former KGB officer states in his book Spy Handler, people most often commit treason based on personal needs that need to be resolved, right now. Most commonly financial reasons, it is why Aldrich Ames and Robert Hanssen both defected to spy for Soviets.

What's the ideal solution? Make your employees happy, pay them more, etc? It's difficult to stop good people from going rogue, and even worse doing pre-screening. Note even a single scope background investigation and polygraph works (see above)

And to quote Cherkashin, "The only way to be safe is to remove people from intelligence gathering, ....as long as people are involved, security threats can never be completely eliminated."

I'm actually shocked they DIDN'T do one

[CharlieG]

I've worked for a LOT of places - some were banks. My wife works for a brokerage. Trust me, for every one of those jobs, we not only had a regular background check, but were fingerprinted, and the prints run

They actually called my wife back on one of them - at out old house, there was a woman with the same name 1 block away, so our addresses were 1 digit different. That woman had "problems". This has actually turned up 2-3 times, including at our house closing - we had to certify that my wife was NOT the other woman - they took our word, but had to sign a paper

I've held security clearences - they don't prove that you won't do something wrong too - BUT they do tend to get rid of SOME of the chaff - yeah, you lose some wheat too, but...

Problems with background checks

[hey!]

The kind of background checks that were done 20 years ago wouldn't be a problem. A credit report (which by law you can obtain and correct), criminal convictions, that sort of thing. Pretty much everything comes out of public or quasi-public records.

These days, companies like ChoicePoint are offering data products mined from a wide array of sources. There are many problems with this approach, starting with the fact you did not consent for people to share your data for this purpose. In the US, the Fair Credit Reporting Act supposedly regulates some information products used for this kind purpose, but there are many ways around. The same kind of information that you have a right, under FCRA, to contest and correct in a credit report can appear in a background check... and lots more.

You have no right to know or contest what is in a background check. Particularly the cheap kind that are sold almost as shrink wrap products.

The information on the background check can be simply wrong. I had a modem line in my house for a short time, less than two years. Possibly because I had it for a short time, the number got recycled fairly quickly after I had it disconnected. Recently I ran a background check on myself, and found data that had nothing to do with me in it. Looking at it carefully, it turned out to apply to the people who got my old modem phone number.

What if those people had been criminals, or terrorists?

Here's another eample. A couple of years ago, a big box store in our area went out of business. A few months before the store went belly up, we had spent $15 there. Later, we got hundreds of dollars of charges on our credit card: somebody at the store ran our credit card number through dozens of times, apparently to bring enough cash to keep it afloat for another month. We told the credit card company to decline the charges. If the information that we had hundreds of dollars of unpaid debt ever appeared on our credit report, we could challenge it. But if it appeared in a background check, we wouldn't even know.

Even where information is correct, it might not be complete. For example, suppose the creditors in the store incident took us to court. That could appear on our background check. But if the judge dismissed the case, it might not appear in the report at all.

Wouldn't a more accurate background check be better? Yes, but it is more expensive. The background company can sell a much cheaper product if they tolerate a lot of mis-information that shows unlucky people in a false light. The employer can tolerate false positives too, unless it is unusally important to hire the best possible person. In those cases they could double check the background check if they aren't scared off; or they could purchase a better background check. Having a selection of price/quality in background checks benefits the employer and the data companies. It's bad for everyone else.

Background checks are a good thing. Inexpensive background checks are a good thing. Cheap (as in shoddy) background checks, which contain information you cannot see, much less contest or correct, are a very, very bad thing. At the very least, the information in the background check should be shown to you first, and you should be able to challenge it before it goes to the employer.

A better system would work like this: somebody ought to offer a "bonded worker" product. You, as the employee, would hire a trusted and respected company to do a background check on you. The bonding company would then produce a risk profile based on the information in that background check, and show it to you. You could query various findings and view and contest the data used to arrive at them. When the report is mutually acceptable, the report would be sent to your prospective employer. If that employer had any special concerns, they would submit them to the bonding company, who would draft a response which you could review and challenge. At any time you

Credit checks are a great tool

[Slashdot+Parent]

With credit checks, it really depends on what they are looking for. I'm a landlord (which is different from an employer, although I guess I am also an employer), and when I pull credit on an applicant for a unit, I just want to know if the person has been lying to me or not. I don't even look at the score, except for grins and giggles.

If you tell me on your application that you are a perfect tenant, pay on time, just moving across town to a bigger apartment, great. But you'd be surprised how many times I pull credit and see the person is from out of state and moved because he's got 12 judgments against him from former landlords, and the local utility won't provide service to him 'cuz he owes them $5,000.00. I'm sorry, but where I live it gets cold, and if you don't pay your electric bill, my pipes are going to freeze and that's more damage than you can afford to pay for, buddy.

So, perhaps that is what employers are looking for. Validation that you aren't totally full of it. I've never heard of someone being denied employment because of a low credit score. I have heard of people being denied employment for lying on their resume or during their interview. "I see from your resume you attended Harvard. Tell me, why did you have electric service in your name in Mississippi and then in Alabama during those 4 years? Correspondence course?"

That's what I use credit checks for.