This webinar, held on 26 August 2020, was a collaboration between strategic partners PayrollServe (a company of Stone Forest) and Cisive. Through this webinar, participants gained insights into the role of human resources (“HR”) in preventing and mitigating security incidents such as fraud, embezzlement, and cyberattacks. The participants also gained a good understanding of best practices on different levels of background checks, and of how to identify potential loopholes in HR processes.
As many companies are now operating from home due to the COVID-19 pandemic stay-home order, they tend to forget to put in place basic cybersecurity measures to avoid intrusions and data breaches, among other cyber threats. To minimise or avoid the occurrence of these threats, companies have to make sure that they appoint a qualified data protection officer according to the local law. This will also safeguard confidential data from theft by employees. It is, therefore, important to ensure the company hires the right person to helm the data protection function or any other key role in the company.
Patch Up HR Loopholes
Employing someone without prior background checks can cause more harm than good. This is a major HR loophole in many companies. According to the poll conducted during the webinar, 52 per cent of the attendees rely on job applicants to self-declare their track records or obtain information through their referees. The two major issues with referees are as follows:
- Most referees are close friends and they may or may not divulge anything bad about the applicants
- Calling the previous direct supervisors may not be a bad idea, but if there is bad blood, the attestation might be biased
Therefore, it is of paramount importance that companies seek other ways to obtain more information about potential candidates to make informed hiring decisions and avoid undesirable consequences, such as employees extracting the company’s confidential data for their personal agenda. Exit interviews are just as critical as onboarding interviews to make sure that no confidential information is taken out of the company.
To address these issues, we have to take note of the following three measures:
- Tighten your company’s internal security controls
- Get the right person on board through stringent and thorough background checks
- Have a monitoring process in place when things happen
Another source we can refer to is the ISO 27001 international standard, which Stone Forest helps companies to comply with:
A.7 Human resources security
A.7.1 Prior to employment
Objective: To ensure employees and contractors understand their responsibilities and are suitable for the roles for which they are considered
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the organisation’s responsibilities for information security.
For financial institutions such as banks, insurers, and CMS licence holders, the Monetary Authority of Singapore (“MAS”) has also set out some hiring guidelines for these companies to adhere to:
GUIDELINES ON OUTSOURCING
5.4.4 The institution should ensure that the employees of the service provider undertaking any part of the outsourcing arrangement have been assessed to meet the institution's hiring policies for the role they are performing, consistent with the criteria applicable to its own employees. The following are some non-exhaustive examples of what should be considered under this assessment:
(a) whether they have been the subject of any proceedings of a disciplinary or criminal nature;
(b) whether they have been convicted of any offence (in particular, that associated with a finding of fraud, misrepresentation or dishonesty);
(c) whether they have accepted civil liability for fraud or misrepresentation; and
(d) whether they are financially sound.
Any adverse findings from this assessment should be considered in light of their relevance and impact to the outsourcing arrangement.
Types of Screening when Hiring
Several checks are necessary for HR practitioners to put into practice when hiring:
- Criminal Checks: Do your potential candidates have any former criminal convictions? Were they ever involved in theft (physical or data), fraud or any other crimes?
- Employment History: Did they really work where they claimed they did? Did your candidate inflate their title or salary? Did they leave on good terms or were they forced to leave after being the subject of disciplinary proceedings?
- Education Verification: Did they really graduate from the university they claim? Did they doctor their certificate? Or is the school just another diploma mill?
- Civil Litigation Records: Have they ever been sued? Have they ever sued anyone?
- Global Media and Internet Search: What is out there in the public domain? What kind of reputation does your candidate have that’s known to the public?
Balance between Cybersecurity Hygiene and Background Checks
Establishing good IT or cybersecurity hygiene and implementing adequate background screening when hiring are both critical. Remember, inadequate checks and sluggish cybersecurity measures can lead to varying degrees of organisational damage.
Find out more about how PayrollServe and Cisive can help you ramp up cybersecurity measures and get the best hire for your company.