Personnel & Vetting Archives - City Security Magazine
https://citysecuritymagazine.com/category/risk-management/personnel-vetting/
News and advice for security professionals
Last updated Thu, 25 Feb 2021 11:16:03 +0000

Insider Threat – COVID-19 changes the landscape
https://citysecuritymagazine.com/risk-management/insider-threat-covid-19-changes-the-landscape/
Wed, 07 Oct 2020 06:27:05 +0000

People are the strongest link in an organisation – but evidence shows us that occasionally they are also the insider risk. Have COVID-19 working practices changed that?

The recent Security Institute-hosted webinar by the Centre for the Protection of National Infrastructure (CPNI), the UK’s National Technical Authority for personnel and physical security, on insider threat was a timely reminder of this persistent risk. All organisations, big or small, need to manage their insider risk (a member of staff/contractor, who uses their legitimate access to your organisation’s assets for unauthorised reasons).  Some companies will have dedicated insider risk mitigation programmes; some will respond on an ad hoc basis following an insider incident; almost all will rely on some mitigations that require being able to interact with staff on a daily basis. Typically, that has often meant a shared physical location in a workspace.

As CPNI noted in its insider data collection study, ‘a general lack of management supervision or oversight of employees meant that many of the behaviours, problems and activities of the insider were noticed but went unaddressed’. If a key mitigation of insider risk is about staff (line managers, peers) being able to see (and recognise) when their colleagues are acting differently or observe changes in work productivity, then COVID-19 has changed this landscape. From the looks of things, for some businesses it’s a permanent change, with CEOs recognising that their staff and operations can function as effectively working from home or at distance.

However, for many staff these new working practices have additional pressures – staff are feeling isolated and concerned for their future. There is a lack of communications from the company at both a corporate strategic level and from their management chain. They have lost the opportunity to chat through some of these concerns with their peers as they no longer share office space. Ultimately, these valid concerns can start to turn to dissatisfaction with the organisation, may result in a reduction in productivity and almost certainly a fall in adherence to office processes and policies.

Insider activity rarely happens overnight, as any changes in behaviour tend to be gradual, which co-workers and managers notice from prolonged periods of time spent working together with their colleagues. It will be interesting to track whether the COVID landscape has contributed to a quicker pathway from dissatisfied member of staff to an insider, because of the isolation. What will be evident though is that the opportunity for peer/management recognition of these changes has decreased.

Staff interaction/oversight for many is now based on virtual meetings where you can choose whether to show yourself on camera or stay hidden behind a photo or blank screen, instant messaging or email. The opportunity for social catch-ups at the tea point or before meetings is replaced with silence on the screen before the chair arrives to begin procedures. There have been examples of staff who have been recruited during COVID, joined the workforce and then left without team members ever seeing their new colleague. The only people who have seen the individual were the recruitment team. This can be a challenging landscape in which to build trust.

A good insider risk mitigation programme is going to need to be flexible and dynamic, in the same way that many of your company IT departments have needed to move from a ‘computer says no’ response to a decision-making process based on immediate requirements. Because insider risk is all about people, your security team is going to have to work with a range of departments, to help them see the COVID-related changes that affect them, their policies, processes and procedures through a security lens.

Managing the insider risk needs to effectively adapt to meet these changing environments.

Top tips include:

  • Reviewing your insider risk assessment – have the risks changed, have your critical assets changed, are the current mitigations still effective during working from home and/or returning to work under COVID restrictions?
  • Review your ‘work from home’ policies – are they fit for purpose? For example, what does ‘home’ mean? Is it UK-based or overseas? Does company insurance cover staff working from home in another country?
  • Work with your HR department to develop effective ‘at distance’ line management policies and procedures that include a security function. It is a sad fact that many businesses are having to make staff redundant. A poor exit strategy for staff is regularly identified as an opportunity for staff to exploit; it is key that your exit strategy takes account of additional risks that COVID poses – e.g. return and disabling of IT equipment and passes.
  • Work with Comms departments to include security communications as part of wider corporate comms, so that security responsibilities are interwoven with business as usual. The role of your corporate comms has never been so important – staff are relying on clear communications whether they are in furlough or now doing their job from home. It is key that you identify all communication channels – not all staff will check your internal company website for updates, not all will read the ‘send to all’ email circulars and not all will be at meetings where new comms are given out. You need to ensure that all comms channels are used and build in a mechanism for ensuring that staff have received and understood the content. This will help reduce staff feelings of anxiety and isolation.
  • Work with your IT departments to understand what the new ‘normal’ working routines look like, to check whether the auditing function provides adequate assurance or needs some adaptation.
  • Review any reporting processes – if you encouraged staff to drop in and see the security teams to discuss any issues, what can you put in place for those staff who are no longer working in an office environment?
  • Keep your boards informed of changes to insider risks and their responsibility to lead from the top and show visible support for, and engagement with, security during these unusual circumstances.

There is a wealth of information available on the CPNI website to help organisations understand, manage and reduce the risk from insiders. There are a number of different toolkits available to help with a range of security issues. These are downloadable and can be branded for your own organisation. I would strongly encourage you to take a look at COVID-19 related pages for some simple steps and easy-to-use toolkits to help you navigate this challenging risk.

Sarah Austerberry Mlitt, CSyP, FSyI

Director

Au Security Consulting

www.ausecurityconsulting.com


Changes to Staff Security Screening in 2020
https://citysecuritymagazine.com/risk-management/changes-in-2020-to-staff-security-screening/
Mon, 27 Jan 2020 09:13:06 +0000

On 1st April 2020, the updated British Standard relating to staff security screening BS 7858:2019 (published 30th September 2019) comes into force, bringing a number of significant changes. Now is the time to make sure you are prepared for this new standard.

An important aspect of security and risk management is an effective approach to security screening of new staff, in particular those involved with the security of your people and property and those with access to critical systems and data. The accreditations that many security organisations require will include adherence to effective screening as laid out in BS 7858:2019. Additionally, this updated standard broadens its scope so it can be used as a model for all staff screening, not just within the security sector.

You may have a team within your organisation that carries out screening, or you could use an independent specialist screening organisation. Either way, the security of your organisation and reaching the required accreditation is dependent on you getting it right.

In this transitional period before BS 7858:2019 becomes operational in April 2020, where either standard BS 7858 or BS 7858:2019 can be used, there is time to familiarise yourself with the changes summarised below.

Rescreening required?

Firstly, it is helpful to note that if you have already satisfactorily screened people under the BS 7858 regime, you do not need to rescreen them when BS 7858:2019 comes into force.

Top management must demonstrate commitment to screening

A significant change in the new standard is that it now places more importance on the role of top management of an organisation, requiring them to demonstrate that they are employing good risk management practices, including their approach to employing people.

Top management must show they understand the parts of their business where risk lies and the roles that are involved with these risks, be they financial, security of data, risk to property or related to people, such as roles with access to vulnerable adults and children.

Commitment to effective screening from the top of the organisation is needed: to ensure the resource and infrastructure is in place; to direct and support the activity required; to ensure responsibilities are assigned and communicated. This is irrespective of whether screening is outsourced or carried out in house, to comply with the standard. In either situation, the organisation employing the individual screened is required to review and sign off the screening file.

Practical Changes to BS 7858:2019 for staff security screening

There are a number of specific changes within BS 7858:2019 that those carrying out screening need to understand:

Character references no longer required

The 2012 standard required a character reference as part of screening. Additionally, individuals who needed to explain a long period out of work could use a character reference to evidence a valid reason for this period under the previous standard. Character references are now deemed to be too easy to abuse and are no longer required. For absences (more than 31 days and not registered as unemployed) further evidence and checks will be needed and this is going to be more of a challenge to provide. This is where specialist agencies can sometimes be of help.

Global Watch List Check

As part of screening, checks must be made across a range of lists and databases: for example, the HM Treasury list of financial sanctions targets in the UK, watch lists and fraud databases like CIFAS. A comprehensive list is not provided; it is the screening organisation’s responsibility to determine which are the appropriate lists to check against.

Electronic media

The new standard recognises that a lot of documentation is now authenticated by electronic means; “wet signatures” are not always used.

Annual competency review

There is a new requirement for evidence of an annual review of the competency of individuals carrying out screening.

Conditional Offer

Third requirement added: currently there are two steps you have to follow before making an offer of conditional employment: completion of the prescribed preliminary checks and satisfactorily completing limited screening. The new standard introduces a third element: you must undertake a risk review and confirm that “the level of risk in the intended employment has been evaluated and is deemed to be acceptable and documented” and therefore you are happy to make the offer based on that and your risk profile.

Record Keeping

Where an individual is reviewed and not made a conditional offer, or where employment will not continue after limited screening, organisations are required to retain records on this person for 12 months.

Permission to pass on screening file from one employer to another

With appropriate consent of the employee, employers can pass on their screening files to another employer. However, the new employer is still responsible for making sure screening has been done to the required standard. Both parties are also responsible for ensuring that other legislation, such as data protection, is adhered to.

Open Source / Social Media

The new standard recognises that some organisations may want to carry out open source checks on social media activity. This is an area that needs to be handled with care. Organisations carrying out these kinds of checks need to do them consistently, without discriminating and within data privacy legislation. The guidance for the new standard refers to the Financial Conduct Authority (FCA) Handbook – The Financial Crime Guide for further help. Caution is recommended in this area, as is keeping a watching brief on further guidance from regulatory bodies.

In just a few months BS 7858:2019 will come into force. Is your organisation ready? Make sure you can answer key questions around screening. Now’s the time to ensure you have the right process, resources and infrastructure in place.

Victoria Hotchkin

Managing Director, National Security Screening Agency (NSSA)

www.7858.co.uk


10 top tips for Security Screening
https://citysecuritymagazine.com/risk-management/risk-management-security-screening/
Sun, 21 Oct 2018 13:00:22 +0000

Many senior security specialists believe the most significant threat to business today comes from the insider threat: the criminal, terrorist or disgruntled employee or those open to coercion, who can cause significant damage, steal from your organisation or worse.

Your first defence against someone with criminal intent being on your staff is by having effective security measures in place, especially a robust security screening process. Does your process address these key factors?

  1. Do not discriminate

Treat all job applicants and employees in the same way. For example, make no assumptions about a person’s right to work or security status based on their colour, nationality, ethnic or national origins.

  2. Plan for security screening

The level of security screening will depend on the role. The full written process takes 4-5 weeks on average, with a maximum of 12 weeks permitted. There will be a business imperative to bring your new candidate into post as soon as possible, but it is important to factor in the time to properly screen.

  3. Meet your legal requirements: Carry out a right to work check

You can commit a criminal offence if you employ an illegal worker. So, you must ensure that a potential employee is permitted to work in the UK. Full information is provided on the government’s website www.gov.uk

  4. Ensure you carry out the right level of security screening

There are certain checks that well-trained personnel in your own organisation can carry out. Or you can use an independent specialist screening organisation to ensure robust pre-employment screening. It is important to establish the right level of screening for the role. This will depend on the level of access to critical assets within the organisation. When developing the job specification, it is important to determine the level of security screening required and to communicate this to potential candidates.

  5. Check all ID documents are valid

Terrorist organisations encourage their followers to conceal their true identity with counterfeit and forged documents. So, as police colleagues advocate, it is important to: Assume Nothing, Believe Nothing, Check Everything when it comes to checking documentation. This can include checking birth certificate, passport, firearms certificate, driving licence and SIA licence. Specialist training and resources are available from your local police force and specialist providers.

  6. Check credit history

For some roles, it is important to arrange for a Consumer Information Report (CIR). This examines the electoral roll for current and previous addresses of the most recent 5 years and who else lives at these addresses. In addition, it will check for satisfied and unsatisfied County Court Judgments, bankruptcy/insolvency and outstanding debts, individual voluntary arrangements (IVA) and debt relief under £15,000.

  7. Check career history and account for gaps

It is good practice to check back at least the most recent 5 years in a potential candidate’s career history. This includes checking accounting records for the self-employed. Redundancy happens to most people at some point and there are many other legitimate reasons for career gaps, but you may need to ask for documentary evidence for these, for example details of benefits claimed. Many people travel or live abroad for long periods, so you may require details of this, such as passport stamps, visas and/or confirmation of employment overseas.

  8. Check references

It is important to take up references as evidence of a candidate’s career history. Previous employers may only be prepared to provide dates of employment and job title in writing. If you want more insight, you may find a personal telephone call more fruitful.

  9. Check educational attendance

If your candidate is a recent graduate or school leaver, security screening could involve checking the most recent 5 years’ history including attendance at school, college or university. The screening process should ascertain if the individual was full-time or part-time, the dates attended and whether there were any extended periods of absence.

  10. Police Checks – Disclosures

Depending on the role for which you are screening, varying levels of information held about the individual can be requested from the police – these are known as “disclosures”. This process is covered by the Rehabilitation of Offenders Act 1974, which defines when criminal offences are “spent”, or no longer disclosed. This depends on the sentence received for them, for example a minor offence resulting in a fine may be spent after 1 year has lapsed. A serious offence involving a long prison sentence will never be spent. Overseas police checks may be required if the applicant is a foreign national or has spent extended periods overseas.

In this modern world, security screening plays an important part in keeping us all safe and protecting our brand.

National Security Screening Agency

www.7858.co.uk

Security screening for your new job in security
https://citysecuritymagazine.com/risk-management/personnel-vetting-security-screening/
Mon, 30 Jul 2018 08:16:21 +0000

Are you prepared to be security screened for a role in the security industry?

Whether starting out in security or moving roles, security screening is now a key part of the process of getting a new job.

These vital checks aim to assess whether you can be entrusted with the security of people and their property and, in some cases, whether your current circumstances make you vulnerable to coercion and therefore a potential risk, rather than an asset to the organisation.

To stay in business, it is often mandatory for organisations providing security products or services to security screen employees for them to maintain the accreditation or approval ratings needed to operate. So do not underestimate the importance of security screening in the path to your career success.

The level of security screening will depend on the role, but bear in mind the process takes 4-5 weeks on average, with a maximum of 12 weeks permitted. So you can help make this process as smooth and speedy as possible, and increase your chances of shining as a candidate, by making full preparations.

Your Career History

Keep a detailed record of your career history, in particular the most recent 5 years. You need to keep the start and end dates of the positions you have held on a day/month/year basis. As time passes, it is surprisingly easy to forget these details. One way to keep track is to ask each employer as you leave for an Employer Reference: just stating start and end dates, a brief comment on your performance, attendance and time keeping. Remember that an Employer’s Reference comes from the organisation and that a Character Reference comes from an individual who knows you on a personal basis, so you may like to ask your line manager or a colleague for a Character Reference too.

Periods of self-employment/owning your own company

If you have worked for yourself, having client trade references confirming the work completed including dates will assist in providing the required evidence. In addition, details of your accountant and bank will be useful.

Accounting for Gaps in your Career

It is important to be able to account for career gaps. Do not be unnecessarily worried about revealing periods of unemployment. This is a fast-moving world – redundancy happens to most people at some point. Indeed, claiming benefits during the periods of unemployment provides clear evidence to explain the gap.

There are many other legitimate reasons for career gaps, but if you have no documentary evidence for your day-to-day activities you may need to provide a character reference from someone who knows you and what you were doing – perhaps a neighbour or friend who has seen you regularly. For example, if you have been full-time caring for children, the elderly or infirm, you may need to provide verification for this time. If you have not claimed benefits and no other documentation is available, this will mean a character reference is needed.

Periods out of the country

When you travel or live abroad for long periods, keep a record of the dates and locations. Passport stamps will show where you have been. If you have been out of the country for more than 6 months, it will be necessary for a criminal records check to be made in the country where you resided, so accurate details of your time abroad will be needed. If possible, get a criminal disclosure check from the country you have resided in before you leave. This will speed up the security screening process.

Educational Establishments

If your most recent 5 years’ history includes attendance at school, college or university, you need accurate records of this. The screening process will ascertain if you were full-time or part-time, the dates between which you attended and whether there were any extended periods of absence.

Checking your credit

In all circumstances, checks will be made about your credit history – this is known as the Consumer Information Report (CIR). This is not the same as checking your credit worthiness by those lending you money: no trace of the CIR will be left and it will have no implications for other credit checks you have.

The CIR will examine the electoral roll for your current and previous addresses of the most recent 5 years and who else lives at these addresses. In addition, it will check whether you have any outstanding County Court Judgments, whether you have filed for bankruptcy/insolvency and whether you have any outstanding debts of more than £10,000, individual voluntary arrangements (IVA) of more than £15,000 and debt relief under £15,000.

Police Checks – Disclosures

Depending on the role for which you are being security screened, varying levels of information held about you can be requested from the police – these are known as “disclosures”. This process is covered by the Rehabilitation of Offenders Act 1974, which defines when criminal offences are “spent”, or no longer disclosed. This depends on the sentence received for them, for example a minor offence resulting in a fine may be spent after 1 year has lapsed. A serious offence involving a long prison sentence will never be spent.

Be open about any previous convictions from the beginning; they will not necessarily rule you out of a job. However, if you have convictions for serious offences, there are certain roles you will never be able to take up.

In this modern world, security screening plays an important part in keeping us all safe.

You can make this easy for yourself and prospective employers by keeping your documents and certificates in a safe place and keeping simple records about your life and career. This means if you need to be security screened it is a straightforward task and gets you to the job you want quickly and efficiently.

Paul D Wallis, Managing Director

National Security Screening Agency

www.7858.co.uk

Fixated behaviour Risk Management in a Corporate setting
https://citysecuritymagazine.com/risk-management/fixated-behaviour-risk-management/
Tue, 17 Jul 2018 10:48:28 +0000

Fixated behaviour Risk Management techniques, until recently the preserve of forensic psychiatrists operating from a tiny number of specialist police threat assessment units across Europe and the United States, are now being adopted by corporate brands to help protect workplaces and employees.

The written and spoken precursor indicators associated with a higher risk of unwanted security and reputational outcomes are now understood, and companies can take advantage of the fact by applying structured and evidence-based approaches to identifying and responding to communicated risk.

What is fixated behaviour?

We all fixate, on our spouse or partner, our children, our work, or the sporting pursuits and hobbies that we enjoy. These normal fixations inform how we relate to one another and how we prioritise the giving of our time and attention.

In risk management terms, ‘Fixate’ is used to describe those suffering a pathological fixation: often socially isolated individuals with an ‘obsessional pre-occupation pursued to an irrational degree’, usually in the form of idiosyncratic quests, grudges or grievances.  Such fixations frequently develop as a result of mental illness, personality disorder, or cognitive distortions that impair an individual’s ability to communicate, problem solve or recognise and respond appropriately to social cues.

In a corporate setting, this behaviour presents across a number of business functions, including legal, HR, security, customer relations, web and social media management, line management and the private offices of senior executives. It is typified by intrusive and harassing communication, the conduct of on-line hate campaigns, workplace bullying, insider activity, employee stalking, or vexatious litigation.

Particularly common are efforts, usually by a customer, service user or former employee, to right a perceived wrong allegedly perpetrated by an organisation or an individual seen as representing that organisation. Motivated by retribution or claims for redress or acknowledgement, these quests often lead to highly persistent and unreasonable complaining or litigious behaviour, or disruptive acts and attention-seeking stunts at company offices.

Occasionally, as options are perceived by an individual to be running out, behaviour can escalate to threats and individual acts of violence.

Intrusive and hostile action by the fixated is often preceded by antecedent behaviour in the form of communication.

Communications from the fixated, for the most part, do not fall into the category of the floridly unwell. They commonly appear coherent in form, do not constitute a breach of the law, but are unreasonable or inappropriate in content and characterised by a sense of overriding entitlement, intensity and determination.

The cost of fixated behaviour

Organisations that find themselves the focus of fixated individuals invariably absorb the associated financial and human cost for longer than necessary, or feel it more acutely than necessary. This is usually because warning indicators are ignored or missed; because they are misinterpreted and responded to inappropriately; because, in lieu of a more nuanced understanding, risk management decisions are taken purely on ‘gut-feel’ or ‘instinct’; or because, as time goes on, cases of fixated behaviour become viewed as purely legal problems, encouraging and all but guaranteeing persistence.

If fixated behaviour goes unrecognised when it presents, or is responded to inappropriately or too late, the cost can be high.

Personal injury and physical damage to buildings or company assets bring obvious and immediate human and direct costs. But as well as the psychological distress and interference with work function and performance for individual victims, spend on security, legal and reputational management can escalate quickly, across separate departments, separate budgets and under different risk managers.

Towards a structured and evidence-based approach

One of the most striking and common features, both with private companies and agencies of government, is the similarity in the way they tend to handle inappropriate or worrying communications from members of the public.

Specific threats, or similar breaches of the law, are usually referred straight to the police. But by no means all fixated communications meet this test. Rather, they are demanding, angry, delusional, chaotic, explicit, or threatening in a less direct manner.

For risk managers, very little by way of structured framework or evidential guidance exists as to the degree of risk likely to be associated with a problematic e-mail, letter, call, social media posting or approach, or how to prioritise appropriate responses. Applying third-party social media scanning in this context provides companies with an illusory sense of ‘protection’, reaching out into the ether with search algorithms insensitive to fixated risk, whilst ignoring that communicated directly to their post-rooms, reception desks, executive offices, customer services teams, and the in-boxes of employees.

However, developments in forensic psychiatry and psychology in the last decade have led to evidence-based screening and assessment tools for managing fixated risk. Their development and availability in the private sector ‘raise the bar’ on the standard that should be adopted when it comes to identifying and managing communicated risk on behalf of employees, top corporate talent and brands.  Indeed, it is becoming harder to justify their absence from risk management in this context.

Adopting a structured approach to screening communication empowers the risk manager, allowing identification and initial assessment to take place in-house, without necessitating immediate recourse to a third-party. While some communications may require active intervention, the effect is that no risk-bearing communication is overlooked, and a highly nuanced view of risk becomes available, not just in terms of violence – statistically the least likely to occur – but in the domains of escalation, recurrence, disruption and psychological damage to the victim, all of which can have significant human, operational and financial implications.

Conclusion

To ignore communications that appear obsessed, angry, demanding, amorous, unreasonable, deluded or nonsensical is to increase workplace vulnerability, expend resources unnecessarily, and expose employees and brands to unnecessary human, financial and reputational damage.

The factors in fixated communications that are associated with a higher risk of unwanted human, legal and reputational outcomes are now understood.  And the tools to identify and assess those indicators are no longer the preserve of specialist policing units or impenetrable ‘risk-calculating’ software solutions. ‘Gut-feel’ and ‘instinct’ have a role to play in managing such risk on behalf of brands in the public eye. But in isolation they are difficult to defend from a corporate risk management perspective.

Philip Allen

Partner

Theseus Fixated Risk Management

www.theseusllp.com

The importance of identity vetting in recruitment
https://citysecuritymagazine.com/risk-management/identity-awareness-recruitment/
Fri, 13 Jul 2018 11:13:46 +0000

Preventing the ‘insider threat’ by identifying counterfeit and forged documents when recruiting

A study by the Office for National Statistics (2009) demonstrates the ever-changing composition and structure of the UK workforce. In particular, the age composition has changed, with emerging trends across diversity and working hours, alongside the changing employment behaviour of students and, in recent times, a growth in the number of foreign/migrant workers.

Add to this a propensity to change the business model by complementing or replacing full-time staff with short- or medium-term contractors/consultants, and the emerging picture is complex and one to which we in the security industries and law enforcement need to react.

Recruitment process

Human Resource departments can be under internal pressures to recruit to vacant or emerging posts quickly, depending on the strength of the business requirement. The balancing act between running an effective, efficient and profitable business and maintaining security is always a challenging one.

Consequently, managing the risks at the beginning of the recruitment process is enormously challenging, but help is at hand.

Importance of identity awareness

The value of counterfeit and forged documents in terrorist activity has been widely acknowledged by a range of AQ-linked terrorist groups for many years. Document abuse affords operatives and facilitators an additional level of cover and access when planning, preparing for and executing terrorist attacks, with additional opportunities around concealing their true identity, past criminal activities and previous travel patterns which could ordinarily be of concern. This is exemplified in a previously captured Al Qaeda training manual which highlights the value put on the acquisition of identity documents (and counterfeit currency) over and above other parts of planning logistics.

The 9/11 Commission Report, published in 2004, reiterates the value of documents to terrorists, stating they are as important to operations as weapons.

It also recommends that any individuals within professional organisations who look at documents on a regular basis (e.g. Human Resources or Security personnel) should have some knowledge of identity documents. The examination of any identity document requires a certain amount of understanding of the security features contained within documents. It was recognised that awareness training for relevant organisations’ staff in the skills needed to assist in detecting counterfeit or forged documents would be of significant use in combating the threats posed by this activity.

Improving identity awareness

In response, Operation Fairway, which sits within the Metropolitan Police’s Counter Terrorism Command at New Scotland Yard, developed a free of charge Document Awareness Workshop to be delivered nationally across the CT network. This workshop, which comprises two and a half hours of counterfeit and forged document detection training, equips staff with the skills they need to identify such documents at the pre-employment phase of recruitment, and with the knowledge they need to refer any incidents on to the police for further action.

The City of London Police Special Branch recently delivered a number of CT Awareness Presentations to staff from a wide range of City businesses and premises, which comprised a ‘taster’ document awareness session, an input on the ‘insider threat’ posed by individuals who gain employment for nefarious purposes, and a presentation on the value of the Prevent engagement programme (a national initiative to prevent or divert people from radicalisation and extremism).

The ‘taster’ document awareness input focused on various forms of forged and counterfeit passports and driving licences. Delegates were shown a number of common security features which members of HR and security could quickly and easily examine with little or no special equipment, in order to identify if a document was legitimate or not. Participants also had the opportunity to practise their new skills on a selection of both genuine and fraudulent documents, which served to cement their new knowledge.

In support, other partners also delivered an input on the ‘Insider Threat’, illustrating the operational, financial and reputational damage that can be caused by a member of staff using their legitimate access against their own organisation.

The presentation itself focused on the threat posed by employees who deliberately gain employment with the specific intent of committing an insider act, through to people who become disgruntled after they have gained employment, or have been recruited by a third party whilst working within a company, and are motivated to commit an insider act. Common motivations for insider acts are personal gain, seeking recognition or revenge. Participants were shown how to identify areas of vulnerability from a line manager’s perspective and advised on how businesses can mitigate the insider threat by a combination of understanding the risks, undertaking robust pre-employment screening, demonstrating good line management and having an embedded strong security culture.

Recent case studies from the City of London Police demonstrate the potential problems.

Case study one – a person was employed by a City-based company and hired through an agency. The assumption from the employer was that checks on bona fides were the responsibility of the employment agency. However, this was not the case. The person left after a very short period of time having committed a serious criminal offence against the company. All employment documentation provided was false, including passport and birth certificate.

Case study two – a person was employed for a short period of time on a ‘non-contractual basis’. An internal incident occurred at work and on examination of his application it was found to contain serious anomalies, such as a ‘care of’ home address and different handwriting throughout sections of the application.

It’s vital we all make it harder for criminals to pose a threat to us through gaining employment without us knowing who they are, so the risks can be mitigated.

A very simple, but highly effective investigative checklist of ‘ABC’ could be utilised:
  • Accept nothing you are being told or provided with as genuine;
  • Believe nothing you are being told or provided with until you have;
  • Check everything you reasonably can.

If you would like any further information about this article’s content, please contact special.branch@cityoflondon.pnn.police.uk from a company e-mail address.

Paul Barnard, Detective Superintendent, City of London Police (at time of writing)

The insider threat: protecting trade secrets
https://citysecuritymagazine.com/risk-management/insider-threat-trade-secrets/
Thu, 12 Jul 2018 08:10:51 +0000

A global approach to the insider threat

We all know that the nature of the security threat is asymmetric and that we need to protect our companies’ assets from all realistic security threats in a converged manner.

But do we really consider the reality that all security threats have a people dimension?

Results from recent surveys demonstrate the increasing threat posed by the insider, from both accidental and intentional compromise of data or access to facilities. Insiders are likely to target trade secret information, the information of most value to an organisation. Information which is deemed to have value to a company (either real or potential), which is shown to be known only to the company and which is protected internally can be said to be a trade secret. It is trade secret information which must be protected from the insider threat. In this digital age, information contained on technology platforms is the likely target.

Theft of trade secrets

A recent study prepared for the European Commission regarding the theft of Trade Secrets in the Internal Market, dated April 2013, identified that the respondents had suffered attempts or acts of misappropriation of trade secrets over the last 10 years, both within and outside the European Union (EU). Of the 537 respondents, 20% suffered at least one attempt of misappropriation within EU countries. The companies which experienced the highest proportion of such acts were in the chemical, motor vehicle, and pharmaceutical sectors, with slightly lower rates in the telecommunications, electricity and gas, and computer sectors. Larger firms reported a higher frequency of attempts or acts of misappropriation of information when compared to small/medium firms both inside and outside the EU. The parties identified as being primarily responsible for such acts are competitors, former employees and customers.

Employee Attitudes

When reviewing a 2012 survey conducted by the Ponemon Institute, the statistics concerning employee attitudes to information theft are staggering. From the 3,317 survey respondents, the following was identified:

  • 50% of departing employees kept confidential information and 40% planned to use the information in a new role;
  • 60% stated that new employees from a previous competitor offered confidential information from their previous employer to their new one;
  • When considering mitigation action, 69% of employees stated that their company does not do anything to prevent an employee from using information obtained from a competing company;
  • 53% stated that their companies do not take any action when an employee takes sensitive business information. There was also a consensus of belief that no-one from a company would be able to know that the information had been taken and that the sharing of such information would not harm the previous company.

Defining the insider threat

Currently there is a draft directive at European Parliament level, which, if passed, will require EU member states to adopt the Directive into local country legislatures. However, the Directive is unlikely to go far enough and so the onus is on the individual company to protect itself from threats posed by insiders. Enterprises must clearly understand how they define an insider and ensure that they consider all employees, contractors and consultants, as well as vendors and external partners who have access to an enterprise’s information assets. An organisation must also set clear direction regarding how such threats will be mitigated. If the intent is malicious, then a desired approach may be a law enforcement referral, depending upon legal jurisdiction and enterprise location. If the compromise occurred as a result of poor security behaviour, then mitigation could include enrolling the employee on an education programme or an internal discipline case, depending upon severity.

Accountability and Governance

Any programme designed to mitigate this threat must have accountability and governance. The Chief Security Officer (CSO) must understand how this threat manifests itself internally and communicate the resulting risk to an organisation’s board. Where the security risk is greater than the acceptable threshold, then the risk should be placed onto the Enterprise Risk Register. The CSO must then be named as accountable for this security risk and be charged with defining a related corporate policy and compliance programme.

Success of any programme resides in the level of endorsement and support that the leadership displays in regard to it and the talent that is hired to deliver the programme’s objectives. Tone from the top must be set and individuals employed in this field should have a counter-intelligence background that complements their corporate knowledge and their ability to influence stakeholders.  Additionally, all valuable intangible assets should be inventoried.

Poor security behaviour

There must be a desire to capture metrics regarding poor security behaviours, in order that the business can understand the value of the security programme. Where gaps are identified, it is the role of Security to work with stakeholders to close them and to refresh existing policies. Where gaps exist around security knowledge, it is necessary to deliver an enterprise-wide learning presentation. This learning must be mandatory, accessible by all, reviewed regularly and form part of the enterprise compliance programme.

Education must be complemented by constant communication detailing the desired behaviours, for example a Clean Desk policy or enforcing the Need-to-Know principle, thereby empowering colleagues with security knowledge. The programme must ensure that employees feel personally responsible for protecting the company’s trade secrets and that they take ownership of their security related behaviours.

Finally, there must be enforcement activity, namely investigations and discipline, delivered in a transparent manner. It is this holistic approach to the insider threat that will allow adequate mitigation.

Rowena Fell, MA CPP FSyI

Merck Sharp & Dohme

Associate Director, Intellectual Property & Trade Secret Protection Programme (EMEA)

Women’s Security Society Board Member

Using red flags in data mining and risk profiling
https://citysecuritymagazine.com/risk-management/red-flags-data-mining-risk-profiling/
Wed, 11 Jul 2018 09:16:52 +0000

Red flag means Danger!
Using red flags in the data mining and risk profiling process.

The media announced in April 2014 that “Crime rate in England and Wales falls 15% to its lowest level in 33 years”. However, what was also pointed out, and perhaps unsurprisingly, was that fraud was up by 25% from the last reported year. For those working within the counter fraud community this was an expected trend. Despite popular belief, fraud is not a victimless crime and in some cases the perpetrator may have been driven to such acts because they themselves were victims of the financial crisis. It has often been said that after a fraud there are two investigations; one to find the perpetrator, and the second to establish why the organisation was blind to the warning signs and red flags that littered the path of the fraud.

Risk profiling and data mining

Fraud risk profiling and the use of data mining and matching techniques provide a cost effective means of detecting such red flags, but they must be part of a holistic approach with leadership from the top. Senior board members must set an example and the organisation needs to recognise that turning a blind eye to “minor” infractions, such as:

  • overstating mileage in expense claims;
  • splitting the cost of a meal with colleagues and claiming the full amount; and
  • accepting a generous gift from a supplier and not declaring the true value

has a cumulative and corrosive effect on the organisation and will make it more susceptible to fraud. Before considering an effective data mining strategy it is important to understand who the key opponents are and the sources of data.

Employees quickly recognise and some exploit the weaknesses and blind spots in the organisation. Collusion occurs when the relationship between an employee and supplier becomes too close and pressure is put on the employee to meet targets. Consider the collusion between bankers to manipulate interest rates; could that have happened if the working relationships were not so close and the pressure to achieve not so great? Organised criminals will target and exploit the weakest links, be those employees or suppliers.

Several years ago, I was involved in an investigation where a serial bankrupt and disqualified director convinced a number of legitimate suppliers to an organisation to allow him to use them to front a number of business ventures. Since he was a disqualified director he needed “front companies” to operate from. He then lavishly entertained an employee and compromised him into assisting with a scheme to defraud his employer. There were numerous red flags along the way but none were picked up at the time.

Cost effective data mining tests

So what data mining tests can be quickly and cost effectively used? Many organisations have a “conflict of interest policy” which should record an employee’s outside associations. But how often is this just a vague requirement? And does the Internal Audit or Compliance function ever validate that information, for example by data matching against its internal suppliers and clients or externally matching against Companies House data to see whether any undeclared relationships exist? Such relationships may not be direct but make use of partners, with potentially different names, living at the same address. Membership of CIFAS would allow the organisation to further data match against known frauds and fraudsters.

Again, many organisations maintain a “hospitality and gifts” register but is this ever really analysed and compared against other internal information? A review of this information will often reveal employees who undervalue the gifts and hospitality because to declare the full amount would put them under the spotlight.

For example, declaring the value of a Christmas gift bottle of wine as £15.00 but then stating that it was a 1998 Grand Cru is a little naïve as a quick internet search will indicate the true price. In one recent case the value was in excess of £100 for such a bottle of wine; falsely undervaluing can only suggest that the employee was embarrassed with the gift and had something to hide. I’ve identified instances where individuals have been invited as guests to major sporting events, such as Rugby World Cup finals or the opening ceremony of the Olympics and because they were “complimentary” there was no associated value. The only reason a supplier would be offering such largess is to get preferential treatment in the future or as a thank you for past assistance. Excessive and lavish entertaining has all too often been the starting point of a corrupt practice and under current bribery legislation organisations will need to be much more proactive in this area. Ensuring that the information recorded is accurate and complete will ensure that any data mining has a better chance of success.

Using link analysis to graphically represent the individuals or organisations who are entertaining the most will identify whether a specific employee or department may be at risk of compromise.

Out of bound data mining

Matching employees’ details against those of suppliers is another useful data mining test, but all too often considered “out of bounds” under privacy and data protection legislation. This is not the case and demonstrates a lack of understanding of the legislation, which is all too often used by HR departments as an excuse not to provide employees’ details. Registration with the Information Commissioner that employees’ data will be used for “crime prevention and detection and the prosecution of offenders” can be submitted on-line in a matter of minutes and then such matching can take place.
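The employee-to-supplier match described above, and the earlier point about undeclared relationships that run through a partner with a different name at the same address, can be sketched as follows. This is an added example, not the author's own tooling: the records, field names and the 0.6 similarity threshold are constructed assumptions, and the address handling is limited to UK-style postcodes.

```python
import re

# Constructed sample data: every name, address and company below is invented.
EMPLOYEES = [
    {"id": "E001", "name": "Alan Reed", "address": "Flat 2, 12 Mill Ln, Leeds, LS1 4AB",
     "declared": set()},
    {"id": "E002", "name": "Priya Nair", "address": "8 Canal St, Leeds LS2 7QQ",
     "declared": {"Harbour Catering Ltd"}},   # on the conflict of interest register
    {"id": "E003", "name": "Tom Webb", "address": "40 Orchard Road, York YO1 9ZZ",
     "declared": set()},
]
SUPPLIER_OFFICERS = [
    {"supplier": "Northgate Print Ltd", "officer": "Dana Cole",
     "address": "12 Mill Lane, Flat 2, Leeds LS14AB"},
    {"supplier": "Harbour Catering Ltd", "officer": "Priya Nair",
     "address": "8 Canal Street, Leeds, LS2 7QQ"},
    {"supplier": "Webb Fixings Ltd", "officer": "Thomas Webb",
     "address": "40 Orchard Rd, York YO1 9ZZ"},
    {"supplier": "Apex Cleaning Ltd", "officer": "Lee Grant",
     "address": "41 Orchard Road, York YO1 9ZZ"},
]

ABBREVIATIONS = {"RD": "ROAD", "ST": "STREET", "AVE": "AVENUE", "LN": "LANE", "APT": "FLAT"}
POSTCODE_RE = re.compile(r"\b([A-Z]{1,2}\d[A-Z\d]?)\s*(\d[A-Z]{2})\b")


def normalise_address(raw):
    """Return (postcode without spaces, set of remaining upper-case tokens)."""
    text = re.sub(r"[^A-Z0-9 ]", " ", raw.upper())
    match = POSTCODE_RE.search(text)
    postcode = match.group(1) + match.group(2) if match else ""
    if match:
        text = text[:match.start()] + text[match.end():]
    return postcode, frozenset(ABBREVIATIONS.get(t, t) for t in text.split())


def same_address(a, b, threshold=0.6):
    """True when postcode and house/flat numbers agree and the words mostly overlap."""
    pc_a, tok_a = normalise_address(a)
    pc_b, tok_b = normalise_address(b)
    if not pc_a or pc_a != pc_b:
        return False
    nums_a = {t for t in tok_a if any(c.isdigit() for c in t)}
    nums_b = {t for t in tok_b if any(c.isdigit() for c in t)}
    if nums_a != nums_b:          # 40 vs 41 Orchard Road are neighbours, not a match
        return False
    words_a, words_b = tok_a - nums_a, tok_b - nums_b
    union = words_a | words_b
    return bool(union) and len(words_a & words_b) / len(union) >= threshold


def surname(name):
    return name.split()[-1].upper()


def find_undeclared_links(employees, officers):
    """List employee/supplier pairs sharing an address that are not on the register."""
    links = []
    for emp in employees:
        for off in officers:
            if not same_address(emp["address"], off["address"]):
                continue
            if off["supplier"] in emp["declared"]:
                continue          # relationship already declared, nothing to flag
            shared = surname(emp["name"]) == surname(off["officer"])
            links.append({
                "employee_id": emp["id"],
                "supplier": off["supplier"],
                "officer": off["officer"],
                "same_surname": shared,
                "grade": "possible direct interest" if shared else "possible connected person",
            })
    return links


if __name__ == "__main__":
    for link in find_undeclared_links(EMPLOYEES, SUPPLIER_OFFICERS):
        print(link)
```

Matching on address rather than name is what surfaces the different-surname case; each hit is a lead for review against the register, not a finding.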

Open source intelligence such as HM Treasury’s sanctions lists or those of the US Office of Foreign Assets Control (OFAC) can also be used effectively to establish whether Suppliers, Customers or Counter Parties are on international watch lists. Once one starts to research open source (free) data the only consideration is not to be overwhelmed with the results, which will contain many false positives, but to grade the data and refine the profiles to achieve meaningful and practical results.

Richard Kusnierz

IDM Fraud

idmfraud.com

Scanning technology helps prevent fraud
https://citysecuritymagazine.com/risk-management/scanning-technology-prevent-fraud/
Wed, 11 Jul 2018 08:46:03 +0000

Scanning technology helps prevent fraud…
… and increases compliance at the same time.

Knowing who you are dealing with or who you are employing should be the most obvious start to any counter fraud strategy and technology is certainly evolving to help address this fundamental check. In particular, the deployment of scanners and accompanying software to help detect fraudulent identification documentation is on the increase with its proven ability to detect false documents across a whole range of public and private sectors.

Different organisations want to detect fraudulent identification for different reasons and therefore there will always be a varying emphasis on counter fraud activity based on individual risk assessments. However, as well as detecting possible fraud, most organisations will need to comply with some form of regulation within their sector. In financial services there are the Know Your Customer (KYC) and Anti Money Laundering (AML) regulations. In the high value goods sector there are also AML considerations for selling any goods over €15,000. All employers in the UK need to comply with the Right to Work legislation. Whilst all these pieces of regulation were introduced to protect against different problems, they all have a common aspect – the need to verify the identity of the customer/passenger/potential employee. The potential fines and brand damage can be very high for non-compliance and it is therefore often the desire to stay compliant that drives organisations to carry out work that will also help fight fraud and increase security. Without the regulation, many organisations may not believe they have sufficient fraud risk to warrant any resource or effort to counter fraud. Even in financial services, how stringent would identity checks be if KYC and AML regulation did not exist as the cost of fraud is simply priced into products?

How does an organisation that wishes to or is required by regulation to verify identity go about doing so?

First of all, an organisation needs to define what verifying identity actually means. Close reading of the example legislation set out above will often provide statements such as, “You must satisfy yourself that the identity document is genuine”. In reality that means, at best, that a member of an HR team in any organisation recruiting staff in line with the Right to Work legislation will do a visual inspection of the presented document. Two different HR staff in the same organisation will have different levels of scrutiny – based on experience, training or attitude. Different organisations in the same sector will enforce the requirement differently and will certainly be conscious of any commercial impact of such regulation in defining what constitutes an acceptable check internally. In essence, all organisations are left to decide themselves what is acceptable checking of fraudulent identity documentation, making the reality a very inconsistent approach to such a vital element of remaining compliant and combating fraud.

As with all regulation there is the very practical issue of supervision. As has been highlighted during the crisis in the financial services sector, regulation existed but some organisations either chose to ignore it or did not understand exactly what the regulator required of them. This is the problem with most regulation – it is rarely precise in its requirement of the organisations it covers and supervision can be limited due to scarce government resources, thereby creating an inconsistent environment and potentially unfair commercial situations. The recent Immigration Bill has pushed increased emphasis on identity authentication to anybody operating in providing financial services, housing, benefits, healthcare or employment, in an effort to restrict illegal immigrants’ access to such services. Whether the government will follow up such increased demands on the public and private organisations within these areas with increased supervision remains to be seen – but organisations should plan on the basis that they will, and they have demonstrated intent by planning to increase the fine for employing an illegal immigrant from £10,000 to £20,000.

Benefits of scanning technology

So, given we know identity verification is important to a counter fraud strategy and we now accept that it is a key but ill-defined part of much regulation – is there a way technology can assist? Scanning technology for the checking of identity (and other) documents has been around for some time; however, what is new is the growing acceptance that such technology is now priced at a level to be accessible to many more organisations and provides a number of key benefits:

  • Provides a higher detection capability than any human visual check carried out – for example, it is impossible to check MRZ algorithms or UV features by visual inspection alone
  • Provides consistency of checking with minimal specialist document training. Simply by scanning a document, users will be provided with an electronic record of that check – ideal for any compliance checks that may be carried out in the future
  • Reduces the management time and training cost of trying to stay at a level of competence to carry out visual checks – there are thousands of identity documents and it would be unreasonable to expect most staff involved with checking to know and keep abreast of all the various physical document features
  • Provides an additional insight to the level of potential fraud faced by an organisation by measuring the detection rate of fake documents presented at the point of entry by either customers or employees
  • In addition to the checking of the identity document many systems will also interface with online data providers to carry out simultaneous checking – for example, the need to prove address.

Systems sold on the market these days can be deployed as stand-alone solutions linked to desktop computers, as mobile solutions on laptops or as an enterprise/Cloud solution across multiple sites. All imagery and results are stored for client use and some providers will share detected fraudulent documents with other elements of the counter fraud community.

Further support for the use of such technology was provided in the 2013 Home Office Document “Guidance on the use of document scanners” that states, “The exploitation of identity by criminals has a major role in underpinning a wide variety of organised criminal activity… as a first line of defence, they [scanners] are a useful tool for identifying fraudulent documents, are relatively easy to use and have proved to be a useful deterrent to criminals.”

In summary, many organisations should be and are checking identity documents as part of their counter fraud or compliance regime. The fact that it is the regulatory pressure that forces such action is a benefit to the overall battle against fraud – that is an important part of some regulation. However, the inconsistency of execution is massive due to the largely human element of the checking that still takes place. Technology does now exist at a cost level far below the cost of the fraud it is designed to combat or the imposed fine for failing to carry out reasonable checks and is simple to deploy and very easy for staff not trained as document experts to use.

Tony Machin

CEO, TrustID

Employee Vetting is critical to your company’s wellbeing
https://citysecuritymagazine.com/risk-management/the-enemy-within/
Mon, 18 Jun 2018 08:20:15 +0000

The Enemy Within

In the dynamic and popular end of the security world, in the land of fast cars, operators dressed in black sliding up and down buildings and constant, dynamic, heart stopping action, the “enemy” is pretty easy to spot and, hopefully, quickly and deftly dealt with in a positive, profitable and cost effective manner.

However, as you move steadily through our world, you leave the tumultuous waters of Close Protection, Surveillance, and “Q Department” technology to eventually drift into the more gentle and slow moving back waters, where the chiselled jawed, suave security operator is seldom, indeed if ever, seen.

For here, Dear Reader, is the land of the Personnel Professional, where we find, standing at the gates of the corporate citadel, the mighty Human Resources Manager.

Like the doughty, fearless, thick limbed heroes of the Norse Sagas, the Human Resources Manager stands, double headed axe in hand, shield strung across a broad back, as the gate keeper of the company citadel.

This is the ultimate bulwark against which all footpads, miscreants and ne’er do wells will cast themselves in a fruitless effort to pass said Manager and gain entry into the corporate citadel! Errrrrr, well no, actually!

This is the unsecured Portal through which the enemy will be welcomed and given entry, unchecked, unseen and unsuspected.

Unseen Enemy

If you look back at history, every kingdom and mighty realm was brought to its knees by an unseen enemy: the traitor within with free, unfettered access, trusted and beloved by the majority, suspected by only the few, all of whom suffered ultimately from the backlash of the majority.

Your company is no different from these kingdoms of old. You cannot conceive that someone within your organisation could be engaged in activities which will damage or destroy your company, can you?

Well wake up and smell the smouldering cordite and tumbling masonry. It can, it will and it probably is as you are reading this.  Like cancer, you will only know of the problem when it’s too late and untreatable. To focus your minds on the truth that lies before you, here is a tale about an international accountancy firm, who recruited an employee from Iran who quickly achieved a prime position within the Corporate Finance Dept.

The recruit spent 12 years providing Human Resources with total waffle relating to his background and previous employment, all disguised in the mists of “I can’t really tell you, as my family were loyal to the Shah and if any of my real details fall into the current regime’s hands then my family and I would be potentially repatriated and executed”.

Most of the cynical security professionals reading this are now moaning loudly and churning out expletives, but the HR department actually believed him. The employee was allowed to continue without providing the same level and quantity of personal details as colleagues. Finally, after 12 years of poor performance, incompetence and underperforming, HR summoned up the courage and placed him on Garden Leave, preparatory to dismissal from the firm.

I hear your mighty cheer, Dear Reader, but wait; your excitement is ill founded and premature.

Damage

HR, feeling exultant in a job well done, retired for the weekend without briefing security of the employee’s downgraded status or having his access prevented. As you correctly guess, the employee returned to the office on Saturday evening, told the uniformed security officers that he was being re-appointed to new offices and security duly helped him remove all his files from the office to his waiting car.

To cut a long story short, the experienced security manager became involved on Monday and, after no more than four hours of belated but reactive Due Diligence, the employee was identified as no less than an Iranian Intelligence officer!

He was truly the Enemy Within. The damage he caused the firm concerned was substantial, both reputationally and commercially.

HR is charged with ensuring the rights of the individual and this is the way it should be. However, they frequently take this role to the extreme and often to the detriment of the company that employs them. The more worrying part is that company directors are content to let this happen and, because they abrogate their responsibility instead of exercising pro-active Due Diligence, the enemy slips through unguarded doors, unseen and unsuspected, to cause havoc and destruction.

“So what is Due Diligence and how do we use it?” I hear you cry.

In-House Due Diligence or Employee Vetting

Due Diligence is simply a process whereby you find out as much as you can about those whom you employ and those with whom you are engaged or will be engaged in business.

Essentially, “Know Thine Enemy” and “Know More About Them Than They Do About You”.  It’s all about maintaining a commercial and operational advantage and that’s good profitable business!

For those of you who employ staff, the first part of an effective Due Diligence programme is to screen every new employee. This process should never stop. All new workers of whatever grade should be screened on arrival, re-screened every five years and every time somebody is promoted, they should be screened again. Each time, the process should be more detailed relative to the knowledge and authority the employee gains or is given.

Now, on reading this your HR department will be enrolling at night school to study advanced witchcraft in order to make wax effigies of the writer, into which pins will be plunged in all sorts of places. They will protest that mass and on-going screening is intrusive, will cause extra work, blow stretched budgets to smithereens and “it’s just not fair or nice to the employees”.

In response to this, consider a little matter upon which the writer was involved back in the late eighties. An American multi-national electronics company, at the forefront of developing computer and PCB technology, invested millions of dollars in developing new products, only to find that within weeks of delivering said new products to the market place an almost identical but cheaper product came whistling out of East Germany.  Naturally enough, the company began to realise there was a problem within.

A highly sophisticated investigation and “Sting” was put in place which identified the Finance Director was responsible for stealing the prototype products and selling them to the East Germans. Following evidence obtained by a UK security company, he ended up having an appointment with the FBI and then moving off to jail for many years.

This man had been in the company for 20 years, having joined at a junior grade and worked his way to the Board. He was well liked, trusted and respected. But, what nobody knew was that he was both a traitor to his company and his country. The full extent of the damage he caused to the company, commercially, operationally and reputationally was never fully quantified.

The new employee with the smile

The person who joins your company as a good intentioned, smiley faced, well-qualified employee may be a fine, honest, upstanding individual. However, never lose sight of the fact that they may not. Just remember the old adage, “in God we trust, everybody else gets vetted and searched!”

Fraud

Every fraud the writer has investigated has involved a member or members of staff, some or all of whom have been serial fraudsters. They committed fraud in one company, where they were allowed to leave, joined another company and, bingo, continued committing fraud.

Nobody is allowed to say anything negative about an employee on a reference form. The whole process is a costly, paper-shovelling job, which creates piles of pointless paper. You need to have a system that asks questions, looks for problems and then asks further questions. Get this process ensconced in your policy and procedures manual and have somebody aggressively manage it! This responsibility should not sit with HR.

The responsibility is with your Security Manager and the security department. 

HR can complete the function, but the procedures must be in place to “flag up” anything out of the ordinary or inconsistent and move the application or re-vetting straight to Security.

The honest and genuine applicants sail through these processes. Such procedures do not prejudice the honest applicant, but they will target and identify those whom you absolutely do not want working in your business.

The other critical point to remember is the person who joined your company ten years ago is not the same person now as they were then. The only consistent fact about them is their date of birth. In this day and age, they may have changed their name, their marital status, their sex, their sexual orientation, their outlook on life, their religion or all of the above!

These changes may have made them better people, who in turn have spread joy and happiness where’er they go. However, in this stressful, modern life, more than likely, they now have more pressures and financial problems, have developed or increased drink problems, fallen in love with the old Colombian marching powder, got a gambling addiction, met bad people who have dragged them to the Dark Side of The Force, and Lord knows what else.

Any one of these factors may be the trigger to turn a person from “Employee of the Year” to a one-person crime wave or socially defective problem deep within your business, that may be almost impossible to remove given current employment law.

Regular screening is critical

This is why you must regularly and consistently screen staff.  You may find people who have problems, and well-designed, in-house support programmes may help them through these problems. In this case you have done the right thing and may recover an employee who becomes the company’s biggest fan and a solid employee who will stay with you all their working life.  But you will never know unless you screen and screen regularly. Screening or Vetting is an integral part of a company’s security, risk management or loss prevention programme.

Regular screening is one of the cornerstones of your security programme.

Each level of screening should follow different formats, depending on who’s being screened and why.

Due Diligence for Associates, Competitors and Acquisitions

When dealing with new clients, old clients, acquisitions, takeovers or whatever, complete your Due Diligence. Frequently in these situations, Company Directors or Boards abdicate this responsibility to the lawyers, bankers and accountants who are paid vast fortunes to ensure everybody remains safe.

Due Diligence and Compliance are the much vaunted and trumpeted watchwords of modern business. They have spawned another load of restrictive, controlling, paper-generating groups and departments, none of whom have so much as thrown a Tupperware party in anger, let alone taken risk and undertaken inspired, courageous business. Don’t rely on their say so that Due Diligence has been done. Check and check and check again and if there is anything that makes you think twice, then act on the intuition immediately.

An example! 

Some years ago, two highly successful brothers were in the process of acquiring another profitable group of companies to add to their portfolio. This Group had particularly caught their eye, as a part thereof had invested a king’s ransom into research in Russia to develop and manufacture biofuel, which in the late nineties they believed was worth investing in.

All looked well, but the brothers’ hard-earned instincts told them something was not right. The banks, lawyers and accountants had completed their Due Diligence and signed the deal off. The brothers trusted their instincts and employed a UK security company to go to the location of the research and development centre in Russia to actually see what was there. The location took several days to find, but was eventually discovered at a grid reference miles from what passed for civilisation in this snowy waste of the former USSR.

Great skills!  Boots on the ground and a Mark 1 eyeball deployed!

A uniquely qualified security professional was dispatched into the wilds of Russia where Europeans never went and here, miles from any form of civilisation, he found a big shiny warehouse, complete with a furnace, coal and a large supply of cabbages for the creature within. This poor unfortunate, disowned by both local inhabitants and the gene pool from which he originated, was living the Life of Reilly. Constant fuel and food delivered monthly, so that this captain of local industry could make soup, stay toasty warm and keep the furnace blazing, which kept him alive and the warehouse from disappearing in the snow.

Photographs were duly taken and returned to London, where they were presented to the Board of the Group who had siphoned off millions having created a complete fiction of biofuel development, believing nobody from the lawyers, banks or accountants completing Due Diligence would ever go there, even if they could locate it. Loads of Money!!!!!!

Errrrr, well no, actually. Cometh the security professional and the whole bogus deal went west. Fraudsters waltzed off to Wood Street, brothers saved from terminal loss and profitable business inherited for almost nothing. That’s the power of Due Diligence!

Due Diligence is not about fiddling with paperwork and believing Wikipedia. 

If you are about to take a big gamble, decision or a risk, get the security professionals who work in this peculiar world of ours to take the risk with you, take that leap of faith for you and dare greatly to return and tell you the actual story rather than that which everyone is satisfied to believe.

We have removed the names to protect the stupid and gullible, who rather worryingly are still out there!

Christopher Cully

Managing Director, Dilitas Ltd.

For further information or advice:

Email: info@dilitas.com  www.dilitas.co.uk
