Mike Sopp looks at the importance of pre-employment screening of laboratory employees and emphasises the need for ongoing vigilance.
Laboratories, by the nature of the activities they undertake, can face various security threats and be the target for unwanted attention from various groups.
To prevent security threats from materialising, laboratories may have to become “target hardened”. A key aspect of this is to identify, assess and control the threats to the organisation from the so-called “insider”.
Pre-employment screening is the foundation for good personnel security but unless the laboratory maintains vigilance, the insider threat can still materialise even where pre-employment screening has been completed.
The need for screening
According to the Centre for the Protection of National Infrastructure (CPNI), the placement or recruitment of an insider who exploits, or has the intention to exploit, their legitimate access to an organisation for unauthorised purposes has been used by terrorist and criminal networks, as well as activists, journalists and competitors.
The threat does not just come from those who wish to deliberately gain employment to undertake malicious acts. Individuals who would normally be trusted to act with integrity may have changes in circumstances and attitudes, either gradually or in response to certain events, that then motivates them to commit malicious acts.
The threats relating to insider personnel may not just exist with direct employees. Laboratories, as with other organisations, are likely to have significant supply chains with contractors having a presence on-site either permanently or on a temporary basis.
As with many threats, the starting point for determining screening requirements will be the assessment of the risks. The CPNI suggests that a “Personnel Security Risk Assessment” will help to identify the different types of risks that different roles present, consider how these risks might affect the level of screening, and decide on the levels of screening that are appropriate for different posts.
The assessment “focuses on employees, their access to their organisation’s assets, the risks they could pose and the adequacy of existing countermeasures” and is completed at three levels.
Organisation level which identifies the range of insider threats that an organisation faces and prioritises these in terms of their likelihood and impact.
Group level which requires assessment of which groups of employees have the most access to key assets and the greatest opportunity to carry out the threats identified at the organisation level.
Role-based (individual) which is an optional level carried out if there are high-risk roles which require their own detailed personnel security risk assessment.
This will enable informed decisions to be made as to what level of screening is required for certain roles so that resources can be applied in a more effective way.
If using pre-employment screening, it is essential for the laboratory to have developed pre-employment screening policies that ensure processes are consistent, fair and efficient and maintain an organisation’s reputation.
In developing the policy, appropriate legislative requirements such as those contained in the Data Protection Act, Human Rights Act and Rehabilitation of Offenders Act must be taken into consideration. The policy should also include subcontractors and where responsibility for security screening will rest.
The CPNI guidance states that “one of the most important aspects of a pre-employment screening strategy is deciding what pre-employment checks to perform for each post”. This will be influenced by the outcomes of the personnel risk assessment, size of organisation, cost, time and resource requirements.
Typically, there are three levels of screening that can be undertaken as follows.
Minimum level that verifies identity, residency, right to work and criminal record declarations.
Medium level that includes the above plus basic criminal record disclosure, qualification, employment and media checks.
High level that includes the above but with enhanced checks and financial enquiries.
Of interest is the use of media checks in modern screening. The CPNI guidance notes that employers are increasingly reviewing the online presence of candidates as part of their recruitment processes but that there are “no generally accepted guidelines and procedures for fair, complete and efficient online searches”.
Good practice in security screening can be found in BS7858: Security Screening of Individuals Employed in a Security Environment-Code of Practice. This provides a framework that many organisations, particularly in the private sector use to develop pre-employment screening practices.
The British Standard sets a minimum screening period of five years and suggests that the checks should be completed “not later than 12 weeks after conditional employment has commenced”.
However, the CPNI recommends that pre-employment screening is completed before employment has commenced or, depending on outstanding checks, as soon as possible after.
Where a laboratory utilises various screening levels, consideration will need to be given to additional screening where an individual is, for example, transferred or promoted. In such cases, the laboratory should be ensuring the necessary additional checks are made even if the individual involved is of good character and integrity.
In a study completed by the CPNI, it was found that three-quarters of insider acts “were carried out by employees who had no malicious intent when joining the organisation, but whose loyalties changed after recruitment”.
It was also found that the employee undertaking the insider act had been in their organisation for some years prior to undertaking the activity and opportunistically exploiting their access.
There can be many factors that could make an individual a threat to the laboratory. Circumstances surrounding employees’ work or personal life may increase their vulnerability to coercion, exploitation or duress, impair their judgment or precipitate their involvement in an insider act.
Laboratory employers will need to, through the risk assessment process, determine if ongoing screening is required and to what level. In essence, identifying employees who may give cause for concern involves a basic level of screening for all employees, which can act as an initial filter.
The CPNI suggests a number of tools or techniques including:
automated monitoring of employee activities to identify anomalous behaviour such as access control monitoring
using the appraisal process or one-to-one meetings for managers to identify signs and behaviours of concern
application of more detailed assessment or tools by trained practitioners when concerns are raised by a line manager or colleague
raising awareness throughout the organisation on personnel security and the insider threat
providing mechanisms for employees to express their concerns confidentially.
In essence, the tools are either about recognising any behaviour change in an individual or using hard data to identify unusual patterns of behaviour.
Certainly, in respect of the former managers and colleagues are most likely to become aware of or detect behaviours of concern. The most important aspect is that the laboratory has in place the appropriate procedures to support managers and colleagues but also the individual with concerning behaviour. This may include provision of training, welfare arrangements and if necessary further investigation procedures.
The CPNI recommends that organisations run awareness programmes to ensure that line managers and employees do not overlook problematic or negative behaviour, and are comfortable in observing and reporting behaviours of concern.
However, it also notes that when concerns are raised, “it is important not to overreact but to take swift and proportionate action in order to avoid any escalation”.
The CPNI guidance, Ongoing Personnel Security — A Good Practice Guide, contains useful information on the process and procedures that can be adopted by organisations such as the setting up of an employee hotline.
Centre for the Protection of National Infrastructure: www.cpni.gov.uk.
Personnel Security Risk Assessment: A Guide
Pre-Employment Screening: A Good Practice Guide
Good Practice Guide on Pre-Employment Screening — Document Verification
Personnel Security and Contractors: A Good Practice Guide for Employers
How to Obtain an Overseas Criminal Record Check
Holistic Management of Employee Risk (HoMER)
Ongoing Personnel Security: A Good Practice Guide
British Standards Institution: www.bsigroup.com.
BS7858: Security Screening of Individuals Employed in a Security Environment — Code of Practice