Cyber Security Background Checks

Background checks for cyber security professionals screen several databases to verify the information provided by the candidate is true and accurate. They may also include checks of the candidate’s criminal and credit history. 

These background checks allow employees to assess whether the information provided by a potential employee is accurate and gauge whether they’d be fit for the role or not. 

It’s essential to vet new hires for a number of reasons, and here are several examples of why you should conduct thorough background checks on cyber security candidates. 

Safeguarding your company’s IT 

Cyber security involves safeguarding and having access to a lot of sensitive information. This may include client information, employee records, and even private company information and communication systems. Employers put a lot of trust in cyber security professionals, so they need to screen these candidates thoroughly to ensure they’re trustworthy of such a significant responsibility.

Find the best possible candidate 

Many background checks include verification of education, credentials, and certifications. This is a great way to ensure you’re only moving forward with well-qualified candidates whose certifications are legitimate and up to date. 

Avoid bad hires 

The hiring process is time and resource-intensive. It can be expensive for employers, and they want to avoid repeating it often. Conducting thorough background screenings during the onboarding process can help ensure you hire the right people for the job. 

Protect your company’s reputation

Everyone has seen data hacks and privacy breaches in the news – and the damage they can do to that company’s reputation. Background checks can help prevent this from happening to your company by catching potential issues before they arise.

Cybersecurity professionals are responsible for protecting a company’s intellectual property and its customers’ sensitive information. Employers must ensure their personnel are qualified and trustworthy.

While cybersecurity is meant to prevent external attacks, the people inside the organization can pose just as much of a threat, if not more so. Employees have direct access to a plethora of confidential information and can cause as much damage as an external hacker, whether through a careless mistake or a coordinated attack.

The rise of remote and hybrid work models has also stressed the need for cybersecurity screenings. Work-from-home setups can invite security risks with the use of personal devices, unsecured networks, and vulnerable file sharing. Oftentimes, security incidents result from human error, rather than malicious intent, and data breaches can cost a company millions of dollars in regulatory fines, legal fees, and reputational damage.

Background checks cannot completely prevent insider threats, but they can heavily minimize the likelihood. They allow employers to assess a candidate’s past behavior and reveal potential risks before granting them access to valuable assets. Onboarding the right personnel better protects this sensitive information and creates a greater culture of security.

Cyber security background checks need to be in-depth – a person in that position could cause a lot of damage if they chose to. That’s why many companies prefer to use a third-party background check provider, like ScoutLogic. A cyber security background check done by ScoutLogic might include the following:

• Criminal Record – Criminal record searches include information like prior or current offenses/charges, arrest dates, crime severity (misdemeanor vs. felony), criminal case number, deposition number, and sentencing record (if applicable).
• Credential Verification – Verifying credentials is vital in any industry; they can be expired, incorrect, or even falsified. A credential check may include a candidate’s types of certifications, the certification number and validity, the issuance and expiration date, the issuing organization, and any sanctions or public discipline.
• Employment History – This step verifies the employment record on an applicant’s resume, including details such as the company address and name, the title or position(s) held, and employment dates.
• Education Verification – Many cyber security positions require at least a bachelor’s degree in a relevant field. Education checks verify the degree(s) on an applicant’s resume and may include details about the educational institution, including attendance dates and institutional accreditation.
• Credit Check – Many cyber security positions include access to sensitive information – information that a person in financial strain may be tempted to misuse or even sell. While some states have limitations on employment credit checks, a typical check includes information like available credit, collection accounts, payment history, bankruptcy history, and financial distress indicators.
• Sex Offender Registry – In addition to a criminal records check, many companies also screen candidates against national sex offender registries due to the potential to access client information. This search assesses various sex offender registries across states. If an applicant is found on a registry, the report may include details like their current address, identifying marks or tattoos, the offense, and conviction details.

State and federal laws are meant to keep background checks as fair as possible – and companies can get into trouble if they violate these policies. Here are several steps to conduct FCRA-compliant background checks.

• Create a Policy – Create a comprehensive, company-wide policy for background check procedures. Consider a legal review to ensure the policy complies with local and federal laws. Train employees to ensure policy understanding and compliance, as well as to avoid bias. 
• Give Notice and Obtain Consent – The FCRA requires employers to notify prospective employees before conducting a background check and obtain their written consent. An applicant’s refusal can be grounds to deny employment.
• Retain a Third-Party Background Check Servicer – Background checks can be time and resource-intensive. Many companies prefer hiring a third-party company specializing in thorough, legal, and accurate reports that maintain compliance with FCRA standards.
• Maintain Transparent Communication – Communicate clearly and often with the candidate during the hiring and onboarding process – especially the background check. Ensure they understand the process and why it’s necessary.
• Avoid Blanket Rejections – Sometimes, background checks raise red flags. Assess failures and/or convictions on a case-by-case basis based on the nature of the issue, when it happened, and relevance to the job.
• Follow FCRA Adverse Action Guidelines – The FCRA requires employers to provide a pre-adverse action notice in the event of background check failures. This gives the candidate time to correct errors on the report or provide evidence of rehabilitation.

• Disqualifying Criminal History – Certain criminal convictions, including hacking and theft, are automatically disqualifying. Dishonesty about criminal history can also disqualify a candidate, even if the offense itself was not disqualifying. 
• Falsified Education and Credentials – Misleading or falsifying education or credentials can be a reason for disqualification. Not only has the candidate shown they’re untrustworthy, but they might also not even be qualified for the job.
• Misleading Work Experience – Exaggerating work history, experience, employment dates, and job titles can disqualify candidates after a background check. 
• Failure to Meet Required Certifications – As with most jobs, candidates who don’t meet the required criteria may be passed over in favor of more qualified applicants. 

Common disqualifiers

Dishonesty: Cybersecurity requires a skillset specific to the job. A candidate claiming to have experience with certain security threats can be verified through past employers. If a candidate has lied about their work experience or exaggerated their role, they can be disqualified from employment.

Similarly, lying about education or certifications can also disqualify a candidate. Many employers require a minimum of a bachelor’s degree and certifications specific to the role. Claiming to have unearned degrees or certifications can be revealed in education verification.

Lacking Certifications: Cybersecurity jobs require specific certifications related to the role in question. If an applicant does not possess these certifications or cannot obtain them within a set timeframe, they can be turned down by the employer.

Certain Convictions: Cybersecurity professionals often have access to sensitive information. Because of the high level of trust involved, applicants must demonstrate proper handling of this information. Certain convictions, including fraud, hacking, and identity theft, can bar candidates from some jobs.

Individuals with a felony can be automatically denied employment if the position requires a security clearance.

Cybersecurity screening doesn’t end after onboarding. Post-hire monitoring can recognize new criminal activity and other emerging threats after a candidate has been recruited. In addition, periodic re-screening can maintain the security of a workplace by flagging significant changes to an employee’s background.

While these security measures are not required for all employees, they should be heavily considered for those in highly sensitive roles to minimize insider risk.