The Enemy Within

Feb 1, 2004 12:00 PM, By Jim Crumbley

When it comes to contracted service personnel, what do employers truly know about them? Can this lack of knowledge be harmful?

Security professionals know the benefit of a risk management program that includes screening of employees for criminal records and, depending on the job classification, checking credit, education and military service backgrounds. But while few security practitioners would advocate hiring someone without a background check, many have not given sufficient thought as to who is allowed to service security equipment and who is playing a contracted support role in other sensitive departments.

Proper vetting of contractors and vendors is a time-consuming task. Is it worth the effort? Certainly, there is a lot at stake.

Here are some examples:

• A computer company recently fell victim to the theft of hard drives from 15 PCs and three servers. Ten janitors from the contracted cleaning service suddenly disappeared. Data — apparently from the hard drives — subsequently appeared on a competitor's winning proposal for a defense contract;

• A contract guard conspired with two outsiders to steal $200,000 worth of gold from a manufacturing plant;

• A woman in an apartment complex was attacked by a contracted maintenance person;

• A man was murdered in his apartment by a contracted painter;

• A seven-year old boy was molested by a janitor at an apartment complex; and

• A contracted chauffeur provided details of an executive's movements to kidnappers.

What do these incidents have in common?

• All the perpetrators were in a position of trust;

• All had been given master keys or access cards to provide unescorted, unlimited access to the facilities where they worked;

• None of the perpetrators had been subject to an adequate background check conducted by their employer;

• The maintenance man, the painter and the janitor all had prior criminal convictions for crimes of violence; and

• All incidents resulted in lawsuits. Awards ranged from $200,000 to $1.75 million, with an average award of $750,000.

Furthermore, maintenance and janitorial services are not the only contractors that can place property, personnel and information at risk. Think about it: Who has unhindered and unescorted access to your facility?

Contracted personnel can include: service technicians from the phone company; food service; locksmiths, plumbers, electricians or other tradesmen; computer programmers; delivery persons; temporary staffing employees; security systems installation and service technicians; and waste disposal companies.

These individuals have the opportunity to act criminally and damage the corporation by a variety of means. To name a few: product sabotage or contamination; theft of proprietary or trade secret information; theft of blank check stock; excessive long distance phone calls; loss of profit due to contractor fraud; reputation damage; loss of credibility; higher insurance premiums; and shareholder lawsuits due to decreased earnings.

A security professional might have a top-of-the-line access control system, but by allowing unscreened personnel onto the property, an officer can facilitate the theft of sensitive information and valuable equipment. The “enemy within” has even more potential for criminal and violent activity than those on the outside trying to get in.

So how can the officer ensure the access control system isn't compromised?

Undertaking several basic steps can mitigate the risk of an unseen enemy, including:

• Focus team

  Develop a team made up of plant operations, IT, security, purchasing, human resources, and anyone else who routinely uses outside contractors. The goal of the team is to identify — as much as possible — any outside person who needs access to the campus.

• Procedural control

  Determine authorized access points and administrative control for any outside contract person accessing the campus. Some deliveries and services, such as to the loading dock, are easily controlled. Others will require signing in, verification of access need and issuance of a visitor's pass.

• Escorts

  There are certain sensitive areas — such as executive suites, accounting, and the IT offices — that need an escort. Control can be ensured through security or by training staff to carefully supervise the outside person while in their area.

• Effective due diligence

  All contractors should be carefully screened prior to allowing site access. The responsible department should check, at a minimum, for proper licensing, insurance, reputation, references and training of staff. A listing in the Yellow Pages is not an adequate due diligence check.

• Criminal records checks

  The due diligence process should include ensuring that the contractor checks their employees for criminal records and promotes a drug-free workplace. When validating their screening program, customers should ask for a copy of their policy outlining their process and drug-free program.

• Screening consistency

  Contractors, especially those used on a routine basis, should screen their employees to the same level as the corporation that they serve. The best way to ensure that screening is properly conducted is to ask the contractor to use your screening company with the same program and standards used by human resources.

• Management and oversight

  Security and human resources are the two most logical choices to oversee the screening requirements of contracted personnel. This should be a team approach with human resources supplying expertise on screening programs and security providing auditing and enforcement.

FOR THE RECORD

About the author

Jim Crumbley, CPP, PPS, is a senior risk consultant with Amsec Enterprises, a Washington D.C.-area risk mitigation firm.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue