Background checks tell you what happened, not what will happen – apparently
Background checks tell you what happened, not what will happen – apparently

A former senior US defence official Keith Lowry has slammed background checks in an interview with SCMagazineUK.com.

In a former life, Lowry was deputy under secretary of defence for human intelligence, counterintelligence and security. He was a coordinator at  the Office of the National Counterintelligence Executive after the Chelsea Manning and Edward Snowden leaks.

He made those comments to tech news outlet, The Register, on a recent trip to Australia, only to expand on them to SCMagazineUK.com. These days Lowry is the senior vice president for business threat intelligence and analysis at NUIX USG.

While admitting that the practice is a valuable one, Lowry told SC that “the major issue I have with background checks is that they are a look into the current and past life but in no way are they useful in predicting future behaviours.”

Lowry is certain that Snowden, Manning and most recently, Howard Thomas Martin III all passed expensive background checks conducted at years-long intervals.

“We live in a fast-paced digital world. People's lives, views, health and various other aspects of lives change rapidly. Access to information and the ability to share it far outpace the current background check process. If a person becomes dissatisfied, recruited by another to provide information, sees an opportunity to gain wealth or influence, or any other reason, a background check performed last year will not hinder that person's current choices.”

A more “digitally holistic” approach is required, one that protects critical data and identifies potential bad actors, if we want to transcend these necessary but insufficient measures.

It's a novel if entirely reasonable point to make. On paper, Snowden may have seemed like a red-blooded patriot, not one to betray one of his homeland's critical offices of security. It didn't, however, stop him from considering his patriotism in an entirely new light.

Snowden and Manning may be extreme examples. The malicious insiders, while relatively uncommon compared to employees who inadvertently become insider threats, are still to be feared. Just ask Morrisons which in March 2014 was exposed by an angry ex-employee and is now being sued by thousands of current employees.

A survey published last month by Imperva suggested that one in 50 employees could turn out to be a malicious insider. This means that even in an SME, stocked with no more than 250 employees, five people are well placed to do a lot of damage. Whatever their background, as Lowry said, how are we to know about their future?

Vince Warrington, cybersecurity lead at the Financial Conduct Authority, told SC, “The attitude is one of 'Once you're in, you're in' and there is very little done to ensure that someone who was once so keen to work for you has not now become your enemy.”

However, Warrington adds, UK intelligence services have learned the lessons so harshly taught by cases like Snowden or Manning: “They are a lot more open about their work and motivations with the public, and more so I believe with their staff. They have put mechanisms in place where those who have doubts about the work can bring them to attention in ways that are not detrimental to their careers, and they have expended a lot of effort to make people feel part of a wider team, such as allowing traditional 'backroom' staff to be seconded to the more frontline positions.”

Other organisations can learn from this, concluded Warrington: “If you want to make sure your people don't become your own personal Edward Snowden, then you have to be open with them on how you're running the business, what their future will look like and make them feel engaged with the direction you want to take.”

Tim Grieveson, chief cybersecurity strategist at HPE, told SC that background checks should be complemented with behaviour analytics allowing you to know what is normal behaviour and, importantly, what isn't. Furthermore, implementing roles-based access control so that only the right people can access the right data is an important step.

On a broader level, seeing that adversaries are not just criminals but competitors who are “maximising profit, minimising risk and delivering value to its customers allows organisations to understand how they operate, evaluate their strengths and weaknesses and prepare to defend against them”.

At Logically Secure, noted its MD, Steve Armstrong, ‘Trust' is defined as “the absence of a security control”. Background checks, he said, “are all we have in many cases”.  

“What makes this worse is that many organisations rely too much on background checks and therefore don't put in place monitoring and other controls to protect data from theft or modification because they ‘trust their users',” Armstrong said.