Samuel Johnson, the famous 18th century author, once commented, “We are inclined to believe those we do not know, because they have never deceived us.” That trust can be misplaced. Security directors need to ensure that processes are in place to verify the identities of their companies' employees and to control access to their companies' assets and data. Unfortunately, just buying the latest access control technology does not solve this problem. It is a process problem. Let's look at the issues behind identifying and authenticating employees.
The FIPS 201 Program
The federal government has a clear vision on this issue. They have issued a Federal Information Processing Standard (FIPS 201) that covers personal identity verification. The program has two overarching goals: to issue credentials based on “sound criteria for verifying an individual employee's identity”; and to use smart cards that are “strongly resistant to identity fraud, tampering, (and) counterfeiting.” In other words, it answers the questions Who are these people? and What credentials will we give them to prove it?
To solve the first half of the problem, the government now consistently performs an NACI investigation (National Agency Check and Inquiries) for all employees, in addition to requiring presentation of documents such as a drivers license or passport. The NACI investigation consists of a check of the FBI fingerprint and name databases, a check of several other government databases, and a five-year survey of past and present employers, schools, references and local law authorities. Candidates for higher-risk positions also undergo a credit check, and even more checks are involved for positions with security clearance.
The government is working on second half of the problem by issuing to all government employees and contractors new, uniform smart card badges that allow multi-factor authentication and are highly resistant to tampering and cloning. The surfaces are printed with a standardized layout, and the printed data can be verified electronically.
The FIPS 201 program ensures that government workers are who they say they are, that they have a background suitable for their position, and that they can be readily and reliably identified before being given access to government facilities or systems.
Many companies in the commercial sector have a comparably integrated view of employee identification, but few go as far in verifying identity or providing a highly secure ID badge. Will FIPS 201 trickle down to the commercial sector? Should it? Let's take a deeper look.
Who Are Your Employees?
A 2005 survey by the Society for Human Resource Management (SHRM) found that only 68% of respondents always checked new hires for a criminal background. Fewer yet did enough research to verify that candidates were who they said they were.
But does this represent a significant risk? A quick look at the ADP 2006 Screening Index (created by ADP, a vendor of screening and selection services) suggests the risk is real. Among the criminal records checks ADP performed in 2005, five percent revealed an unreported criminal record. Forty-nine percent of employment, education and credential checks uncovered a resume discrepancy, and 46% of credit checks discovered a judgment, lien, bankruptcy or collection activity.
Worse, of the background checks that companies commission, how many are done correctly? Federal, state, and local governments do not make it easy on the background investigator. There is no single database that lists all criminal convictions. Commercial firms, with rare exception, are not allowed to use the FBI database, and some question the completeness of that database in any case. That leaves the investigator to check each local county in which the applicant has ever lived.
Because many entities have removed sensitive identifying information—such as social security numbers and birthdates—from their databases, it is increasingly hard to verify that a conviction really belongs to your candidate. It is also easy to miss a conviction, since name changes and nicknames without other identifiers can make people disappear. The only solution is often to pull hard copy files at a courthouse, and that kind of labor-intensive digging may come with a hefty price tag.
Identity Fraud at the Corporate Level
Once you issue a badge to an employee, does it get misused? Do badges get loaned? Do computer passwords get shared? Do workers buddy punch their late friends at the time clock in the morning? Most of these incidents seem innocent enough in isolation, but taken together, they set up a culture in which little thought or value is given to the risk of sharing or neglecting an identity.
You may think that none of this happens at your company, but odds are, it does. Nucleus Research conducted a study of employers who had installed a Kronos biometric time-and-attendance terminal. Of the companies analyzed, 74% experienced losses from buddy punching before they installed the biometric system. Nineteen percent of the companies' employees had punched in their friends at least once a year. The cost on average was 2.2% of gross payroll, and for a 500-employee company with a $30,000 average salary, that's a loss of $330,000 per year.
One of the reasons FIPS 201 is so important is that it demonstrates that two-factor card and biometric authentication can now be implemented successfully. With two-factor authentication, the problems of sharing identities are greatly reduced, if not eliminated. “The next wave of biometrics for physical access is now growing. One of the key drivers is the adoption of the ANSI 378 standard by the government. This ensures interoperability between vendors and is bringing out buyers who were waiting for an open solution,” said Mathew Bogart, director of corporate development and communications for Bioscrypt Inc. Certainly, not every door deserves this type of protection. But almost every company has one that does.
What are the Risks?
For some companies, the risks of corporate identity fraud are obvious. Healthcare, for example, pays a high price not only for hiring mistakes but for “wrongful disclosure of individually identifiable healthcare information” as specified by HIPPA. The penalties can be as high as $250,000 and a 10-year jail term.
Sarbanes-Oxley issues also raise the bar for any public company. Section 404 requires the establishment of financial controls, but it is hard to argue those controls are in place if an auditor finds felons on your staff and passwords on Post-It notes in your offices.
Is your company at risk for disclosing sensitive data? We have all heard about the data breaches resulting from the loss and theft of laptops. According to the Privacy Rights Clearinghouse, which tracks data breaches, stolen laptops accounted for nearly one-third of all compromised records containing personally identifiable information in 2006. The remainder is largely split between hackers and stolen IT equipment on premises, such as conventional computers and hard drives.
Even if your company does not have a legislative driver, you need to look hard at the damage that wrongful access can cause. Allegations last year that a Coca-Cola employee tried to sell proprietary information to Pepsi brought the issue of industrial espionage to light again. In this age of cell-phone cameras and USB memory sticks, hiring practices and access control are at the top of a list of preventive measures.
How much risk does your company have? The government uses a simple, yet effective approach to gauging these risks for their facilities. FIPS 199 outlines a model to evaluate risk in three categories: confidentiality, integrity and availability. As Figure 1 shows, this model gives us an easy way to think about the consequences of a potential incident. While developed to evaluate information systems, it is not hard to extend the concept to physical security. No matter what tool or process you use, the key is to identify the real risks and the likelihood of damage to your company. In most companies, there are sensitive areas and information that deserve the protection of two-factor card and biometric authentication.
What Should You Do?
Identity management is not a subject that gets a lot of time from the typical security manager. Given the security risks of improper hiring and sloppy access control, perhaps it should. The two halves of the problem are equally important. Background screening is not just an HR or purchasing problem. Security needs to know that the process will weed out the high-risk candidates. Similarly, the available technology to prove identity and grant access to your company's assets has improved dramatically in recent years.
Companies that fail to keep up will not only suffer direct losses but will leave themselves wide open to accusations of neglect. Perhaps it is time to take a good look at what the government is doing with the FIPS-201 program and adapt it for your organization.
Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high tech electronics, Mr. Anderson previously served as the VP of Marketing for GE Security and the VP of Engineering for CASI-RUSCO. He can be reached at [email protected].
