Due Diligence

Let us define “due diligence” for you in the context of security. In the field of cybersecurity and business intelligence, it is doing your homework on your proposed vendors, contractors, franchisees, executives, board members etc. You must be aware of their cybersecurity risks and handle them after identifying them. You might run through a checklist for new vendors or fill out an assessment. However, is this the best approach? Risk assessments can be time-consuming and expensive.

Even at their best many organizations will treat these assessments as “set it and forget it” – That is, a permanent understanding. Unfortunately, this line of thinking can introduce cracks in your security that you might otherwise catch. In addition, a single assessment does not account for changing risks and policies.

How can you keep your due diligence up to date, then? Here are some of the best practices.

Cyberhealth is an aggregate of how safe an organization is with its information. Do they use repeated passwords? Are their devices secure and encrypted? Have their employees received internal threat and cybersecurity awareness training? Checking their overall attitude toward cybersecurity can reveal places they are lacking. You should also measure these positions against industry standards.

Using a cybersecurity management platform, you can track your vendors and their network. As a result, your security teams can manage risks more effectively by quantifying where they are at. You can also give your vendors a cybersecurity framework to help them mitigate risks autonomously. The NIST Framework is a great starting point, allowing organizations to identify and respond to threats quickly.

While it is important to establish new security practices, you should be careful when adding networks together. The addition of a new, less secure network can create a security hole that didn’t exist before. In addition, because the nature of threats keeps evolving, you must stay current and ensure your vendors do the same. Monitoring will help you maintain compliance with your standards.

The due diligence process should identify both threats and areas needing improvement. These areas should never be left to chance or left alone. Help establish your standard by having the vendor take steps to mitigate these risks. There is always more that can be done, and the scope of your defense depends on your specific needs. Anti-malware software, software updates, data encryption, and multi-factor authentication are all useful tools.

Should you allow a random vendor access to your network without vetting their TPRM to your organization? Our investigators can perform due diligence investigations on your proposed vendors//contractors to determine their viability in your organization.

Senior Executives have become synonymous with the reputation, brand, and image of the company they represent.  As such, executive hiring presents its own challenges which makes it imperative to conduct proper screening.  We utilize the same techniques employed by the FBI to screen applicants. Our process combines a thorough review of Social Media, public and private database information, open and closed source intelligence and interviews to provide a complete assessment of the candidate.

Hiring executives is one of the most important things your business can do. However, you should be aware of the challenges it brings, if done incorrectly it could impact your brand and sales. In 2019, a report from the Society for Human Resource Management (SHRM) provided some stark numbers. According to SHRM, 83% of HR professionals who responded to the study had trouble finding suitable candidates. A narrow talent market and competition can pressure HR departments to “take what they can get.” Which can be a terrible idea for any company to avoid conducting executive background investigations.

This can be despite red flags. The search for your company’s very own Steve Jobs shouldn’t ignore these signs. The red flags need to be investigated and mitigated.  If anything, you should vet your few candidates even harder. An executive who moves from company to company every couple of years could be a bad sign. With many companies unqualified for vetting at this level, what should you look for? You need a company like the Arruda Group, with seasoned impartial investigators to vet your candidates. A basic employee background check is not sufficient in these cases, as candidates can get a little overzealous when describing their accomplishments on paper.

Many background checks stop at the basic necessities. Criminal, civil, bankruptcy, and dates of employment are among the few areas searched. Even then, these searches tend to limit themselves to the past 7 to 10 years. It is not enough for an executive to graduate from Harvard with a MBA. Never filing for bankruptcy is a plus, but you need to know more.  What does their credit history look like? If they can not manage their personal finances, what can you expect for your business finances.  Their lack of financial stability makes them vulnerable and a potential security risk to your organization.

The usual pre-employment background check tends to establish the bare minimum of “hireability.” These usually flag major indiscretions, like arrest, identity fraud, or civil judgments. They also include motor vehicle reports, education, and employment verification, rehire eligibility, and criminal records. Sometimes this process is automated.

Executive background checks require a crystal clear understanding of who this person is. Consider that most background checks completely ignore a person’s social media history. Hiring somebody who has made public inflammatory comments is a PR nightmare in the making.

When conducting deeper interviews with past and current employers, it can be hard to get information. In these situations, a few interviews may be necessary at each of the former employers to get someone to provide something other than the dates they worked there and whether they would rehire them. However, these interviews are still necessary to determine the candidate’s true abilities and character. Businesses tend to shy away from giving negative reviews, making the process harder. If the investigator is persistent, they will find an employee that will provide information on the candidates work performance, demeanor, attitude, and “likability.”  Even if your candidate underperformed, there might be a fear of litigious retaliation. They may even want to “unload” the candidate onto you to save themselves the trouble of firing them.  An experienced investigator will be able to determine if the current company is trying to get rid of an under performer or problem.

These interviews and their findings can also present risks. For example, candidates can dispute inaccurate findings during a background check through Adverse Action. In addition, the Fair Credit Reporting Act (FCRA) includes guidelines for denying employment based on a background check and how to request a background check. Under the FCRA, Adverse Action describes how employers should deny employment based on background checks.

Candidates must be notified within three days of the findings and be provided with a report copy. In addition, other documents must be provided. These include the Consumer Report and a FTC document summarizing the individual’s rights under the FCRA. After this, the candidate must have a chance to dispute any findings. If the findings are negative or embarrassing the candidate will most likely pull themselves out consideration for the position.