With all of the recent high-profile hacking incidents resulting in theft of data, many folks seem to overlook the most obvious and glaring exposure encountered by businesses and government agencies. While industry experts can expound on the various types of technological causes and solutions, the fact of the matter is that the human element is often the easiest point of exploitation.
Consider the recent Sony breach. Of course, many blame North Korea as the main culprit in this incident. Regardless of the identity of the main culprit, experts across the intelligence community as well as the IT industry have concluded that current or former employees or contractors of Sony assisted in or even led the effort. Some believe the information acquired by humans was key to conducting an operation of this scope.
What can be done?
After all, even in 2015, human participation is required in all but rudimentary business processes. HIPAA (Health Insurance Portability and Accountability Act) rules, for example, acknowledge that certain staff members need to access sensitive information, or PHI (protected health information) in its parlance. Rules of HIPAA also suggest that employees should be vetted based on their particular level of access. However, HIPAA does not specifically address what type of vetting should take place.
The net result is that many health care organizations, especially smaller ones, implement personnel clearance procedures that are loose, to say the least. As a result, even though these organizations may be HIPAA compliant, the safety and security of the PHI is directly tied to the moral and ethical bounds of any given staffer.
What, then, can be done? After all, large corporations such as Sony may be able to afford comprehensive background checks for potential employees, but many small and midsize businesses and even government agencies do not have such a budget.
At the very least, folks can take advantage of a plethora of online tools to do some digging on prospective or current employees. The easiest, of course, is a simple Google search. Just as handy, the Hawaii Criminal Justice Data Center provides an excellent database at ecrim.ehawaii.gov/ahewa, where searches for criminal conviction information can be conducted for a reasonable fee.
Other online people searches, such as Intelius or PeopleSmart, can also be used to varying degrees of success. Be aware, though, that fees for such services can vary widely and include automatic commitments, such as a one-year subscription.
Social media also can be used to review a person’s background. Look for profiles on both Facebook and LinkedIn. While LinkedIn is targeted more toward a professional background, Facebook also can provide valuable information.
Of course, old-school methods still work. Check with past employers if allowed. While many will only confirm dates of employment, at least it can be determined whether someone has been continually employed or has large, unexplained gaps in their employment history. Also, especially in Hawaii where everybody knows somebody, a personal reference is always a strong vote of confidence.
———
John Agsalud is an IT expert with more than 25 years of information technology experience. Reach him at johnagsalud@yahoo.com.