PERSEC is the security discipline that deals with determining whether applicants and employees are eligible and suitable for positions of increased trust. In the US Government PERSEC is the security discipline under which the background investigation and determination of suitability for security clearances falls. However, PERSEC has far more applicability than protecting classified information. Companies need to ensure that only trustworthy and competent people are given access to their proprietary data. Healthcare companies have to judge whether applicants and employees can be trusted with the sensitive medical information by which their companies are required to protect under HIPAA laws. Financial institutions and law offices have requirements to protect the private information of their clients. But it also has a significant place within the private security industry.
Proprietary and contract security personnel are often given immense amounts of access to the sites they protect. They may have more access than many workers and even some managerial personnel. They can cause severe amounts of damage to our clients.
Cyber security specialists for instance may have access to the entire network of a company. Edward Snowden, an IT administrator for the defense contractor Booz Allen Hamilton stole as many 1.7 million classified files with damaging effect to BAH’s client, the National Security Agency, as well as governments around the world. [1] The 2020 Insider Breach Report noted that respondents to their survey reported they believed that 75% of employees put data at risk intentionally. [2]
When someone thinks about a security guard being an insider threat, they may often think of the secure transport business. A number of cash courier businesses have been robbed over the years only later for investigators to determine that one of the security guards was in on the robbery. In 2012 a Garda weekend supervisor helped robbers steal $3 million from one of their sites in Rivera Beach, Florida. [1] The largest cash heist in the United States was masterminded by a Dunbar regional safety inspector. He knew that on Fridays the vault was left open because of high volume movement of cash. He could identify the markings of bags with the largest denominations. He also knew that the security systems panned and he knew their timing. This allowed him and his co-conspirators to move about the facility undetected. He also knew the guards’ schedules so he and his team waited to ambush and subdue them. [2]
Sometimes security guards have been found or suspected of being insider threats when authorities discovered they did not adequately respond to robberies at their location. German authorities announced this year that four security guards working at the Green Vault in Dresden are under suspicion for their potential roles in the November 2019 robbery of jewelry estimated at over $1 billion in value. [5] A security guard in New York City fed inside details to robbers and then posed as a victim during their robbery at the Aqueduct Racetrack on March 7th, 2020. The robbers escaped with more than $280,000. [7]
It is not just money that these security guards are helping steal. For instance, a Maryland security guard was caught loading copper wire into her car. During the following investigation it was discovered over time she had stole over 1,600 pounds of copper valued at over $10,000. [7] On January 5th, 2020 a security guard at a winery in St. Helena, California was videoed changing out of his uniform, loading items (valued at approximately $50,000) into a truck with accomplices and driving away. [6]
And these problems are not unfortunately outliers. Unfortunately, there is not good data on such instances in the private sector. Usually companies keep such things very mum as not to let it be known there are personnel issues within their companies. This could cause client mistrust and potential loss of customers. The US Transportation Security Administration fired more than 400 employees from 2003 to 2012. Theft from traveler bags was pervasive. One TSA officer who was caught admitted to stealing more than $800,000 in items. [9]
And it is not just physical items and cash that are at stake. Security guards may have keys that allow them access to highly sensitive areas of companies. They also can learn a lot about the sites they work at, such as schedules of staff, vendors, repeat customers, the identities of VIP clients, and when assets are coming and going. Security Guard Rafael Bravo plead guilty to charges that he stole secrets from the aerospace company for which he worked and attempted to sell them to Russian agents. [10]
As a matter of business ethics, we should always be worried about damage to our clients. For those though that are not ethically minded perhaps you will at least be swayed by the almighty dollar. These incidents can have serious repercussions on contract security companies. At the very least there is the potential that the company will cut its contract with the security company. No client is going to maintain a relationship with a security contractor in which they do not have the faith to protect their assets. They may also sue for damages as it is your employee who partially or wholly caused the damages.
Therefore, it is important that we look at PERSEC. It ranges widely on laws as well as companies’ adherence to those laws. Some states do not regulate private security in any manner, which has both positive and negative benefits. Like all laws, the good people are already doing it so for them they are not needed. This lack of regulation allows them to operate to their highest function. Many states and sometimes local jurisdictions have begun regulating security in part because they have had criminal and/or grossly negligent incidents happen because of security companies that were hiring people that should not be in positions of trust.
Some of the basics we see is a criminal background check, sometimes done with fingerprints, and maybe even a credit report. Often times the company’s insurance carrier weighs in, especially if the company has vehicles, and asks for a driving record. There is important information we can learn from these background checks. If the person has a criminal record, we need to look very carefully at whether it should preclude them from the work we would have them doing. You do not want to stake your company and your income on hiring a thief to prevent thievery. In many states any crime of turpitude (immorality) is enough to preclude them from getting a security guard license. When looking at a credit report we might want to think about whether we should be putting a person drowning in debt as the guard of high value assets. They might make a great access control at a residential property but perhaps we do not put them on the night time jewelry store shift. They may be a good person but why put that temptation in front of them?
This is not to say that people do not change. People certainly do. People make mistakes they will never repeat again. Others turn their life around. But as a hiring manager or a company owner your number one duty is to protect that company and your employees. You have to mitigate risks where you can.
Now as noted above those were just the basics of PERSEC. Good PERSEC involves going beyond the basics. Review social media, and not just the person’s profile. Look for their activity throughout the web. If you have an applicant for instance that has a social media full of anti-police rhetoric it should be suspicious that they are applying for a position at the local court house or police precinct. Same with if they have a lot of political rhetoric like Antifa and they are applying to work security at the local Republican headquarters. Same with someone that appears to have a lot of rhetoric about PETA and ALF trying to work at a slaughter barn or a mink farm. If something is complete anathema to someone then it does not make sense that they are trying to get a job working there.
Another good thing to do is open up the interview process beyond just the job itself. Try to get a good sense of the person. Security background clearance investigators may interview someone for hours on end going over the Standard Form-86 Questionnaire for National Security Information. They know more about a person than that person has forgot about themselves by the time it is over. Create your own background questionnaire. Be mindful of the pertinent laws and what you can legally ask someone. Do not just copy the SF-86.
Ask for references and actually contact them. Once again be mindful about laws in your state regarding what information you are legally allowed to ask about someone. People can usually find a few friends to serve as references. If they cannot that should be a red flag that something is wrong. Also, note the references. What is the quality of reference the person is providing you? Are they professional references or friends? When you are speaking to their reference get a sense of the reference. Does the person seem to be a decent person, educated, someone that you trust their reference for your candidate or do they seem like a shifty or unsavory person? If one applicant gives you a reference list that has professors, clergy, and a local official on it that should weigh in their favor over an applicant that gives you three Bubba Joes to contact.
PERSEC should not end at hiring either. As part of the management process leaders need to be keeping track of their employees and evaluating their continued suitability for their job as well as for positions of more trust and responsibility. Periodic evaluations are one way that a company can monitor such employees. Evaluate their honesty and trustworthiness as part of the evaluation. Do they exhibit the company’s ethics? Companies should not be promoting unethical leaders. It is important to note the difference in ethics and morals here. Ethics are the company’s values and organizational morals. It should not be confused with personal morals. A person may have different morals but professionally they can follow a company’s ethics as long as they abide by that standard of ethical behavior during their work time. There are some ethics they may also have to uphold in their off-time as well, for instance such as not drinking in a time period where they would be impaired to do their duties or abstaining from marijuana or other drugs so they would not test positive on duty. Further, ask peers about the employee. They likely see more of them than the supervisor sees.
Consider maintaining monitoring of their outside-of-work activity to a reasonable and legal extent. If they start exhibiting erratic or extremist behavior it may be time to intervene, counsel, or otherwise engage the issue. If their social media starts filling up with pro-racial supremacy or terroristic views that could be leading to behavior that could impact the company. Always think of it in terms of if that behavior would affect their post. As discussed earlier if their post is protecting a political campaign headquarters and they are exhibiting extreme view of the other party it may be time to at least consider switching them assignments. That might be enough of a measure to divert a potential issue.
You need to have company policies and employee contracts written in a way that makes personnel security investigations and taking corrective action easy for the company. Consult with a lawyer about your practices and ensuring that the right language is used in employee manuals and employment agreements. One of the catch-all statements, which all-to-often unfortunately some companies abuse is “at the needs of the company” or “all other duties as assigned.” But they do allow leeway in dealing with problems. Ensure that intolerable activities are clearly stated and that applicants know their expectations, the company ethics, and standards before signing any employment paperwork.
Have a fair and discreet reporting method. Supervisors may not always see violations of company policy or notice worrying behavior. Instead, other employees may notice it. Sometimes employees may be scared of backlash for reporting. There a number of ways you can set up a discreet method for them. Have a locked drop box in which they can slip papers in and only certain personnel can open them to retrieve. Make sure it is not actively monitored as not to scare them from using the box. Let them know they can always *67 a call and report to you anonymously if they desire. Ensure they know that any reports are confidential within the confines of policy and the law. Be clear with them on any reasons you would have to break their confidentiality to handle an issue.
Provide your staff with insider threat education. Train them on the company ethics to establish the base. On top of that teach them about indicators of suspicious activity and violations by employees. Lastly, ensure they know the reporting methods.
If you would like more information on establishing a PERSEC program within your company you may contact Risk Mitigation Services LLC at (417) 208-9732 or info@riskmitsvc.com.
References
[1] C. Strohm and D. Q. Wilber, "Pentagon Says Snowden Took Most U.S. Secrets Ever: Rogers," Bloomberg, 9 January 2014. [Online]. Available: https://www.bloomberg.com/news/articles/2014-01-09/pentagon-finds-snowden-took-1-7-million-files-rogers-says. [Accessed 6 October 2020].
[2] S. Williams, "IT leaders fear data breaches are an 'inside job'," Security Brief, 20 February 2020. [Online]. Available: https://securitybrief.eu/story/it-leaders-fear-data-breaches-are-an-inside-job. [Accessed 6 October 2020].
[3] P. McMahon, "Anatomy of an inside job: How the FBI solved a $3 million heist in South Florida," Sun Sentinel, 29 November 2015. [Online]. Available: https://www.sun-sentinel.com/news/fl-armored-truck-heist-millions-20151125-story.html. [Accessed 6 October 2020].
[4] N. Henley, "The 1997 Dunbar Armored Heist," Medium, 8 May 2019. [Online]. Available: https://medium.com/of-misdeeds-and-mysteries/the-dunbar-armored-robbery-151ee91c3cd3. [Accessed 6 October 2020].
[5] K. Brown, "Security Guards Are Under Investigation as the $1 Billion Green Vault Heist in Dresden Increasingly Looks Like an Inside Job," Artnet News, 9 March 2020. [Online]. Available: https://news.artnet.com/art-world/dresden-green-vault-heist-guards-investigated-1797597. [Accessed 6 October 2020].
[6] N. Goldberg, "$280K Aqueduct Racetrack heist was an ‘inside job,’ feds say," NY Daily News, 15 June 2020. [Online]. Available: https://www.nydailynews.com/new-york/nyc-crime/ny-aqueduct-racetrack-heist-20200616-rwy35g2yhza2hfpxa2wtiq4t44-story.html. [Accessed 6 October 2020].
[7] K. Lewis, "Maryland security officer allegedly steals more than 1,600 pounds of copper," ABC7 WJLA, 1 July 2014. [Online]. Available: https://wjla.com/news/crime/maryland-security-officer-steals-more-than-1-600-pounds-of-copper-104681. [Accessed 6 October 2020].
[8] M. Cabantuan, "St. Helena winery security guard arrested in suspected inside-job burglary," San Francisco Chronicle, 14 January 2020. [Online]. Available: https://www.sfchronicle.com/crime/article/St-Helena-winery-security-guard-arrested-in-14972247.php. [Accessed 6 October 2020].
[9] M. Chuchmach, R. Kreider and B. Ross, "Convicted TSA Officer Reveals Secrets of Thefts at Airports," ABC News, 28 September 2012. [Online]. Available: https://abcnews.go.com/Blotter/convicted-tsa-officer-reveals-secrets-thefts-airports/story?id=17339513. [Accessed 6 October 2020].
[10] BBC News, "Guard admits stealing secrets," 17 December 2001. [Online]. Available: http://news.bbc.co.uk/2/hi/uk_news/1715497.stm. [Accessed 6 October 2020].