Pre-employment screening: assessing honesty is difficult and the use of specialist security psychometric testing and background checking is essential for trusted positions.
Regular measurement of changing employee attitudes, loyalty and commitment. There is a strong relationship between specific attitudes and specific workplace behaviours. Measuring these variables can provide a better indication of staff intentions than personality measures, particularly concerning undesirable workplace behaviour.
Support for employees facing difficulties at home or at work. Again, the intention is not to single employees out, but rather to provide support and assistance where required.
Regular security behaviour audits. These should not be viewed as tick-the-box exercises, or a way to catch employees out. Rather they should be promoted as a way to enhance security measures. If employees are circumventing security measures because the measures interfere with their work, then it is better to take a constructive stance and make the measures workable rather than take an authoritarian approach and expect that employees will automatically fall in line.
Listen to the rationalisations used by employees to justify their undesirable actions if they occur. While businesses face significant risk from criminally minded employees who steal IP as a result of financial pressures or other lifestyle factors, there also remains risk from those employees who remove IP without considering their actions to be illegal.
Rationalising the situation
- Denial of injury: the employee claims that no harm was done by his/her actions.
- Denial of responsibility: the employee claims he/she had no choice but to comply with others or their situation compelled them to act.
- Denial of victim: the employee claims that the victim was ultimately to blame as a result of their actions or placed the culprit in the situation.
- Social weighting: the employee compares their actions with larger crimes in order to minimise their own actions.
- Metaphor of the ledger: the employee rationalises that he/she is entitled to behave in such a way because the company owes him/her for long employment service or effort, or being overlooked for a promotion.
Security preparation for overseas deployments: employees working overseas face a range of risk factors not apparent in their home country. This role would be more pronounced for companies maintaining an overseas presence in countries where corruption is commonplace.
Exit interviews: eventually, for various reasons, employees will leave. Such employees are a valuable source of information and can provide a deep insight into the true culture of the workplace. While talking to a supportive HR representative, they may feel better placed to be more honest about the organisational climate.
Promote a security culture: having a culture that recognises and values information security is a very effective means of managing the human-factors element of security. However, cultural change is often difficult and should be considered an important long-term goal. The strategies listed here can be enhanced with a corporate culture that supports the integrity of company assets and places a high importance on ethical workplace behaviour.
Understand that employee behaviour is strongly influenced by their psychological contract and whether their expectations are being met over time. Breaches of the psychological contract can reduce employee loyalty and commitment. Research shows a link between such breaches and workplace crime.
Security threats to businesses come from a number of sources. Existing employees may also seek to harm their employer for a range of reasons, including financial gain, revenge, or even boredom. External third-party threats may capitalise on a lack of employee security awareness or on non-compliance with existing security measures. Employees working in overseas environments where corruption is prevalent are at risk of being targeted for the information and access they possess. HR managers are uniquely placed to enhance corporate security via a thorough understanding of the weakest link in the security chain — people.