Suppose you’re the CEO, and you start getting anonymous emails demanding large amounts of cash — and threatening to sell your company’s proprietary technology if you don’t pay up. Or maybe confidential customer records have been turning up in competitors’ hands and, with the supposedly leak-proof systems you have in place, you can’t see how it could have happened.
A company faced with a data breach, or the threat of one, usually starts by assuming that — as with Sony, Target, eBay, and others in the past year — the cyber attack is the work of outsiders. Alas, that’s not always the case. Sometimes, the trouble is coming, as they say in horror movies, from inside the house.
The really scary part, for people who hire techies, is what happens next. Once an investigation has pointed straight at someone in the IT department, an employer leery of bad publicity and potential lawsuits usually hushes the whole thing up. No charges are filed, and the miscreant is allowed to resign quietly, sometimes signing a nondisclosure agreement.
Then he or she is free to move on to another job, maybe at your company.
“IT people hold the keys to the kingdom. Unlike employees in any other area, they can do practically limitless amounts of damage,” notes Ken Springer. Yet, he adds, most employers now are so starved for experienced tech hires that they do only the most cursory background checks on candidates, or none at all.
Granted, Springer has some skin in this game. A former special agent with the FBI, he started and runs Corporate Resolutions, whose team does background checks and fraud investigations for companies around the world. He says any company can protect itself from potentially troublesome tech hires by following four steps:
Verify everything on resumes. “A vague resume is often a sign that the person is hiding something,” Springer notes. For instance, because it’s common for techies to earn their stripes at startups, and because startups often go belly-up or morph into other enterprises, “you might see a nondescript company name on a resume and, when you ask about it, the candidate says the company went out of business.” Maybe, or maybe the candidate was somewhere else during the period in question. Insist on tracking down references for each past job.
Because so many employers now want IT people with master’s degrees, Springer adds, a mini-industry of tech diploma mills has sprung up online, “where they’ll sell you a master’s degree without your having to lift a finger or learn anything.” Make sure any degree on the resume is from a bona fide, accredited school.
Have IT people do reference checks on other IT people. “You need detailed reference checks, not only with former bosses but also peers and subordinates,” Springer says. It’s best to have tech employees, rather than HR, call these folks, he adds. “If you’re not, say, a systems administrator or a programmer yourself, references will often very quickly be talking over your head.”
If you run into references who will tell you nothing more than dates and titles, “go back and tell the candidate you want references who can talk about what you were like as a coworker, or as a boss,” he says. A prospective hire who balks at that request might be trying to hide something. In addition, “use social media to find former colleagues who now work somewhere else, so they are usually more free to talk.”
Time consuming as it is, a bit of detective work can pay off. The IT employee who tried to extort the CEO, for example, had a history of what Springer calls “erratic behavior” with previous employers, including having filed two dubious lawsuits. His erstwhile peers would probably have mentioned some of that, but no one asked them.
Make it known up front that you will be conducting thorough background checks. “Just letting people know that you’re going to go over their work history with a fine-toothed comb is often helpful,” Springer says. “The people who have nothing to hide won’t care, and the applicants who have something in their past that they don’t want you to find out will go apply somewhere else.”
Set up a referral system. If your company doesn’t already have one, consider setting up a program that rewards employees for recommending good IT hires, Springer suggests. “Good tech people know who the other good ones are,” he says — and, since such systems put the reputation of the person doing the referring on the line as well, “they’re unlikely to steer you wrong.”
Watch more of the latest news in tech from Fortune’s video team: