Are Background Checks Necessary For IT Workers? Ask UBS PaineWebber
UBS failed to do a background check when it hired Roger Duronio as a full-time systems administrator, so it never discovered his criminal record. Duronio will be sentenced next week for crashing UBS’s systems and causing millions in damages.
December 7, 2006
When UBS PaineWebber hired Roger Duronio as a full-time IT systems administrator in 1999, it failed to do a background check on him. A background investigation most likely would've revealed that Duronio has a criminal record that includes charges of burglary and aggravated assault.
UBS probably wishes it had looked a little deeper into Duronio’s past. Next week he's slated to be sentenced for launching a “logic bomb” in UBS’s computer systems that crashed 2,000 of the company’s servers and left 17,000 brokers unable to make trades.
UBS’s experience highlights the need for companies to conduct background checks on their IT workers, especially those who have access to key systems and applications.
"What do you know about your own people?" asks Alan Paller, director of research at the SANS Institute, a security firm. "You better consider how important IT is. Consider if you could keep on doing business if someone inside hit you with a logic bomb. If you can't, you should think about background checks."
Paller calls the Duronio case "a perfect illustration of the value of a background check."
Duronio, 63, of Bogota, N.J., was found guilty of computer sabotage and securities fraud this past summer. Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer by building, planting, and disseminating the logic bomb. It was designed to delete all the files in the host server in the company’s central data center and in every server in every U.S. branch office.
On March 4, 2002, the time bomb went off, bringing down 2,000 of the company's servers and leaving about 17,000 brokers across the country unable to make trades. UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, spent about $3.1 million to assess the damages and restore the computer systems. Executives at the company haven't reported how much was lost in business downtime.
In retrospect, it appears that the entire event, as well as the financial damages and the hit to the company’s reputation, could've been avoided if UBS PaineWebber, a giant in the financial community, had done a background check on Duronio when he was hired.
During the trial, UBS workers said Duronio held a highly trusted position in the company. Court records show that of more than 20,000 employees, Duronio was one of only about 40 people with the company's highest level of computer security clearance. He had root access to the system.
He also had a record. A preliminary background check by Michael Hershman, president of the Fairfax Group, an investigative firm that largely deals in theft of proprietary information, embezzlement, and computer sabotage, pulled up enough information on Duronio to raise some concerns about whether he should be put in a sensitive IT position.
Using only publicly available information, Hershman found three incidents within 24 hours, including drug-related charges from 1980, the disposition of which is unclear, and a tax violation. Within three or four days, he says, investigators found information on a conviction and incarceration from the early 1960s related to aggravated assault and burglary charges. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.
"This is one of the most egregious examples that I've seen of behavior that probably could've been predicted had PaineWebber known about the background of this individual," says Hershman. "If I was a potential employer, based on our searches that took place in less than 24 hours, I would've had enough information to have said I'm not sure this is a good hire for us.
"Based on the quick public record search we did, that would've been enough for the company to decide on the spot that this isn't someone they want in a position of trust and responsibility, or at least enough to call him in and ask for explanations," says Hershman.
He notes that the background check would've cost about $500. The investigation would have come in at about half that cost if a waiver had been provided from the person being investigated, because that would've given investigators quick and easy access to credit reports and other records that would've made the search much easier to do. Hershman also notes that investigative companies often give companies deep discounts when they're brought on to do a large number of employee background checks.
A spokeswoman for UBS told InformationWeek that when Duronio went from being a contract worker to a full-time worker in June 1999, background checks were done on a "selective basis, and Mr. Duronio wasn't subjected to one." She adds, "Post Sept. 11 and after the acquisition of PaineWebber by UBS, firm policy is that all full-time, part-time, and temporary workers are now subject to background examinations."
According to Dawn Cappelli, a senior member at Carnegie Mellon University’s Computer Emergency Response Team, a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes. Some 18% were for violent offenses such as rape and manslaughter, 11% were for alcohol- and drug-related offenses, and another 11% were for theft.
The good news is that there has been a sharp increase this year in the number of companies that are doing background checks on new IT hires, Cappelli says. A CERT study in 2005 showed that 48% of companies reported that they use background checks to prevent or reduce insider security incidents; that number jumped to 73% this year.
"We're not saying don't hire someone because they have a previous arrest, but it's something to consider when deciding who's going to be in IT holding the keys to your kingdom," Cappelli says.
Ken van Wyk, principal consultant with KRvW Associates, says companies should be running background checks on IT workers, and they also should be upfront about it with those being investigated.
"If you're going to do it, you need to be careful about it and justify it and make sure everyone understands why you're doing it and it remains out in the open," he says. Companies that haven't done background checks before shouldn't just focus on new hires, but should go back and run checks on current employees, as well, he adds.
Once a background check is done, IT managers then need to figure out what prior bad deeds raise a warning flag and what can be dismissed as simple indiscretions or mistakes.
Howard Schmidt, a former White House security adviser and now president and CEO of R&H Security Consulting, says IT managers need to sit down beforehand with the human resources department and corporate attorneys to come up with policies on what is acceptable past behavior and what isn't.
"You have to have criteria that isn't discriminatory," says Schmidt. "If someone had a [driving under the influence] 20 years ago or they were arrested for marijuana in the 60s … you check the circumstances. Was it a drinking problem, or was it one night out celebrating a birthday? It's the repeating of a failure to comply with the rule of law that I would be looking for."
Don't limit the background check to criminal records alone. Schmidt notes that thorough investigations such as those done with key government employees involve checks of criminal, financial, and education records.
Hiring managers also need to consider the position that the person is looking to take in the company. If an IT worker is going to have root access to IT systems or access to confidential information or critical applications, then he or she needs to have a pretty clean record. But Schmidt warns that hiring managers need to consider what positions someone might move into from the one they're being hired for. Moving up the ladder and taking on more responsibility might call for another background check.
"You look at the whole person, and not just the particular job they're going to be doing at that particular moment," he says. "It's not a 100% guarantee, but it's vitally important to know not just the person's skill but the ethical side of the person, their personal interaction skills. They're all factors into the whole person that you're hiring."