We are about to dump a large number of largely untrained degreed new employees on managers who haven't had the time or inclination to really train them. Every year at this time, I shudder a little. I'm glad I'm an analyst and no longer have to deal with this kind of thing myself. But if you do, it's time to take a look at this exposure and some things you can do to mitigate it.
People get complacent in their belief that everyone knows the core rules surrounding employee behavior and both electronic and physical security. However, they often forget that kids coming out of school often have no experience that prepares them for rules they must follow. Human resources departments, in most companies, haven't been staffed by professionals in years and most employees don't bother (because they aren't tested) to read employee manuals. There are few instances where anyone assures the material has been read and understood.
If you've been following higher education trends, you'd know that a certain percentage of these new employees largely cheated their way to their degrees. While they may not actually fully understand this themselves, they have developed a behavioral process that is based on gaming systems. Some will use good judgment and not do anything drastic, but some will go too far. If this behavior isn't corrected early it will follow the employees as they advance in the organization and can often be used to explain later behavior that ranges from product and resource theft to stock fraud and corporate spying for a competitor.
Early examples of this behavior are often expense irregularities, small departmental thefts, or major pranks showing very poor judgment and control. But if you aren't looking for patterns, you can't see and correct the behavior. And if you wait too long, you can have an "event." That event will probably result in the employee's termination and the employee feeling wrongfully terminated. That combination often can lead to violence in the workplace. I've seen a lot of that too, so assuring that doesn't happen should be an ongoing process that begins even before the employee is hired.
Much of what I'm going to suggest may be easy to pass off on HR, but as I mentioned above, HR isn't the power it was in the '70s and is generally neither equipped nor staffed to deal with problems in the early phases. They are focused largely on compliance and, these days, mostly focus on making sure employee hiring, treatment, transfer, and termination all fall within aging policies. They aren't well connected enough to be proactive, even if they wanted to be; generally they don't want to be connected.
If the employee becomes a problem, chances are security will have to deal with it. In fact, in many cases it may be security that actually discovers the problem in the first place. Therefore, it makes sense for security to assure a process that ensures that employees have minimal opportunity or inclination to steal or compromise corporate assets or harm other employees.
What follows is a series of recommendations I've developed over the years working at a number of companies which had issues that too often escalated into violence or massive theft.
Years ago, a security review of the team I was running identified a set of conditions we felt could lead to large-scale employee theft. Despite using a sampling method, we could not actually find that the theft had occurred and management did not agree with the recommendations to change the process. Two months later, two employees left and their replacements discovered a series of anomalies that turned out to be financial fraud, using bogus vendors and the very flawed process we had identified.
The employees, who had both joined the company a few months prior, had been working as a team. We were not the only company hit. In fact, they had been going company to company, getting jobs in accounting, then funneling hundreds of thousands of dollars to false vendors under executive signature limits.
There had been a background check done, but not by security. It was performed by the manager who called the reference the employees gave who probably (we never confirmed this) was in on the scam.
The mechanisms in place to create false credentials and references are widespread, and we've even seen CEOs hired that don't have the background they represented. Large hiring spurts, which often happen when a large number of students suddenly hit the market, are a time when things like solid background checks fall through the cracks and likely the best time for someone that shouldn't be hired to get in.
Actions & Consequences
First-time employees who have been living off their parents often don't fully understand or think through the repercussions of their actions. They can't connect the dots between the risks they take and the personal and business impacts that result. This can lead to anything from in-office affairs to dangerous pranks and outright theft of company property.
Of course, the best way to understand consequences on a deep and visceral level is to experience them. New employees often get a lot of slack as they learn the ropes. I suggest the opposite should be true. It used to be that new employees were on probation and violation of that probation would result in termination. If employees see someone fired for cause, they understand the rules are meant to be followed. If it doesn't happen to them, or they don't see it happen to others, they won't learn how serious the consequences are.
Actually teach them about consequences. People often learn from stories, some of them can be kind of funny if they aren't happening to you. Without naming names, an orientation session going over some of the most common ways employees get into trouble, and discussing the implications of the problem to the organization and to the individual can help drive home the point. As part of this effort it can humanize security and begin to make the folks securing the company less of an obstacle to overcome and more of an asset to use.
Getting to Know You
New employees, like freshman in school, are at the bottom of the food chain. They often have issues with feeling important and will act out to gain attention. If you can help make them feel important and help you address issues like employee theft or other security exposures, you can kill two birds with one stone. Plus, it is much harder to hurt someone you know and who treats you with respect, as opposed to some faceless entity that simply represents authority.
Have someone from security personally talk to each new employee. Offer to help them understand the importance of their role in assisting you secure the site. Make sure they know who to call or email if they see an exposure, and create a relationship where they know they are important to the firm's security and security can be important to them.
In today's hostile world, personally, I'd rather have someone report something that turned out to be nothing and feel like they were helping than not report something because they either didn't know who to call or believed no one would care. Getting people to take security seriously is always difficult but, in my experience, it is much easier when the employee is new than when they are entrenched and jaded.