When UBS PaineWebber hired Roger Duronio as a systems administrator in 1999, it didn't do a background check. An investigation likely would've turned up a police record that included burglary and aggravated assault convictions, drug charges and a drunken driving case.
Those records were filed by the U.S. District Court in New Jersey's Probation Office ahead of this month's sentencing of Duronio, 63, convicted this summer of computer sabotage and securities fraud. In 2002, Duronio unleashed a "logic bomb" on UBS' computer systems that crashed 2,000 servers, left 17,000 brokers unable to make trades and cost about $3.1 million to fix. UBS, renamed UBS Wealth Management USA (New York) in 2003, didn't disclose the damage from lost business.
Duronio's criminal past is the kind of information most employers must know, especially if the candidate will have access to key systems.
Thirty percent of insiders who launch system attacks have criminal records, says Dawn Cappelli, a senior member of Carnegie Mellon University's CERT security response team, citing a 2006 study in which 73 percent of companies did background checks, compared with just 48 percent in the 2005 study.
But would a background check have turned up Duronio's record? Investigation firm Fairfax Group (Plymouth, Minn.) found most of the information in the probation report within four days using only public records, and some within 24 hours, says Michael Hershman, president, Fairfax Group.
Cover All the Bases
Companies just starting to do checks on job candidates should go back and check on current employees, too, says Ken van Wyk of information security consulting firm KRvW Associates (Alexandria, Va.). But be open about it, and make sure people understand why it's necessary, he says.
IT and HR managers also need to discuss what's acceptable past behavior, says Howard Schmidt, a former White House security adviser who's now CEO of R&H Security Consulting (Issaquah, Wash.). "If someone had a DUI 20 years ago, ... you check the circumstances," Schmidt says. "Was it a drinking problem, or was it one night out celebrating a birthday? It's the repeating of a failure to comply with the rule of law that I would be looking for." Schmidt warns that background checks are no guarantee, but more companies are deciding they're worth the time and expense.
-- Sharon Gaudin, InformationWeek
Courtesy of InformationWeek, a CMP Media Property.