Before hiring someone for a cybersecurity role in your organization, it’s important to confirm they have the necessary qualifications to perform the job and can be trusted with your company’s sensitive information.
According to a report by IBM, the average cost of a data breach was $4.35 million in 2022 and is expected to reach $4.45 million in 2023.
All employers should protect against costly data breaches and cyber-attacks by hiring the right cybersecurity professionals.
At iprospectcheck, we conduct background checks for employers in every state and U.S. territory.
Read on to learn about cybersecurity background checks and the laws that apply.
Key Takeaways
- Cybersecurity background checks confirm an applicant’s credentials, education, and qualifications and identify those who should be screened out for the job.
- Failing to conduct thorough background checks on cybersecurity applicants could place a company at significant risk of civil penalties, data breaches, stolen information, and lawsuits.
- Employers must ensure they comply with relevant laws when conducting cybersecurity background checks.
What is a Cybersecurity Background Check?
Cybersecurity professionals typically have access to a company’s intellectual property and the sensitive information of customers.
To ensure you hire qualified, trustworthy candidates, it’s essential that you conduct background checks on all prospective hires.
Cybersecurity background checks might investigate an applicant’s criminal history, certifications, education, former employment, and other information related to the job.
Why Should Cybersecurity Professionals Be Screened?
Cybersecurity professionals must protect networks and the company’s proprietary information. They must also ensure their employers’ sensitive customer information is protected to comply with data privacy laws.
Because of these tasks, cybersecurity professionals necessarily have access to extensive confidential information, making it important for companies to ensure their new hires are qualified to perform the tasks of their job and can be trusted when handling sensitive information.
What Shows Up on a Cybersecurity Background Check?
The information you might see on a cybersecurity background check depends on the searches you request and your applicant’s background.
If the position requires a security clearance, you might have to request more extensive searches and perform a fingerprint-based search.
In general, employers request the following searches on background checks for cybersecurity roles:
- Criminal history
- Employment verification
- Credentials verification
- Education verification
- National sex offender registry search
Here’s a description of these searches and what you might see in the reports.
Criminal History
You should perform a criminal background check for employment when hiring for cybersecurity positions.
This type of check shows whether an applicant has convictions and could pose a risk when handling sensitive company and client information.
If an applicant has a criminal conviction or pending criminal matter, the background check will reveal the following details:
- Criminal case number
- Offense/arrest date
- Name of offense
- Offense level (misdemeanor or felony)
- Case disposition
- Disposition date
- Sentence information (when available)
Employment Verification
Employment verification confirms what applicants have claimed on their resumes about their work history.
An employment verification report shows the names and addresses of an applicant’s past employers, the dates the applicant worked for each company, and the positions and titles the applicant held while working at each job.
Credentials Verification
Cybersecurity professionals are commonly required to have several technology certifications to ensure they are qualified to perform their job duties.
A professional license or credentials verification reveals the following information about each of an applicant’s claimed certifications:
- Whether the certification is valid
- Certificate number
- Type of certification
- Issuing organization
- Issuance date
- Expiration date
- Public discipline or sanctions
Education Verification
Most employers require cybersecurity professionals to have at least a Bachelor’s degree in a related field.
Education verification reveals whether an applicant has the claimed degree and shows the names and addresses of the educational institutions the applicant attended and their attendance dates.
Credit Check
Where allowed, credit checks are important for cybersecurity positions because they can show whether an applicant is under financial stress, which might place the sensitive information of customers and the company at risk.
Some states, including California, Colorado, Washington, and others, restrict credit checks for employment, however, so you’ll need to check with legal counsel about whether you are allowed to perform them in your state.
An employment credit check is not a full credit check and will not hurt your applicants’ credit score.
A credit check for employment reports the following information:
- Payment history
- Available credit
- Any bankruptcies within the last seven or 10 years
- Collection accounts
- Names and addresses of current and previous employers
- Other inquiries that have been made
- Indicators that an applicant is in financial distress
Sex Offender Registry Search
Since cybersecurity professionals will have access to the personal information of customers when securing the company’s networks and data, many companies request national sex offender registry searches.
A sex offender registry search investigates the registries in every state to identify whether an applicant is a registered offender.
If an applicant is a registered sex offender, the report will provide details about the applicant’s registered address, marks, tattoos, photograph, the offense requiring registration, and conviction details where available.
How to Conduct Background Checks for Cybersecurity Roles
1. Draft a Company Background Check Policy
Before initiating background checks at your company, you should first draft a comprehensive background check policy that complies with all relevant laws.
Make sure your background checks for similar roles are conducted uniformly without regard to an applicant’s protected characteristics.
Include information about the types of searches performed and the specific steps your human resources staff should take.
Train your HR staff to minimize the risk of unconscious bias and errors that could result in litigation.
2. Notify Applicants and Obtain Written Consent
Before performing a background check, you must notify the applicant and get their written consent.
Under the Fair Credit Reporting Act’s notice and consent requirements, you must disclose that your company performs background checks on a separate form so it won’t be overlooked.
You must also have your applicants sign a consent form before you conduct background checks.
If an applicant refuses to sign the consent form, you can deny employment or rescind a conditional job offer.
3. Choose the Right Background Check Provider
Choosing the right background check company can make a big difference in the quality, accuracy, and legal compliance of your background check reports.
At iprospectcheck, our extensive resources and technology allow us to return comprehensive background check reports quickly.
We verify all of the information in our reports to ensure it is up-to-date, accurate, and legally compliant.
Our system seamlessly integrates with most applicant tracking systems, and our mobile app makes the process smoother for applicants.
4. Select Relevant Background Screens
Make sure you select only the background screens that are relevant to the cybersecurity jobs for which you are hiring.
When you work with iprospectcheck, you can choose from several packages at different price points or choose from numerous types of background searches to create a custom package for your needs.
5. Communicate With Applicants Before, During, and After the Process
Transparency before, during, and after the background check process helps to build trust between you and your applicants and new hires.
Clearly communicate your intention to conduct background checks and explain why your company performs them.
Keep your applicants updated during the process. With our mobile app, your applicants will have information at their fingertips during the process.
Once you have received the reports, let your applicants know they are free to view them. If you have decided to hire an applicant, make an offer and schedule onboarding.
6. Individually Assess Convictions
If you learn an applicant has a criminal conviction, you should individually assess details of the conviction as they directly relate to the duties your applicant would perform if hired.
Avoid turning down all applicants with criminal records. Instead, assess the information and consider the conviction’s age, severity, and relatedness to the job before basing an adverse hiring decision on the conviction.
7. Go Through the Adverse Action Steps Before Denying Employment
If you want to turn down an applicant based on information in a background check, the FCRA requires you to complete the adverse action process before making a final decision.
Send a pre-adverse action notice to the applicant, and include a copy of the report with the problematic information highlighted.
Give the applicant a reasonable time to respond with corrections or evidence of rehabilitation. Typically, a reasonable time is five business days.
If you decide you don’t want to hire the applicant based on information from the background check, send a final adverse action notice and include a copy of their rights under the FCRA.
Relevant Screening Laws
Federal Background Check Laws
Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) is among the most important background check laws and applies to employers in every state.
It is a consumer privacy protection law that controls how information about consumers is gathered, held, and reported by consumer reporting agencies, including those that perform employment background checks.
Under this law, background check providers can’t report the following information if it is older than seven years for jobs offering salaries under $75,000 per year:
- Arrests that didn’t result in convictions
- Collection accounts
- Chapter 13 bankruptcy cases (10 years for Chapter 7 cases)
- Paid tax liens
- Civil lawsuits and judgments
Employers must also follow the FCRA when they rely on background check reports to make employment decisions.
When an employer discovers negative information about an applicant on a background check report, they must go through the FCRA’s adverse action process before making a final hiring decision.
Fair Chance to Compete for Jobs Act
The Fair Chance to Compete for Jobs Act (FCA) is relatively new and was enacted in Dec. 2019.
This law is a fair chance hiring law that applies to government agencies and private companies with which they contract.
Under the FCA, governmental contractors can’t inquire about an applicant’s criminal history until they have made a conditional job offer.
Government agencies are prohibited from contracting with a company that inquires about or checks an applicant’s criminal history information before making a contingent employment offer.
Title VII of the Civil Rights Act of 1964
Title VII of the Civil Rights Act of 1964 (Title VII) is the most important federal anti-discrimination law. It forbids workplace discrimination based on an applicant’s or employee’s race, color, national origin, sex, and religion.
Since Title VII was passed, multiple amendments have been enacted that protect additional categories.
The Equal Employment Opportunity Commission (EEOC) is the government agency that enforces Title VII. It has issued guidance for employers about what they should do when a background check reveals criminal record information.
Employers should compare information about the conviction with the job’s duties to determine whether they relate to each other.
The individual assessment should be completed and documented before an employer decides to turn down an applicant based on criminal record information revealed in a background check report.
State Background Check Laws
State background check laws vary. Some states place multiple restrictions on employers during the onboarding process, while others have few state laws and only follow the FCRA and Title VII.
An increasing number of local jurisdictions and state governments have enacted fair chance hiring or ban-the-box laws.
In these jurisdictions, employers must comply with restrictions on when they can ask about an applicant’s criminal history information.
Some jurisdictions with ban-the-box laws make employers wait until after candidates have been interviewed or after the employers have made contingent employment offers.
Most states also have expungement laws, which allow individuals with certain types of criminal records to ask the court for expungement.
When a record is expunged, it is erased and can’t be reported on background checks.
Applicants can deny they have a criminal record, and employers can’t ask about or rely on information they might learn about expunged convictions for employment decisions.
Other states might restrict salary history inquiries or prohibit employers from asking for access to their applicants’ social media accounts or passwords.
Many states restrict the ability of employers to conduct pre-employment credit checks and might limit them to positions in certain industries such as finance.
Since state and local laws differ significantly from location to location, it’s important to check with legal counsel in your area about the laws that apply to your organization.
What Disqualifies You on a Cybersecurity Background Check?
Cybersecurity employers might base adverse hiring decisions on several factors when conducting background checks.
Below are a few of the most common reasons:
1. Embellishing Work Experience
Cybersecurity requires a robust IT skillset and experience demonstrating an applicant’s facility with network DevOps, cloud security, network security, advanced threat detection, and more.
Some applicants embellish their work history and claim to have experience handling security incidents that they don’t have.
Employers that conduct employment verification can confirm whether an applicant has the claimed work experience.
When an applicant has exaggerated their past roles and duties, employers will quickly see this and will likely decide against hiring the candidate.
2. Lying About Education and Certifications
Cybersecurity professionals need numerous job-specific certifications, and many employers also require applicants to have a minimum of a Bachelor’s degree.
If an applicant has claimed to have a degree or certifications that they didn’t earn, an employer that completes education and credentials verification can identify the discrepancies and will likely deny them the job.
3. Having Disqualifying Convictions
Since cybersecurity professionals might have significant access to their employer’s intellectual property and sensitive customer information, having convictions related to dishonesty could result in being denied a job.
Employers might decide to turn down an applicant based on the following types of criminal convictions:
- Identity theft
- Hacking
- Fraud
- Theft
- Embezzlement
If the position requires a security clearance, an applicant with a felony might automatically be denied employment because of governmental standards for clearances.
4. Lacking the Right Certifications
Cybersecurity jobs might require different certifications based on the specific needs of an organization.
If a background check reveals an applicant doesn’t have the requisite certifications and/or can’t obtain them within a set period, the employer might choose a different candidate.
iprospectcheck: Your Trusted Source for Reliable Cybersecurity Background Checks
As an employer hiring for cybersecurity roles, you must ensure your new hires are skilled and can be trusted to handle highly sensitive information.
Failing to perform comprehensive background checks on applicants for cybersecurity jobs could leave your company exposed to substantial losses, civil penalties, and significant liability.
At iprospectcheck, we perform cybersecurity background checks for employers and agencies across the U.S.
To learn more about our background check services and how we can help, contact iprospectcheck today for a free quote: (888) 509-1979
DISCLAIMER: The resources provided here are for educational purposes only and do not constitute legal advice. Consult your counsel if you have legal questions related to your specific practices and compliance with applicable laws.
FAQs
How long does a cybersecurity background check take?
How long a cybersecurity background check will take depends on several factors, including how you complete it, whether the position requires a government security clearance, etc.
Positions requiring security clearances often require extensive background checks and might take more time.
When you work with an experienced, reliable, and legally compliant background check company like iprospectcheck, you can often receive comprehensive cybersecurity background reports within hours to a few days.
Working with a less reliable company might result in waiting for a week or longer and receiving incomplete or inaccurate reports.
How far back does a cybersecurity background check go?
The FCRA and state laws control how far back a cybersecurity background check might go.
If a position pays an annual salary of less than $75,000, the FCRA restricts the reporting of information about an applicant’s past arrests that didn’t lead to convictions, Chapter 13 bankruptcies, collection accounts, civil judgments, tax liens, and civil lawsuits to no more than seven years.
While the FCRA doesn’t restrict the reporting of criminal convictions, some states limit how far back they can be reported.
Information about an applicant’s past employment, education, and certifications can be reported no matter how old it might be.