
Corporate Cyber-Security and Hiring Practices

 
On March 5, 2009, Computerworld ran an article about how the CEO of Mahalo, a Santa Monica-based search engine company, defended the hiring of an employee, Mr. John Schiefer, who, on Wednesday of this week, was sentenced to 4 years in prison for leading a botnet scheme before he was hired by the company. Mr. Schiefer's case represents the first time the federal government has charged an individual with operating a botnet under federal wiretapping laws. A botnet is a collection of software robots, or bots, that run autonomously and automatically. The term is generally used to refer to a collection of compromised computers (called "Zombie Computers") running software, usually installed via worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.
 
Jason Calacanis, CEO of Mahalo, stated in the article that Mahalo was not aware of the criminal activities of Mr. Schiefer, and that it has a "rigorous hiring process." According to court documents, Mr. Schiefer had accessed computers of an unnamed client while employed at 3G Communications in Los Angeles. This case highlights the need to have a thorough, not just "rigorous," Mr. Calacanis, hiring policy in place for a business. That means when background checks are made, questions like "Has Ms. Smith ever been a hacker?" should be asked alongside "What kind of employee was Ms. Smith?" There are many parts of an employee's character that cannot be determined in an interview, and therefore a thorough background investigation (i.e., bankruptcy filings, criminal records, credit checks, etc.) should commence prior to any offer of employment. Self-authentication forms should also be handed out to the applicants, and then followed up on in the interview stages, to determine if any variables exist. My hunch is that the "rigorous hiring process" that Mr. Calacanis thinks his company operates under does not include a self-authentication form asking if the client has ever been a hacker. Such an important question should be asked, especially if one is in the business of being a search engine.
 
I am about giving people second chances in life; Lord knows I've had them myself. However, CEOs need to not talk out of both sides of their mouth when it is obvious their hiring practices are not "rigorous." Saying that Mahalo was "unaware" of Mr. Schiefer's criminal activities, but that it has "rigorous" hiring practices, is hypocritical double-talk. How about stating, to the media, that Mahalo needs to reevaluate their employee selection process to determine if the standards are up-to-date and acceptable? Human Resources departments are as much on the frontlines as IT departments when it comes to corporate cyber-security. Make sure that your business is properly prepared to train and screen potential hires.
 
Article about Mahalo: Mahalo CEO defends IT Staffer Who Ran Botnet Before Being Hired
 
