← ALL POSTS
STAFFING & RECRUITING EXPLAINER

Background checks for IT hires: what to run and why

Think about what your IT hire touches on day one: the password vault, the domain admin account, email for the whole company, the backups, the payroll system's database. Most employees can hurt you in one lane. An IT person with privileged access can hurt you in all of them at once, quietly, with the logs edited afterward. That's why background checks on IT hires aren't HR box-checking. They're access control. Standard caveat, once: we staff IT people, we're not lawyers, and screening laws vary by state and city. Have counsel or your background check provider confirm what's legal where you hire.

Checks that actually matter for privileged access

Run these on anyone getting admin rights, and use a proper consumer reporting agency, not a $19.99 instant-search website. Cheap database searches miss records and return wrong-person matches, and neither failure is one you want on the person holding your passwords.

What's theater

Some checks feel rigorous and prove nothing. Degree verification for a 15-year infrastructure veteran tells you less than one hands-on screening exercise. Trawling personal social media mostly generates bias risk, not signal. And no background check verifies technical competence at all: a spotless record and a real diploma are fully compatible with not being able to do the job. Check the person's history for trustworthiness, and check their skills separately, with techs who can tell.

The other theater trap is treating the check as a substitute for controls. A clean background is a snapshot of the past. Least-privilege access, separate admin accounts, logging that the admin can't erase, and MFA everywhere protect you from the future, including from good people having bad years. Run the checks and build the controls.

Consent and consistency

Two rules keep you out of legal trouble, and they're both federal law under the Fair Credit Reporting Act when a background check company is involved. First, consent: you must disclose the check in a standalone document and get written authorization before running it. Burying it in the application doesn't count. If the results might cost the candidate the job, there's a required two-step adverse action process: give them the report and a chance to respond before you finalize the decision. Records are wrong more often than people think, and the person you almost rejected over someone else's record with a similar name will be glad you followed it.

Second, consistency: run the same checks for the same role, every time. Screening one candidate harder because of a hunch, a name, or an accent is how discrimination claims get written. Define the check package per role tier before you post the job: basic package for standard roles, enhanced package for privileged access, and then apply it mechanically. Also honor ban-the-box timing where it applies: many states and cities restrict when in the process you can ask about criminal history, which in practice means check late, after a conditional offer.

Same logic applies to contractors, by the way. If a staffing firm is placing a tech into a privileged role at your company, ask what screening their people get, and get it in writing. "They're not our employee" won't matter to you when it's your data.

How to know you've got it right

A sane IT screening program fits on one page: which checks run for which access tier, a compliant consent form, a consistent process, and a real screening provider behind it. Candidates get told up front, results come back in a few days, and nobody with domain admin skipped the process because the hire was urgent. That last one is the failure mode we see most: the check that gets waived is always for the emergency hire, and the emergency hire is exactly the one nobody vetted any other way either. Decide your process when calm. Follow it when rushed.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Hiring sysadmins and network engineers: questions that matter Explainer
Identity and access: one login, fewer passwords, less risk Explainer
Contract, contract-to-hire, or direct: which fits Explainer
Why techs should screen techs Explainer
When your only IT person quits: backfill fast Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston