Cyber criminals like to be able to target organisations where they can access large amounts of sensitive information and have a deep impact with the attack – the recruitment sector is a prime example. Candidate data is the most valuable intellectual property asset for a recruitment business, so for this to be at risk could bring the business to its knees overnight. Even if recovery is quick the reputational impacts alongside the risks a breach of confidential data would pose for candidates and clients are likely to lead to long term suffering.
With a wide range of risk factors to consider for recruitment businesses it’s important to consider your current position regarding some of the most likely threats, and also how you can evolve the levels of security surrounding these.
The range of confidential data held by recruiters is huge, and if compromised would cause significant issues for both candidates and client businesses. In order that the best job is done for the client a recruitment company will hold information about the client’s business that may not be in the public domain such as new teams/roles, restructuring programmes or business plans that feed in to personnel needs. Alongside this the recruiter will hold information on salaries and related budgets, which if compromised could give competitive advantage to other recruiters. Also, if you are on a preferred supplier list or hold a long-term complex contract with your client you most likely want this information kept away from prying eyes – competitors having access to this sort of information could result in lost business which can be hard to recover from. A final thought here is that as a recruiter you may specialise in a particular industry enabling access to information about many organisations within said sector, or you are a potential access point to high profile organisations who themselves may be harder to infiltrate directly. All of this warrants careful consideration when looking at how to protect both your own and your client’s sensitive data and information.
As a candidate an individual puts a lot of trust in their chosen recruitment professionals, and with this comes a responsibility to handle their personal information appropriately and ensure it is securely stored and used. The range of personal information for one candidate could cover:
- Contact information
- Home address
- Personal history disclosure
- Driving licence
- Bank details
…not a mix to be managed irresponsibly! Now imagine this at scale with hundreds or thousands of candidates registered in one database, this is an attractive target for cyber criminals both in terms of potentially selling on the information and instigating a ransomware attack on the recruitment business. Beyond this level of personal information recruiters will also store the contracts candidates have with employers – another source of sensitive information including salaries, bonuses, and benefits which the individual may not want in the public domain.
Thankfully, although given the above this might seem a little bit of an oxymoron, this information is now stored in online systems and not paper files locked away in filing cabinets. The level of security controls available in these systems and those you build up around them in your business offer many more layers of protection against the inevitable cyber-attack, especially if implemented well and regularly reviewed and maintained. However, the complex nature of the way we now do business online using a large range of connected systems and devices means that you must consider more than just your own systems. As a recruiter you may have access to client systems, or both sides may be linked to enable smoother information sharing and process management – all of this presents more risk as the attack surface for cyber criminals has grown.
A further aspect to consider for many recruitment companies, often due to their size and business focus, is outsourced IT management. One way of looking at how the risks present themselves in outsourcing IT is to think about how it might be if you outsourced salary negotiations on behalf of your candidate without having any insight or influence…the damage could be huge to both the candidate and you in terms of revenues and reputation. As IT is most likely not your area of specialism you may not know what to ask, and even if you do you may not know whether what you hear in response is good enough for your business. This is where seeking support and investing a little ahead of appointing a supplier could save you in the longer term. In the very first instance though it would be valuable to ensure you know how they approach topics such as device management, backups, and patch management.
Working in an industry that handles so much personal, sensitive, and potentially valuable data it is surprising to see that there is not a lot of support and guidance in terms of professional and membership bodies setting standards for recruitment companies regarding their approach to cyber and information security. There is more support available around GDPR for example, but this doesn’t in our view go far enough in raising the levels of required security within the industry.
Taking on this challenge for your business may seem like a big task given all that we have explored so far, but this need not be the case. The best place to start is by raising awareness of the risks within your teams. Although the delivery methods of cyber attacks will be through digital or technological means, most of the time they pass through humans. Whether it’s a phishing email, ransomware attack, invoice fraud or social engineering you can add in a layer of defence by investing in awareness training for your staff and ensuring that there is a top down view that security is important and everyone’s responsibility. Building this culture will better protect you, your candidates, and clients in the event of an attack.
In additional to training there are three other areas you could focus on to ensure you have more security controls in place:
- Ongoing governance – ensuring you have active policies and management around the areas of remote working, device usage, cloud access and password controls, only adds to the levels of awareness and controls in place. They are ever more needed now all due to how we work and candidates’ availability needs, facilitating you to do business how you need to
- Insider threat awareness – unintentional or intentional there is in recruitment significant value to be had from staff stealing client and candidate information. Whether looking to set up alone or add value to a new role, this would be a valuable dataset to have
- Incident Response Plan – in the face of the inevitable attack and ensuing impact preparation is important and in cyber security that comes in the form of a well built and tested Incident Response Plan focused on reacting to an attack and recovering as quickly as possible
There is indeed much to consider but remember this; securing your business will be seen as a positive both with clients and candidates as the understanding evolves around how we are all responsible for managing and communicating sensitive personal information. This will put you in a stronger position as soon as you start on this journey.
Within such a fast-paced industry the threats will be moving alongside you at the very least, making sure you protect your business and critical relationships is something you should be starting on today.