Wednesday, 25 October 2017

Preparing your Recruitment Agency for GDPR: Disaster Recovery Planning



For those of you who have been following my recent series of articles on Preparing your Recruitment Agency for GDPR, I wanted to put pen to paper on one final topic on this theme: disaster recovery planning.

GDPR places an obligation on your agency to safeguard the personal data which it holds, and my previous articles have addressed key challenges around day-to-day ways to protect your data through effective risk management in relation to cyber security, insider threats and data backup.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the recent WannaCry ransomware attack that so devastated parts of the NHS to see the reputational damage and compliance breaches that can be caused by such an eventuality. It is therefore important from a GDPR perspective to have the appropriate incident response and recovery plans in place to handle such a situation.

Whilst having a technical disaster recovery plan is vital to recovering systems, it is equally important for the business continuity plan to cover how you would communicate details of an IT failure or data breach to customers, staff, suppliers, the Information Commissioner's Office and the public at large, to minimise the financial and reputational damage to your agency. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications, such as email or contact databases, may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective: whilst many recruitment agencies I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable, with the EMC Global Data Protection Index 2016 study showing that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with IT downtime caused by ransomware attacks in particular often running into a week or more.

It is also critical that the disaster recovery plan will actually work effectively and in a timely manner. Many businesses I work with put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving: our use of technology has moved on significantly, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that recruitment agencies we work with continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:
  • How long could you afford for each of your various IT systems to be down?
  • How much data, if any, could you afford to lose?
  • Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
  • Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems?
  • In the event of a major disaster what hardware would you restore your backups onto?
  • If your offices were incapacitated (or the emergency services wouldn’t allow you access to your premises) where would you work from and how would you connect to your recovered systems? 
Tests of disaster recovery plans also need to be documented, so there is clear evidence that testing has been conducted, the plan has been reviewed and any necessary remedial actions highlighted by the test have been actioned.

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing your agency for GDPR.

Should you feel that your agency’s current disaster recovery arrangements are not adequate for GDPR, then Xara Computers can help. For those businesses with on-premise servers, we offer effective disaster recovery solutions that ensure all data is protected and can be recovered fully and in a timely fashion. For those agencies looking to move to a private cloud environment in order to facilitate remote working, our flagship product, the XC360 Hosted Desktop for Recruitment Agencies, provides highly secure protection of both your live and backup data, incorporating fully managed and fully tested disaster recovery provision as standard. For more information, please do not hesitate to contact me on 0208 732 5656 or email me at at@xc360.co.uk, and I will be happy to arrange a no obligation conference call or meeting.

Future articles will be posted to my blog, which has been designed to keep owners and Directors within Recruitment agencies up-to-date with IT matters that affect the recruitment sector. As one of my valued recruitment contacts please feel free to follow the blog and contact me at any point should you need advice on compliant IT systems for recruitment agencies.
 ________________________________________________________________________________

Xara Computers' flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK based remote desktop running all their own agency’s software. This allows fee earners to work and collaborate in real-time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client and candidate data is centralized and secure. For more information please visit our website www.xc30.co.uk/recruitment

Wednesday, 23 August 2017

GDPR in Recruitment – 7 Top Tips for Compliance (Part 2)



In my previous blog, I shared the first 3 of my 7 top tips for GDPR compliance for recruitment agencies.

With the Digital Minister, Matt Hancock, having now formally announced the new Data Protection Bill, which will enshrine the GDPR into UK law as well as preparing the UK, from a data protection perspective, for life after Brexit, I thought today it would be useful to share a further 4 tips on preparing your recruitment agency for GDPR:

1. Put together a new or updated data protection policy and train employees on it.

This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant. It only takes one employee to not fully understand their obligations to allow something like a data breach to occur, which has the potential to result in crippling fines and reputational damage to the agency under GDPR. One area where I often get asked for advice is around BYOD policies (Bring Your Own Device), where there is the potential for employees to be storing copies of the agency’s data or emails on their own laptops or smart phones. Such devices may not adhere to the agency’s security policies and as such policies around protecting data in this instance need especially careful handling. Please feel free to contact me if you need advice on this subject.

2. Put in place processes for ongoing education for all members of staff around cyber security and data protection.

Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection. To help with this, we have put together a free staff training document, “Best Security Practices for Staying Safe Online”; to request a copy please email me at at@xc360.co.uk

3. Review Your Backup and Disaster Recovery procedures.

GDPR imposes an obligation to look after the personal data of candidates, clients and employees which is entrusted to your agency. This includes backing it up so that in the event of an IT problem, a data corruption, a natural disaster or a cyber attack you have backups from which you can accurately restore that data in a timely fashion. As a minimum, I would suggest that you should be backing up your data daily, but in reality most agencies are now looking at much more frequent backups – in some cases as often as every 15 minutes, or via real-time replication.

You can read more about good practice around data backups and recovery procedures in my blog “Preparing Your Recruitment Agency for GDPR: Data Backup and Recovery” (http://www.it-for-recruitment.co.uk/2017/07/preparing-your-recruitment-agency-for.html).

4. Create a breach notification plan. 

This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your agency.

If you are concerned about your agency’s GDPR compliance position, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to arrange a no obligation conference call or meeting.


Wednesday, 9 August 2017

GDPR in Recruitment – 7 Top Tips for Compliance (Part 1)



The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.

2. Breaches have to be notified to the data protection authority and, in some cases, the consumers affected, without delay. This leaves the agency concerned highly exposed to brand damage and potential customer payouts.

So what do recruitment agencies need to be doing to prepare for GDPR?

Well this is a big question, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance. And whilst you may think you know where your data is, I would caution that identifying where your data is can actually be a much more complex process than you may think. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails? And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your agency is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data to countries outside the European Economic Area that do not have equivalently strong data protection standards.

2. Identify threats to this data. This could include things like ransomware attacks, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if agencies are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

You can find more information about protecting your data from insider threats in my blog “Preparing your Recruitment Agency for GDPR: Protecting your Data from Insider Threats”, whilst there is more information about ransomware threats and their prevalence and impact on recruitment agencies in this article 

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. Long gone are the days when some anti-virus software and a firewall were all that were needed. Nowadays the type of technology we are talking about will include:
  • Virus protection, ideally from multiple vendors
  • Malware protection
  • Ransomware protection
  • Behavioural monitoring software that will monitor and block applications which are behaving suspiciously
  • Software restriction policies
  • Systems for applying operating system and application security updates to servers, PCs and laptops promptly
  • Device monitoring software to flag unusual usage statistics which indicate a device may be compromised
  • Email filtering
  • Website filtering
  • Constantly updated firewall protection, ideally from multiple vendors
  • Encryption of stored data
  • Encryption of data in transit
  • Data loss/leakage prevention technology
  • The ability to remotely wipe data from any user device that is lost or stolen
  • Strong passwords or two-factor authentication
  • 24/7 monitoring against threats
You can find more information about Data Access Control procedures in my blog “Preparing for GDPR: Securing your Recruitment Agency’s Data - Part 1”, whilst there is more information and tips around management of cyber security risks in this article

In my next blog, I will be sharing 4 more tips for GDPR compliance. In the meantime, if you are concerned about your agency’s GDPR compliance position, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to arrange a no obligation conference call or meeting.

Friday, 28 July 2017

Preparing Your Recruitment Agency for GDPR: Data Backup and Recovery



Over recent blogs, I have outlined some of the data security issues that recruitment agencies need to consider when preparing for GDPR, including data access control and securing your data from insider threats.

Today I wanted to talk about effective backup of your data, as this also forms an important part of your GDPR compliance obligations. In fact, protecting your recruitment agency’s confidential data and email is paramount, not only for GDPR compliance, but also to ensure your agency is not impacted by an IT problem. As such, it is vital that backups of data are being held. However, not all backups are equal! In fact, backup takes many forms, and in most cases nowadays there is a need for a multi-layered backup strategy in order to provide full protection of data. As a provider of a secure private cloud platform for recruitment agencies, I am all too well aware of the technical complexities and potential pitfalls of data backup and recovery, so I thought it would be useful to share some information on the various different types of backup that are available, along with the pros and cons of each, and the scenarios when you would employ each type of backup.

Cloud/Online Backups

This is where a copy of your data is sent to the cloud, either periodically or in real time as files are updated.

Cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers.

The effectiveness of this type of backup depends on the volume of data you are holding/changing and the speed of your internet connection. Where there are large data volumes involved and limited internet speed/capacity they are not always practical.

There are also security considerations around confidentiality of data that it is important for the agency to understand – for example where is your backup data being stored in this scenario? Does it remain in the UK or EEA? Is the data centre where it is housed suitably secure (e.g. ISO27001 certified)? Is your data encrypted, both on the backup provider’s servers and whilst it is in transit?

It is also important to understand whether the provider is retaining multiple historical versions of each file, or just the latest backup.

With suitable due diligence and appropriate internet connectivity, online backup can be a good solution for retaining up-to-date system backups.

Removable Media

This is where a copy of your data is taken periodically to removable media such as disk or tape. This provides a very useful form of backup, as the copy is held offline and therefore cannot be reached by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.

It is very important to ensure that any removable media backups are kept physically separate from live systems, and ideally off-site, as otherwise there is the danger that a problem which incapacitates your live system may also wipe out the backups.

Bear in mind that removable media backups are not usually run in real-time (an overnight backup is typically the norm), so there is likely to be some data loss if you do need to restore from this type of backup, as well as some downtime while the restore takes place.

However, it is best practice for a cycle of backups to be taken, which does then provide the facility to restore everything back to a given point in time. This can be particularly useful when a corruption or a cyber infection has occurred, since it allows the system or individual files to be restored back to a point in time before the problem occurred.

Real-time Replication

Real-time replication to another server works well when no downtime can be tolerated, but bear in mind if a corruption or accidental deletion of a file occurs, that this will be replicated in real-time to the backup server too.

Recovering Your Data in a Disaster

Backups are vital, but if you cannot recover them in a timely fashion, or without undue data loss, then they are of little use.

So in your GDPR preparation, it is important to consider for how long your agency could cope without access to each of your IT systems and/or data repositories. This is likely to vary from system to system; for example you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to go through each system you use, considering how long you could live without it. The second key consideration is around data loss. Again for each system you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. If some data loss is acceptable in a disaster scenario, then you may be able to live with backups that run daily or hourly.
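To make the per-system reasoning above concrete, here is an added example (not the author's or Xara's own tooling) that checks a constructed backup inventory against each system's tolerable downtime and data loss, and against the questions posed in the disaster recovery post: is a copy offsite, is a copy offline, are historical versions retained, and where is it stored. System names, regions and timings are constructed sample data.

```python
"""Check a backup inventory against per-system recovery requirements.

Added illustrative example, not the author's own tooling. The systems,
requirements and backup copies below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed shortlist of storage regions treated as inside the UK/EEA.
EEA_REGIONS = {"UK", "IE", "DE", "FR", "NL"}


@dataclass
class Requirement:
    system: str
    rto: timedelta   # maximum tolerable downtime (recovery time objective)
    rpo: timedelta   # maximum tolerable data loss (recovery point objective)


@dataclass
class BackupCopy:
    system: str
    kind: str                # "cloud", "removable" or "replication"
    interval: timedelta      # time between copies (zero for real-time replication)
    last_success: datetime   # when the most recent copy completed
    restore_time: timedelta  # time to restore, as measured in the last DR test
    offsite: bool            # held away from the premises (fire/flood)
    offline: bool            # disconnected from live systems (ransomware)
    versions: int            # historical versions retained (point-in-time restore)
    region: str              # where the copy is stored


def worst_case_loss(copy, now):
    """Data lost if the live system failed right now.

    A failure just before the next scheduled run loses one whole interval;
    if the last run is overdue, everything since it is at risk instead.
    """
    return max(copy.interval, now - copy.last_success)


def assess(reqs, copies, now):
    """Return {system: [finding codes]}; an empty list means no gaps found."""
    findings = {}
    for req in reqs:
        held = [c for c in copies if c.system == req.system]
        if not held:
            findings[req.system] = ["NO_BACKUP"]
            continue
        codes = []
        if min(worst_case_loss(c, now) for c in held) > req.rpo:
            codes.append("RPO_EXCEEDED")
        if min(c.restore_time for c in held) > req.rto:
            codes.append("RTO_EXCEEDED")
        if not any(c.offsite for c in held):
            codes.append("NO_OFFSITE_COPY")     # a fire takes live data and backups
        if not any(c.offline for c in held):
            codes.append("NO_OFFLINE_COPY")     # ransomware can reach connected copies
        if not any(c.versions > 1 for c in held):
            codes.append("NO_VERSION_HISTORY")  # replication alone copies a corruption too
        outside = sorted({c.region for c in held if c.region not in EEA_REGIONS})
        if outside:
            codes.append("OUTSIDE_EEA:" + ",".join(outside))
        findings[req.system] = codes
    return findings


# Constructed sample inventory for a small agency.
NOW = datetime(2017, 7, 28, 9, 0)
REQUIREMENTS = [
    Requirement("email", rto=timedelta(0), rpo=timedelta(0)),
    Requirement("crm", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    Requirement("archive", rto=timedelta(hours=72), rpo=timedelta(hours=24)),
    Requirement("timesheets", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
]
COPIES = [
    BackupCopy("email", "replication", timedelta(0), NOW, timedelta(0),
               offsite=False, offline=False, versions=1, region="UK"),
    BackupCopy("email", "removable", timedelta(days=1), NOW - timedelta(hours=9),
               timedelta(hours=6), offsite=True, offline=True, versions=14, region="UK"),
    BackupCopy("crm", "cloud", timedelta(minutes=15), NOW - timedelta(minutes=20),
               timedelta(hours=8), offsite=True, offline=False, versions=30, region="US"),
    BackupCopy("archive", "removable", timedelta(days=1), NOW - timedelta(days=3),
               timedelta(hours=24), offsite=False, offline=True, versions=1, region="UK"),
]


def sample_findings():
    return assess(REQUIREMENTS, COPIES, NOW)


if __name__ == "__main__":
    for system, codes in sample_findings().items():
        print(f"{system:11s} {'OK' if not codes else ', '.join(codes)}")
```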

Finally, never underestimate the importance of having a written disaster recovery plan and having tested it on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. So regular testing is paramount, bearing in mind that your IT systems are constantly evolving and being updated.

I hope this gives you some key pointers for preparing your IT systems for GDPR from a data backup and recovery perspective. Should your agency require help in clarifying its current backup strategy and ensuring it is aligned to your agency’s current business needs, as well as GDPR compliance requirements, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to help.


Wednesday, 28 June 2017

Preparing your Recruitment Agency for GDPR: Protecting your Data from Insider Threats



Over recent blogs, for obvious reasons, I've been talking a lot about cyber security. But today I wanted to go back to the topic of preparing for GDPR, as I know it is an issue that is concerning many of you at the moment.

In preparing your recruitment agency for GDPR it is important to realise that as well as securing your personal data from external cyber threats, you also need to be securing it from insider threats. So what do I mean by insider security threats?

Well this can be something like a rogue employee, or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error, or our natural tendency as human beings to take the easy option, is actually one of the commonest causes of such an incident, so it is good practice to put in place policies and controls that will minimise the risks of such an occurrence.

Password policies would be one such control. I'm sure for ease of memorability, we would all naturally tend towards an obvious password, but these are very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes, certainly doesn't demonstrate due care of confidential data under GDPR!

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to only give staff the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate.

Staff education is also vital in ensuring that your systems are not compromised by security threats like malware or ransomware, which are often transmitted via rogue emails. I know many of you have seen and downloaded my white paper "Best Practice for Staying Safe Online", a copy of which can be found here if you missed it first time round.

The mobile working revolution has also opened up a plethora of new challenges, and preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data often being held on laptops to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen. Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the EEA.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

If you would like to discuss ways in which Xara Computers can help you secure your agency’s data, and prepare for GDPR compliance, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to help.


Friday, 2 June 2017

Protecting your Recruitment Agency from Cyber Threats.... Free Staff Training Resources



As those of you who have read my previous blog, "Cyber Security for Recruitment Agencies… 8 Top Tips to keep your Agency Safe", will know, effective protection against cybercrime involves much more than just technology.

Indeed, we only have to look at the devastation caused to the NHS and many other organisations by the recent WannaCry ransomware attack, to see that simply having a firewall and some antivirus software is nowhere near enough to protect against today's complex cyber security threats.

The reality is that, to be effectively mitigating cyber threats, recruitment agencies need to implement a complex jigsaw of pieces consisting of multiple technologies and a raft of policies and procedures around issues such as mobile working, Bring Your Own Device (BYOD), applying system updates in a timely manner, managing starters and leavers, controlling data access by third parties, effective password and authentication procedures and much, much more.

On top of all this, implementing staff training around cyber security is a critical part of the jigsaw in successfully reducing the threats that cybercrime poses to any business.

It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who opens a seemingly legitimate attachment or website link which turns out to be something much more sinister.

For this reason we thought it would be useful to produce a white paper "Best Security Practices for Staying Safe Online", which outlines some of the key user education issues around protecting your business from cybercrime. We are making this free resource available to all our contacts to help them reduce their risk from cybercrime, and as such the white paper may be distributed to your staff and/or used as a training resource.

To request your free copy of the white paper, please email at@xc360.co.uk.

If you would like to discuss further ways in which Xara Computers can help you secure your recruitment agency’s data, as well as prepare for GDPR compliance, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to help.


Friday, 5 May 2017

Preparing for GDPR: Securing your Recruitment Agency’s Data Part 1



In my previous blog, Cyber Security for Recruitment Agencies…. 8 Top Tips to Keep Your Agency Safe, I gave some pointers to help recruitment agencies safeguard their confidential client and candidate information.

Since then, many of you have been in touch asking for more information on this topic, especially in light of the imminent enforcement of GDPR. Therefore today I thought it would be useful to share some more information about the specifics of securing your agency’s data. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).

Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your recruitment agency’s data, and forms an important part of preparing your agency’s information systems for GDPR compliance.

GDPR places accountability on recruitment agencies to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that the recruitment industry is fundamentally all about dealing with the storage and movement of personal data, this is likely to cover the vast majority of an agency’s data and activities.

Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Nowadays, it is also likely that external organisations and third parties, such as outsourced payroll providers or organisations carrying out background checks, will have access to some of your IT systems or data. Such access needs to be secured in just the same way, so that you are clear who has access to which parts of the system, why it is needed and how it is controlled. There also need to be procedures in place to review, amend and remove third-party access as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to company security standards. Developing policies around mobile working and ensuring there is no leakage of data or unauthorised access to it form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.
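To make the access-review procedure described above concrete, here is an added example, written for this page and not code from the original post or from Xara Computers, that checks a documented access register against three of the rules discussed: leavers whose accounts are still active, users granted more access than their role needs, and third-party access that has not been reviewed recently. The register entries, the role baselines, the system names (including a departmental HR spreadsheet of the kind that is easy to overlook), the review date and the 90-day review period are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Access levels in increasing order of privilege (constructed scale).
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Hypothetical "minimum access needed to do the job" per role and system.
# Anything granted above this is more access than the role requires.
ROLE_BASELINE = {
    "consultant":    {"crm": "write", "payroll": "none",  "hr_spreadsheet": "none"},
    "payroll_admin": {"crm": "read",  "payroll": "admin", "hr_spreadsheet": "read"},
    "third_party":   {"crm": "none",  "payroll": "read",  "hr_spreadsheet": "none"},
}

# Date on which the review is run (constructed).
REVIEW_DATE = date(2017, 10, 25)


@dataclass
class AccessRecord:
    user: str
    role: str
    system: str
    level: str           # access level actually granted on the system
    active: bool         # account is still enabled on the system
    employed: bool       # person (or supplier) still works with the agency
    last_reviewed: date  # when this grant was last reviewed and re-justified


def sample_register():
    """Constructed access register covering staff, a leaver, a supplier and
    a departmental spreadsheet that holds personal data."""
    return [
        AccessRecord("alice", "consultant", "crm", "write", True, True, date(2017, 9, 1)),
        AccessRecord("bob", "consultant", "crm", "admin", True, True, date(2017, 9, 1)),
        AccessRecord("carol", "payroll_admin", "payroll", "admin", True, False, date(2017, 9, 1)),
        AccessRecord("acme_checks", "third_party", "payroll", "read", True, True, date(2017, 3, 1)),
        AccessRecord("dave", "consultant", "hr_spreadsheet", "read", True, True, date(2017, 9, 1)),
        AccessRecord("erin", "consultant", "crm", "write", False, False, date(2017, 9, 1)),
    ]


def review_access(records, today, review_period_days=90):
    """Return (user, system, reason) findings for grants that break the
    leaver, least-privilege or third-party review rules."""
    findings = []
    for r in records:
        if not r.active:
            continue  # a disabled account carries no live risk
        if not r.employed:
            findings.append((r.user, r.system, "leaver still has an active account"))
        allowed = ROLE_BASELINE.get(r.role, {}).get(r.system, "none")
        if LEVELS[r.level] > LEVELS[allowed]:
            findings.append((r.user, r.system,
                             f"granted '{r.level}' exceeds role baseline '{allowed}'"))
        if r.role == "third_party" and (today - r.last_reviewed).days > review_period_days:
            findings.append((r.user, r.system, "third-party access overdue for review"))
    return findings


if __name__ == "__main__":
    for user, system, reason in review_access(sample_register(), REVIEW_DATE):
        print(f"{user:12} {system:15} {reason}")
```

Run against the constructed register, the review flags bob (admin on the CRM where his role only needs write), carol (left the company but still enabled on payroll), the background-check supplier (last reviewed more than 90 days ago) and dave (read access to an HR spreadsheet his role has no need for), while alice and the properly offboarded erin produce nothing. The baseline table is the piece that has to reflect your own agency: it is the documented answer to "who needs what, and why" that GDPR accountability asks for.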

If you would like to discuss ways in which Xara Computers can help you secure your agency’s data and prepare for GDPR compliance, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or by email at at@xc360.co.uk or ab@xc360.co.uk, and we will be happy to help.

Xara Computers’ flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK based remote desktop running all their own agency’s software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client data is centralised and secure. For more information please do not hesitate to contact me on 0208 732 5656 or email at@xc360.co.uk.

Friday, 7 April 2017

Cyber Security for Recruitment Agencies ….. 8 Top Tips to keep your Agency Safe

When I am talking to recruitment agencies, one of the most frequent questions I get asked is how agencies can manage the ever increasing risks from cyber crime.

Safeguarding confidential client and candidate information is pivotal for recruitment agencies to protect themselves from reputational damage, disruption to business operations and the potentially crippling fines that will be levied for security breaches once the GDPR comes into force next year. (If you missed my previous blog outlining what GDPR is all about for recruitment agencies you can read it here).

Unfortunately, recruitment firms are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from the personal data of individual candidates, to details of clients, not to mention much commercially confidential information such as contracts and the contents of emails.

Indeed, a study published by Osterman Research Inc in August 2016 showed that 72% of UK-based organisations had suffered a security attack in the previous 12 months. The types of attack experienced are diverse, ranging from "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks (as covered in my previous blog), where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated espionage.

As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with establishing and maintaining an effective information risk management regime around cyber security.

Such policies will involve a multifaceted approach, which needs to include:

1. Identifying where your data is held.
This could include in-house servers, company and employee owned portable devices such as laptops, tablets and smartphones, data that has been copied to removable media such as USB sticks, data that has been shared with business partners and other third-party organisations, copies of data taken for backup purposes and data that is stored in the cloud. Until you have identified where your data is, it is nigh on impossible to protect it adequately. Indeed, because it is so hard to control information which is dispersed over a wide range of devices and/or geographical locations, many firms are now choosing to pull all their information together into a central, UK based repository, which makes it much easier to protect.

2. Identifying who has access to your systems, both within and outside the company.
What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers?

3. Regularly reviewing how your network is secured.
Nowadays having a firewall and some anti-virus software is just the tip of the iceberg, and a much wider array of technologies is needed to provide full protection from today’s sophisticated threats.

4. Having in place strict and timely procedures for applying security software updates to your systems.

5. Putting in place safeguards, procedures and policies around mobile working.

6. Implementing procedures around physical security of your servers and IT equipment.

7. Implementing ongoing staff training around cyber security threats.
It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a seemingly legitimate attachment or website link which turns out to be something much more sinister.

8. Having contingency plans to fall back on should the worst happen.
These should include incident response plans, frequent backups and full disaster recovery plans.

It is also worth remembering that securing your recruitment agency against cyber security threats is not a one-off task. With the constantly changing security threat landscape, it is critical that all risk management activities around cyber security are reviewed and updated on a continual basis.

If you would like to discuss ways in which Xara Computers can help you reduce your recruitment business’s risk from cyber security threats, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or by email at at@xc360.co.uk or ab@xc360.co.uk, and we will be happy to help.

Friday, 17 March 2017

Don't let your Recruitment Agency be held Hostage!


In my last blog, I talked about the steps that recruiters need to be taking in order to prepare their businesses for GDPR compliance.

One of the key steps is to identify threats to the personal data you hold, and as such today I wanted to alert recruiters to one particular cyber security threat that is very prevalent at the moment, and is proving extremely costly to recruiters: namely “ransomware”.

Ransomware is a form of malicious software (malware) which effectively hijacks your data by encrypting it and demanding payment of a ransom in return for the key needed to decrypt it.

A survey last year conducted by Osterman Research revealed that 54% of organisations in the UK were attacked in the previous 12 months, some of them on multiple occasions. Such an attack will almost always cause significant disruption and financial losses to a recruiter, so it is well worth understanding the risks and the steps that can be taken to mitigate them before you are attacked.

Be under no illusion, hijacking your data is big business for the cyber criminals behind it, as it provides them with a relatively easy way to earn large sums of money quickly. According to the Trustwave Global Security report, the return on investment for ransomware authors and practitioners is estimated to be over 1400%, which helps to bring clarity as to why this threat is so prevalent and is growing at such an alarming rate. Compared with other types of cybercrime, ransomware is also relatively low risk to the attacker, with none of the complications of trying to sell on the stolen information, and payments being made in the near-untraceable Bitcoin currency.

Now while cyber criminals are happily making money from ransomware, let’s not lose sight of the damage they are causing your business in the process: if you were one of the 54% of businesses to experience one of these attacks last year, you basically will have had two choices: pay the ransom or recover your systems from back up.

If you choose the latter option, then you will undoubtedly have a period of downtime whilst everything is restored, even assuming a full recovery is successful, which is by no means guaranteed. This option is far from ideal as the impact of IT downtime is dramatic with one recent study showing that of those businesses who experienced downtime:

• 52% experienced a loss of employee productivity

• 34% lost revenue as a direct result of the outage

• 23% experienced a loss of customer confidence or loyalty

• 10% lost a new business opportunity

However, the alternative is to pay the ransom; a decision which may have a significant financial impact on your business, as well as serving to perpetuate the business of the cyber criminals. To give you an idea, according to a study undertaken by Osterman Research last year, two in five UK-based organisations experienced ransom demands in excess of £3500 and 3% were presented with demands in excess of £35,000. Somewhat worryingly, the study also showed that 58% of firms in the UK opted to pay the ransom, which would seem to suggest that the risks around this threat had not been fully assessed or planned for, and contrasts sharply with data from the US where only 3% of victims paid the ransom. It is also worth noting that in some cases businesses have paid ransoms but their data has not been decrypted, leaving them bearing both the financial losses of the ransom and the impact of losing their data.

So with either option being far from ideal and likely to cause significant disruption and financial losses to a recruiter, the mantra "prevention is better than cure" certainly holds true in this case.

So is it just a case of installing some anti-virus software or setting up a firewall rule to block these sorts of threats? Sadly not. The way these threats are structured means that they can easily circumvent these basic technological safeguards.

As someone who runs a secure private cloud solution for Recruitment Businesses, understanding cyber security threats such as ransomware, and implementing the complex blend of technologies, processes, procedures and training that are needed to minimise the risks from these threats, are paramount to my firm’s success.

If you would like to discuss ways in which Xara Computers can help you reduce your recruitment business’s risk from cyber security threats, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or by email at at@xc360.co.uk or ab@xc360.co.uk.

Friday, 17 February 2017

Is GDPR About To Cost Your Recruitment Consultancy €20 Million?



One subject I frequently get asked about at customer meetings, is GDPR. I know this is something that is concerning most business owners currently, so I thought it would be useful to share some information on what GDPR is all about and what key actions businesses need to be taking to ensure compliance.

The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

  1. For any breach the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
  2. Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the company concerned highly exposed to brand damage and potential customer pay outs.

So what do businesses need to be doing in order to mitigate the risks?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if companies are to avoid the fines of up to €20 million that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats. This is very important if you are to avoid data breaches, and hence the crippling fines and reputational damage that they would bring about.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up to date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your business.

In future blogs I will be exploring these issues in more depth, but if in the meantime you need help with GDPR compliance solutions, please do not hesitate to contact myself or my colleague Andrew Banning on 0208 732 5656. Or email us on at@xc360.co.uk or ab@xc360.co.uk

Friday, 13 January 2017

Recruiters: 6 Top Tips to Keep your Fee Earners Billing at all Times!


In the fiercely competitive world of recruitment, where time is money, I often get asked for advice on what can be done from an IT perspective to keep your top fee earners billing to their maximum potential.

So here are my top 6 tips for making sure your IT systems are delivering 100% of the time, ensuring your fee earners have everything at their fingertips to be first to secure the deal!

1. Good quality hardware and a well-designed IT infrastructure

When it comes to server hardware, you do get what you pay for. Yes, enterprise class hardware is expensive, but can you really afford to be running your business on hardware that periodically fails? With the short windows of opportunity to do business in the world of recruitment, if your system is down at the vital time you run the risk of missing out to a competitor, so an investment in enterprise-grade, highly resilient hardware, designed in a fault tolerant configuration is a must. And these days, it doesn’t have to be so expensive for SMBs, especially with the advent of cloud solutions that can allow recruiters to benefit from providers’ highly resilient hardware platforms.

2. Remote Working Capability

Long gone are the days of 9-5 office working. Nowadays a deal can happen (or be missed) at any time of day, and as such having secure and easy-to-use remote access into your office systems from home, or anywhere else, plays an important part in maximising your billing potential.

3. The Appropriate Level of Cyber Security

Cyber security is not a subject that excites every business I know, but it is one that recruiters ignore at their peril. With over half of UK businesses having experienced cyber attacks in the last year (more on which another day), including threats such as ransomware which can render the entire network inaccessible, it is essential that the right measures are being taken to secure the network. With new security threats emerging daily, this is a constantly moving target, and one where it is important to take specialist advice. With GDPR also now looming large, and the potentially catastrophic level of fines and reputational damage that will be incurred by a security breach, getting cyber security right has never been so important, and as such many businesses choose to outsource their security to a specialist IT company.

4. Proactive Monitoring

There are plenty of packages on the market now that will monitor your servers, and alert you when there’s a problem BEFORE it impacts your fee earners. This prevents costly downtime caused by things like servers running out of disk space, as you will be alerted once certain thresholds are reached so that the issue can be corrected before it impacts the business. One word of caution though – this type of software needs to be configured correctly as it has a tendency to either over-alert, deluging you with endless messages, or to under-alert, which can result in a problem not being spotted.
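The word of caution above about over-alerting and under-alerting is easy to show in code. The following is an added example, not taken from the original post or from any monitoring product, of a disk-space check that uses two thresholds (raise at one level, clear only at a lower one) so that usage hovering around the line produces a single alert rather than a stream of them, and that also raises an event when the monitoring agent itself goes quiet, since silence is not the same as health. The sample series, the 90%/85% thresholds and the three-interval silence limit are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed disk-usage samples (percent full), one per polling interval.
# None marks an interval in which the monitoring agent sent nothing at all.
SAMPLES = [80, 88, 91, 89, 92, 90, 86, 84, None, None, None, 83]


@dataclass
class ThresholdMonitor:
    trigger: float = 90.0    # raise an alert once usage reaches this level
    clear: float = 85.0      # only clear once usage has dropped back to this level
    max_silence: int = 3     # intervals with no sample before we alert on the gap
    alerting: bool = field(default=False, init=False)
    silent: int = field(default=0, init=False)

    def observe(self, usage_pct):
        """Feed one sample; return an event string, or None if nothing changed."""
        if usage_pct is None:
            self.silent += 1
            # A silent agent looks healthy to a naive checker; report the gap instead.
            if self.silent == self.max_silence:
                return f"MONITORING GAP: no sample for {self.silent} intervals"
            return None
        self.silent = 0
        if not self.alerting and usage_pct >= self.trigger:
            self.alerting = True
            return f"ALERT: disk usage {usage_pct:.0f}% >= {self.trigger:.0f}%"
        if self.alerting and usage_pct <= self.clear:
            self.alerting = False
            return f"CLEARED: disk usage {usage_pct:.0f}% <= {self.clear:.0f}%"
        # Between the two thresholds nothing changes, so nothing is sent.
        return None


def monitor_events(samples, trigger=90.0, clear=85.0, max_silence=3):
    """Run the two-threshold monitor over a sample series and collect its events."""
    monitor = ThresholdMonitor(trigger, clear, max_silence)
    return [e for e in (monitor.observe(s) for s in samples) if e is not None]


def naive_events(samples, trigger=90.0):
    """The over-alerting baseline: one message per sample over the line, and
    no message at all when the agent stops reporting."""
    return [f"ALERT: disk usage {s:.0f}% >= {trigger:.0f}%"
            for s in samples if s is not None and s >= trigger]


if __name__ == "__main__":
    print("naive:     ", naive_events(SAMPLES))
    print("hysteresis:", monitor_events(SAMPLES))
```

On the constructed series the naive check sends three separate alerts for what is really one sustained condition and says nothing when the samples stop, whereas the two-threshold monitor sends one alert, one clear-down when usage is genuinely back under control, and one warning that the agent has gone quiet. The gap between the two thresholds is the setting to tune: too narrow and you are back to the deluge, too wide and a real recovery goes unreported.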

5. Responsive 24x7 support

As I touched on above, we no longer work in a Monday to Friday 9-5 office based environment, so it’s important that your IT support provision doesn’t either. If your fee earners are working from home of an evening to secure a deal, they need assurance that their IT systems are going to be working and supported too.

6. Disaster Recovery Planning

Finally, we all like to bury our heads in the sand when it comes to disaster recovery…… “It will never happen to me” after all?! Sadly, unplanned downtime did strike 57% of UK businesses in the last 12 months according to the EMC Global Data Protection Index 2016, so having effective plans and being prepared to deal with such an eventuality is critical if you are to minimise the impact on your business.

In coming blogs I will be exploring many of these topics in more depth, but if in the meantime you need any advice on the best ways to ensure your IT systems allow your fee earners to be maximising their billing potential, then please do not hesitate to contact me on 0208 732 5656 or email at@xc360.co.uk