Safeguarding confidential client and candidate information is pivotal for recruitment agencies to protect themselves from reputational damage, disruption to business operations and the potentially crippling fines that will be levied for security breaches once the GDPR comes into force next year. (If you missed my previous blog outlining what GDPR is all about for recruitment agencies you can read it here).
Unfortunately, recruitment firms are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from the personal data of individual candidates, to details of clients, not to mention much commercially confidential information such as contracts and the contents of emails.
Indeed, a study published by Osterman Research Inc in August 2016 showed that 72% of UK-based organisations had suffered a security attack in the previous 12 months. The types of attacks experienced are diverse, ranging from "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks (as covered in my previous blog), where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated espionage.
As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with establishing and maintaining an effective information risk management regime around cyber security.
Such a regime will involve a multifaceted approach, which needs to include:
1. Identifying where your data is held.
This could include in-house servers, company and employee owned portable devices such as laptops, tablets and smartphones, data that has been copied to removable media such as USB sticks, data that has been shared with business partners and other third-party organisations, copies of data taken for backup purposes and data that is stored in the cloud. Until you have identified where your data is, it is nigh on impossible to protect it adequately. Indeed, because it is so hard to control information which is dispersed over a wide range of devices and/or geographical locations, many firms are choosing to now pull all their information together into a central, UK based repository which makes it much easier to protect.
2. Identifying who has access to your systems, both within and outside the company.
What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers?
3. Regularly reviewing how your network is secured.
Nowadays having a firewall and some anti-virus software is just the tip of the iceberg, and a much wider array of technologies is needed to provide full protection from today’s sophisticated threats.
4. Having in place strict and timely procedures for applying security software updates to your systems.
5. Putting in place safeguards, procedures and policies around mobile working.
6. Implementing procedures around physical security of your servers and IT equipment.
7. Implementing ongoing staff training around cyber security threats.
It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a seemingly legitimate attachment or website link which turns out to be something much more sinister.
8. Having contingency plans to fall back on should the worst happen.
These should include incident response plans, frequent backups and full disaster recovery plans.
It is also worth remembering that securing your recruitment agency against cyber security threats is not a one-off task. With the constantly changing threat landscape, it is critical that all risk management activities around cyber security are reviewed and updated on a continual basis.
If you would like to discuss ways in which Xara Computers can help you reduce your recruitment business’s risk from cyber security threats, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or by email at firstname.lastname@example.org or email@example.com, and we will be happy to help.