Recruitment agencies are built on trust: your clients and candidates need to know their personal data is safe in your hands. If you have not thought about your cyber resilience before, you need to understand the cyber security risks the recruitment sector faces and how to mitigate them.
What cyber security risks does the recruitment sector face?
Sensitive data management
Much of the data stored by a recruitment business is Personally Identifiable Information (PII): salaries, gender, contact details, job descriptions, previous employers, references and so on. It is therefore critical that only those who are authorised can access it. At a minimum, every account needs a strong, unique password and Multi-Factor Authentication (MFA). Best practice also means classifying data (for example, labelling candidate records as confidential) and backing that up with data loss prevention (DLP) controls, so that sensitive data cannot leave the organisation either accidentally or deliberately.
Phishing attacks / Malware (email attachments)
As a recruiter, you will receive large numbers of CVs as email attachments, and any one of them could be malware in disguise: an executable with a document icon, a file whose extension does not match its real contents, or a macro-enabled Office document. Stay vigilant when checking them, and prefer opening unknown CVs in a viewer that blocks macros by default. The same applies to hiring managers and finance staff at recruitment businesses, as these staff and departments are also more likely to receive malicious attachments.
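As an added example (not from the original article), the script below shows the kind of check an inbound CV mailbox could run automatically: it identifies an attachment's real format from its leading bytes, compares that with the extension, and flags Office documents that contain a VBA macro project. The sample attachments are constructed in memory, and the accepted-format policy and filenames are assumptions.

```python
"""Triage CV attachments before anyone opens them (added example, not the
article's own code). Real format is taken from leading "magic" bytes rather
than the filename, and ZIP-based Office files are inspected for macros."""
import io
import zipfile

# Leading bytes that identify common CV formats. Office 2007+ files are ZIP
# containers, so .docx and .docm both begin with the ZIP signature.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "ooxml"),                        # .docx/.docm/.xlsx (ZIP)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (b"MZ", "pe"),                                   # Windows executable
]
EXPECTED_FAMILY = {"pdf": "pdf", "docx": "ooxml", "docm": "ooxml", "doc": "ole2"}
ALLOWED_EXT = {"pdf", "docx", "doc"}  # assumed policy for a CV inbox


def detect_family(data: bytes) -> str:
    """Return the format family implied by the file's leading bytes."""
    for sig, family in SIGNATURES:
        if data.startswith(sig):
            return family
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """True if a ZIP-based Office file carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'allowed': bool, 'reasons': [...]} for one attachment."""
    reasons = []
    name = filename.lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if name.count(".") > 1:                      # e.g. cv.pdf.exe
        reasons.append("multiple extensions")
    if ext not in ALLOWED_EXT:
        reasons.append(f".{ext} is not an accepted CV format")
    family = detect_family(data)
    expected = EXPECTED_FAMILY.get(ext)
    if expected and family != expected:          # extension lies about content
        reasons.append(f"content is {family}, not {expected}")
    if family == "pe":
        reasons.append("Windows executable")
    if family == "ooxml" and has_vba_project(data):
        reasons.append("contains VBA macro project")
    return {"allowed": not reasons, "reasons": reasons}


def build_office_zip(with_macro: bool) -> bytes:
    """Construct a minimal .docx-like ZIP, optionally with a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample attachments (names and contents are made up).
SAMPLES = {
    "jane_doe_cv.pdf": b"%PDF-1.7\n%constructed sample\n",
    "john_smith_cv.docx": build_office_zip(with_macro=False),
    "cv_final.docx": build_office_zip(with_macro=True),   # .docm renamed to .docx
    "cv.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,           # executable, double extension
    "resume.pdf": b"PK\x03\x04" + b"\x00" * 16,           # ZIP content claiming to be PDF
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample; returns filename -> verdict."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        status = "OK     " if verdict["allowed"] else "BLOCKED"
        print(f"{status} {name}: {', '.join(verdict['reasons']) or 'clean'}")
```

Only the genuine PDF and the macro-free .docx pass; the renamed macro document is caught even though its extension is on the allow list, because the check reads the container rather than trusting the name. A real mail gateway would add antivirus scanning and sandbox detonation on top of this.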
Remote working - lots of staff working remotely, high volume of client meetings
Having many staff working remotely brings its own cyber security risks, because senior leaders have far less control over where their employees work. Staff may be connecting over unsecured public Wi-Fi, working on a crowded train where anyone nearby can shoulder-surf sensitive data, or leaving devices unattended in shared workspaces.
A high volume of client turnover - data
The high volume of staff turnover - taking leads, clients with them, devices
Recruitment is an industry that has historically seen a high staff turnover rate, with top consultants often headhunted by rival firms. With this in mind, it is vital to secure your data and to revoke a departing staff member's access to accounts, data and devices as soon as notice is given or employment ends, in order to limit the client and candidate data they can exfiltrate and take with them. A defined leaver process (account disablement, recovery of company devices, and a review of recent export and download activity) makes this repeatable rather than ad hoc.
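As an added example (not from the original article), the script below shows one way to spot a departing consultant harvesting candidate records before they leave: it parses constructed CRM audit-log lines, builds each user's daily candidate-view count, and flags a day that spikes well above that user's own prior baseline, as well as any bulk export. The log format, thresholds and user names are assumptions.

```python
"""Detect bulk candidate-record access in CRM audit logs (added example, not
the article's own code). Log line format and thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import median

# Assumed log format: <ISO timestamp> user=<id> action=<verb> object=<path>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)
SPIKE_MULTIPLIER = 3     # alert when a day exceeds 3x the user's median
MIN_VIEWS_TO_ALERT = 50  # ignore spikes on trivially small numbers


def constructed_log() -> list:
    """Build sample audit lines: alice is steady; bob spikes and exports on day 5."""
    lines = []
    days = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]
    for i, day in enumerate(days):
        for n in range(18):
            lines.append(f"{day}T09:{n:02d}:00Z user=alice action=view object=candidate/{1000 + n}")
        bob_views = 22 if i < 4 else 260
        for n in range(bob_views):
            lines.append(f"{day}T10:{n % 60:02d}:{n // 60:02d}Z user=bob action=view object=candidate/{2000 + n}")
        if i == 4:
            lines.append(f"{day}T17:55:00Z user=bob action=export object=candidate_list")
    lines.append("garbage line that should be ignored")
    return lines


def parse(lines):
    """Return (user -> day -> candidate views, list of (user, day) exports)."""
    views = defaultdict(lambda: defaultdict(int))
    exports = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        user, day, action, obj = m["user"], m["day"], m["action"], m["obj"]
        if action == "view" and obj.startswith("candidate/"):
            views[user][day] += 1
        elif action == "export":
            exports.append((user, day))
    return views, exports


def detect(lines) -> list:
    """Return alert dicts for per-user view spikes and bulk exports."""
    views, exports = parse(lines)
    alerts = []
    for user, per_day in views.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            if not prior:
                continue  # no baseline yet for this user
            baseline = median(prior)
            count = per_day[day]
            if count >= MIN_VIEWS_TO_ALERT and count > SPIKE_MULTIPLIER * baseline:
                alerts.append({"user": user, "day": day,
                               "reason": f"{count} candidate views vs baseline {baseline:g}"})
    for user, day in exports:
        alerts.append({"user": user, "day": day, "reason": "bulk export of candidate list"})
    return alerts


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(f"ALERT {a['day']} {a['user']}: {a['reason']}")
```

Comparing each user against their own history avoids alerting on a consultant whose normal workload is high, while the absolute floor stops noise from small accounts. In practice the alert would feed the leaver process: confirm whether the user has resigned, and if so disable access and recover devices immediately.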
Scams facing firms/candidates
The past 3 to 4 months have seen a rise in the number of scam job postings aimed at harvesting key Personally Identifiable Information from candidates who apply. Read more here
How can a recruitment firm mitigate these risks?
Security Awareness Training - from board level down
A company's cyber security posture must be owned by all staff, ideally from board level down, with several security champions across the business. Security Awareness Training should run quarterly, and the content should be adjusted each quarter to target the gaps in staff knowledge that the previous round revealed.
Devices - Anti-virus and firewalls
Anti-malware (anti-virus) software should be installed on all work devices as a mandatory defence, with automatic updates enabled. A second measure is to ensure the local firewall is switched on for every laptop and desktop, configured to block unsolicited inbound connections by default so that as few unauthorised connections as possible reach the device.
Controlling devices - encryption, backups, auto-updates, remote locking, MFA
All devices should ideally be enrolled in a Mobile Device Management (MDM) solution, which gives the organisation control over what devices can be used for, what software can be installed, and how promptly Operating System and anti-virus updates are applied. MDM can also enforce full-disk encryption on every device, allow a lost or stolen device to be locked or wiped remotely, and ensure devices are backed up as frequently as business processes allow.
Implementing key security policies with all new hires
Security policies are a must within any business, and new hires should read and sign them as part of onboarding. They can cover acceptable use, password requirements for accounts, the process to follow when a phishing email is suspected, and much more. They are a fundamental component of having all staff work towards a coherent cyber security stance.
Remote working - VPN, security screens
In addition to firewalls and anti-virus, a VPN should be enabled on all devices used by staff working remotely. The VPN encrypts traffic between the device and the company's VPN gateway, so anyone on an unsecured public Wi-Fi network sees only an encrypted tunnel rather than the data inside it; this greatly reduces a remote worker's exposure to eavesdropping and tampering on untrusted networks, though it does not protect against threats that are already on the device.
Best practice for remote workers is also to fit privacy screens to all devices. These narrow the viewing angle so that the screen is readable only by the person sitting directly in front of it, reducing the risk of shoulder surfing and sensitive data exposure.
Cyber Essentials
Cyber Essentials is a UK government-backed scheme that allows your business to become certified, demonstrating to your clients that you have baseline security controls in place. For more information, read here.