Recruitment agencies and their candidates are a key target for today’s cyber criminals


For the recruitment industry, candidate data is what differentiates a successful recruitment agency or recruiter from those that fail to hit target. Recruitment agencies spend many years building up and nurturing their lists, and therefore they are valuable IP.

Once upon a time this data existed in the filing cabinets that used to flank the walls of a recruiter’s office. Contained in each would be the candidates’ CVs and contact details, as well as client information that was equally as valuable. To get hold of this data – without permission – would necessitate a break-in or an insider job, where a criminal or disgruntled employee steals files or photocopies documents.

These days this data is all stored digitally. It has made the recruitment consultant’s job easier; allowing them to work remotely, access information out of office hours when candidates may prefer to be contacted, and pull up data on a mobile device rather than being tied to a desktop computer.

It has also made it easier for those with malicious intent to access or threaten this valuable IP too. Attacks could come from external or internal threats. Recruitment agencies may be targeted by cybercriminals who know that a ransomware attack would disrupt business so severely that a ransom is likely to be paid. Cyber criminals who understand the value of your data and have potential customers prepared to pay for it. Or an employee, thinking of setting up a recruitment business alone or moving to a competitor, might be tempted to take candidate or client information with them to further their career.

Accessing data illicitly is potentially easier than when it was when locked in a filing cabinet.

Protecting your IP with cyber security tools

Fortunately, there are tools available to protect data and militate against the scenarios outlined above. Besides, there are other compelling reasons to do so. The deadline for businesses to be GDPR compliant is fast approaching (25th May, 2018) and this requires all UK recruitment agencies to ensure (amongst other things) that their candidate and client data is safe. As cybercriminals know that recruiters hold large amounts of data, it is inevitable that they are targets for data theft. Once GDPR is in force recruitment agencies face hefty fines (up to 4 per cent of gross annual turnover or €20 million) for data breaches: enough to put a recruiter out of business.

GDPR covers personal data: “…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Digital CVs and recruiter databases are full of this data and therefore recruitment agencies must ensure they are compliant. Whether an external player initiates a data breach or an insider steals information for competitors or themselves; it still falls under GDPR and exposes the business to the potential fines that none compliance can bring.

Putting appropriate measures and processes in place to protect personal data will not only ensure that your business is protected from GDPR fines, but at the same time these solutions will also protect your IP.

Dealing with external threats

There are plenty of cyber security tools that can be deployed to detect and prevent external attacks. I would recommend exploring solutions that combine 24/7/365 cyber security monitoring with threat intelligence and machine learning.

However, as many cyber security threats rely on someone inside a company to trigger them (ransomware being a good example), your businesses cyber security policies are the first line of defence.

On-going cyber security awareness training should be a priority, giving staff the tools to spot potential threats, keep data safe and avoid introducing malware or other viruses into the company’s systems. This may be a challenge in the recruitment industry, which is known for having a high employee churn rate, but necessary to comply with data protection legislation and protect business assets.

Managing insider threats

Data protection and cyber security training is also important for protecting businesses from non-malicious insider threats (such as sharing passwords or using mobile devices in public places) which may result in data falling into the wrong hands.

However, recruitment agencies also need to protect their data from malicious insider attacks, or from being stolen by an employee who understands the value of this IP. To this end, agencies must be vigilant about identity and access management, and protect valuable data where possible. This might involve restricting access to certain candidate information, controlling what data can be accessed on remote devices, and ensuring that if an employee announces they are leaving for another job their access is reviewed.

Security monitoring can also be used to detect unusual activity; such as an employee accessing data that is not normal behaviour for them, or making multiple attempts to log in to secure areas of the network.

Again awareness also plays an important part. By communicating your cyber security policies to employees and ensuring that they understand how seriously your agency takes its data protection responsibilities, it can be a deterrent to opportunists.

Moreover, your business will have a clear picture of who has accessed your data, as well as when and where; making it easier to pinpoint any disgruntled employees, or those that might be motivated to steal information.  

Ian McGregor, Invinsec
Image Credit: Maksim Kabakou / Shutterstock