Cybersecurity In The Recruitment Sector
In insight / By Lydia Cooper / 30 May 2017
It’s said that the lifeblood of any recruiter is their candidate data. The lists, the contact information, the CVs – it’s all valuable IP. Without this data, how can recruiters compete?
This is why recruitment agencies go to such lengths to lock down company information, to better protect it from not only external competitors and other agencies, but from their own staff.
A report from Deloitte shows that staff churn is still a big concern for recruiters, and all estimates suggest it’s increasing as the market becomes more buoyant. Nearly a quarter of those surveyed in the report said staff left their businesses within 12 months of joining, compared to 18% the year before (1). Other reports show staff churn rates in the recruitment sector reaching 40% - when the average employee churn rate is closer to 15% (2).
So we have a situation where the data held by recruiters is what sets them apart, combined with high staff turnover, meaning that data needs to be securely protected. Layered on top is the challenge that recruiters often contact candidates outside of working hours, so candidate data needs to be accessible outside of normal business hours, and probably outside of the office and from mobile devices.
It’s a unique situation that recruiters find themselves in when trying to protect their data. One that requires an intelligent solution.
There are a number of important considerations to think about:
Cybersecurity can affect any business
Recruiters need to be as prepared as any business operating online and storing data digitally, but because they hold so much personal information on candidates, recruiters will be in the spotlight when the General Data Protection Regulation (GDPR) comes into effect in 2018. The GDPR isn’t just about making sure that data is handled correctly, it’s about protecting it from cybercriminals – and it’s the data holder’s responsibility to keep it safe. Criminals recognise that recruiters hold huge amounts of this information and so agencies are naturally going to be targets.
Recruiter work patterns
Because of high staff turnover rates, many agencies are encouraging employees to now bring their own devices to work, in a bid to reduce the cost base. After all, there’s no point buying new laptops and phones for a recruiter to leave after two months. Furthermore, the capital outlay associated with new tech purchases doesn’t align to most recruiters’ business models that rely on steady incoming revenue and regular monthly outgoings.
A Bring Your Own Device (BYOD) policy introduces security concerns for agencies if not handled effectively. On the one hand, it can be much more secure than having apps and data stored on local devices if effective app and desktop virtualisation and security technologies can be used. On the other hand, it can be incredibly dangerous from a data protection point of view if staff are given free rein to access company applications and data from their personal devices with no controls in place.
It’s about putting in place a solution that gives you full end-to-end control over the data and applications being shared with staff. At Nasstar, we use Citrix technology on HPE enterprise infrastructure to deliver secure virtual desktops to users’ devices.
Keeping staff cyber-vigilant
A report from IBM showed that 95% of all security incidents involved human error – so keeping staff cyber-vigilant is the only way to better protect your organisation as technology alone can’t stop the threat of cyberattacks (3).
Because of high employee churn rates, agencies are looking for ways to offer ongoing and regular cyber awareness training that keeps all employees up to date on the latest threats to look out for, regardless of their tenure at the agency.
Many of our customers moved to Nasstar to reduce security risks across their IT, and whilst we can deliver exceptionally high levels of security through our managed hosting service, we also talk to customers about how they can reduce their risk by offering training for staff and helping customers to get accredited through schemes such as the Cyber Essentials certification.
Protecting an online business
Many bricks and mortar recruitment agencies now rely heavily on their online presence, whether that’s online job boards, their website or CRM systems. We see a lot of agencies developing their own software across business administration, candidate management and CRM systems – but these can be an open door to attackers if they aren’t regularly penetration-tested to look for potential gaps in code.
Additionally, a recruiter’s website is often the weakest link, enabling hackers to get access to internal information and candidate data. Agencies need to continually assess their website’s durability against attack to leave no door open for would-be hackers.
How Nasstar supports the recruitment sector
Cyberattacks are not going away. Even in the last month we’ve seen the havoc wreaked by malware attacks hitting public sector departments and hospitals across the world. If anything, the rate of attacks is increasing at a worrying speed as hackers become more sophisticated in their approach.
To counter this, Nasstar proactively monitors everything across our hosting and cloud environments, looking at all events on our servers, switches and firewalls. We then apply data analytics and machine learning to those events to spot potential threats before they start to impact customer operations. It’s about using security technology in conjunction with the data we hold about events hitting our systems to alert us to attacks before they can materialise. This is often not possible within just one organisation’s internal IT department, but because we deliver managed IT services for many customers, we can pool the event data together to quickly build up a view of what’s occurring across the entire environment.
Built on HPE enterprise infrastructure, we deliver highly secure services from our Telford HQ datacentre, which is purpose-built to deliver an enterprise-ready, secure service to customers.
So what are our quick recommendations for keeping agencies safe from a cyberattack?
Train staff – regularly and consistently. One training session a year will not be sufficient if staff turnover is high.
Be proactive, not reactive – look for IT service providers who can proactively guard against cyberattacks rather than reactively responding to issues once they occur.
Understand cybersecurity at a board level – accept that the risk is always going to be there, but recognise that cybersecurity has to be taken seriously and needs to be a focus area for the business.
Work with an experienced IT service provider to whom you can outsource the management and security monitoring of your systems on a proactive basis, and who has the accreditations and experience to deliver a highly secure service.
HPE and Nasstar
Nasstar is one of the UK’s leading managed IT service providers. We deliver bespoke clouds, professional services, managed IT and a range of technical products to organisations operating within four strategic industry sectors, with a particular focus on the recruitment and legal sectors. Our services are powered by HPE enterprise technology, across HPE servers, HPE 3PAR and more.