Cyber Security – What’s the big deal?
Cyber security – what’s the big deal about it? For recruitment businesses and temporary labour supply chain intermediaries (we include ourselves in that), it’s a question that demands serious consideration.
Cyber criminals are constantly targeting organisations where they can access large amounts of sensitive information, and the contingent labour supply space is prime pickings. Candidate data is the most valuable intellectual property asset for a recruitment agency. A breach could bring a business to its knees overnight, and even a quick recovery might not prevent long-term reputational damage and risks to candidates and clients.
Given the wide range of risk factors recruitment businesses face, it’s crucial to evaluate your current position regarding some of the most likely threats and how you can enhance your security measures.
The Value of Confidential Data
Recruiters handle a vast amount of confidential data. If compromised, this could cause significant issues for both candidates and clients. In order to best serve their clients, recruitment agencies hold information that may not be in the public domain, such as new roles, restructuring projects or business plans. Additionally, salary information and related budgets, if exposed, could provide a competitive advantage to other recruiters. Being on a preferred supplier list or having long-term contracts means this information needs to be protected to avoid losing business to competitors.
Specialist recruiters, with access to information about many companies within a certain sector, present an even more attractive target for cyber criminals. Protecting this sensitive data is paramount.
Candidate Trust and Responsibility
We all appreciate that candidates place a great deal of trust in their recruitment agency and umbrella company. This trust comes with the responsibility to handle their personal information securely. The range of personal information held for one candidate could include:
- Contact details
- Home address
- Income
- Personal history
- ID – passport or driving licence
- Bank details
This sort of information requires careful handling. Imagine this at scale, with hundreds or thousands of candidates in one database. Such a database is an attractive target for cyber criminals, both for selling the information and for ransomware attacks. Aside from personal details, recruiters also store employment contracts, which include sensitive information about salaries, bonuses and benefits.
The Shift to Online Systems
Thankfully in this day and age, information is now stored in online systems rather than paper files! The security controls available in these systems, if implemented and maintained well, offer many layers of protection against cyber attacks.
However, the complexity of online business, with interconnected systems and devices, means that agencies need to consider more than just their own systems. Access to client systems and information sharing increases the attack surface for cyber criminals.
Outsourced IT Management
Many businesses within the contingent labour supply chain, often due to their size and focus, outsource their IT management. However, without some due diligence, this could pose a risk in itself. Outsourcing IT without sufficient knowledge could be a bit like outsourcing salary negotiations without oversight – the damage could be significant, but avoidable.
It’s important to seek support and invest in understanding IT security ahead of appointing a supplier. Key areas to question include device management, backups and patch management.
Lack of Industry Standards
Despite handling so much personal and sensitive data, the recruitment industry and supporting businesses lack support and guidance from professional bodies on cyber security. While GDPR provides some support, it doesn’t fully address the need for heightened security levels within the industry.
Taking on the Challenge
Addressing cyber security in your business may seem daunting, but it doesn’t have to be. Start by raising awareness of the risks within your teams. Although cyber attacks are delivered through digital means, they often pass through humans. Phishing emails, ransomware, invoice fraud and social engineering can be mitigated by investing in awareness training and cultivating a security-conscious culture. This will better protect you, your candidates and your clients in the event of an attack.
Pro Insight – Getting started with Cyber Security
Now we’ve established that cyber security is a big deal, let’s bring in an expert!

Mike Blake, 7-6 Tech
Mike Blake is Managing Director of leading IT firm 7-6 Tech, which provides expert support with IT, telecoms, networking, cybersecurity and mobile across the South. Specialising in supporting payroll businesses, accountants and umbrella companies, Mike has a deep understanding of the unique needs of businesses within the contingent labour supply chain.
He explains how to start with the basics when it comes to cyber security:
“Before chucking loads of money at Cyber Security, make sure you have your basics sorted first. Cyber Essentials is a great place to start, although the clue is in the name… “Essentials”. Just because you have the chufty badge (Cyber Essentials Certificate) doesn’t mean you won’t get breached. Unless you need the chufty badge to tick a box for a tender, you’re better off speaking with your IT/Cyber Security provider about how you can really protect your company data, rather than how you can get a certificate. Cyber Essentials is a catch-all, but every company is different. Get a Cyber Security strategy tailored to your business.
These 3 steps are a good starting point and you won’t find all of this in Cyber Essentials:
Step 1: A common method of attack is to trick your users into opening the front door, gaining the keys to the kingdom: “Hello Hacker, take a seat, make yourself at home, take what you want”. For that reason, your number 1 priority should be getting the people you trust with your data (your staff) trained to a degree where they can prove they’re trustworthy….trust being earnt and all that. Once they’re trained, train them again. It does not matter what technical controls you put in place, they’re flawed if your users are opening the door.
Step 2: Rule out the possibility of breach as best as possible. In other words, implement tools to stop the hacking attempts in the first place. But this is where you need to fight off the “buy everything” brigade and decide what is reasonable. Reasonable effort, defence, expenditure, value for money etc. Do you need to have the best Cyber Defence products in the world? Insert Pareto principle cliché. Microsoft’s Business Premium licences plus Defender Plan 2 give you a really good value for money “all-in” package here.
Step 3: Carefully manage WHO accesses your data, WHAT devices they use and WHERE they access from. This will rule out a significant number of methods of accessing your data. Here’s a bit more info on that:
- WHO: Users
  - 2FA must be enabled
  - List must be accurate, remove all old users
  - Permissions must be correct for all users. Admin accounts should be for admin purposes only
  - Good password hygiene (Password Managers are a really good idea)
- WHAT: Devices
  - Only company recognised devices should work with your company data. Everything else should be blocked… so you can’t just log in from your home PC, or any PC anywhere
  - Devices must be compliant before company access is allowed:
    - Endpoint Protection / Anti-Virus & EDR should be enabled
    - Software Updated
- WHERE: Location – Make sure access to your data is only from pre-defined locations OR through VPN. Then, literally everyone everywhere in the whole world is rejected access.
They’re no-brainers really, aren’t they? But you’d be surprised how many people don’t follow those basics.”
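The WHO / WHAT / WHERE checks from Step 3 can be written as one default-deny access decision. The sketch below is an added example, not code from 7-6 Tech or from any product named above; the user names, device IDs, network ranges and the `evaluate` function are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy data (hypothetical users, devices and networks).
ACTIVE_USERS = {"asha": {"mfa": True, "admin": False},
                "it-admin": {"mfa": True, "admin": True},
                "tom": {"mfa": False, "admin": False}}
ENROLLED_DEVICES = {"LT-0041": {"edr": True, "patched": True},
                    "LT-0057": {"edr": True, "patched": False}}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),  # office (documentation range)
                    ipaddress.ip_network("10.8.0.0/16")]     # VPN address pool

@dataclass
class SignIn:
    user: str
    device_id: str
    source_ip: str
    wants_admin: bool = False

def evaluate(signin):
    """Return (allowed, reasons); every failed check is reported, default deny."""
    reasons = []
    # WHO: account is on the current user list, has 2FA, and admin is admin-only.
    user = ACTIVE_USERS.get(signin.user)
    if user is None:
        reasons.append("WHO: unknown or removed user")
    else:
        if not user["mfa"]:
            reasons.append("WHO: 2FA not enabled")
        if signin.wants_admin != user["admin"]:
            reasons.append("WHO: admin accounts are for admin purposes only")
    # WHAT: device is company-recognised and compliant.
    device = ENROLLED_DEVICES.get(signin.device_id)
    if device is None:
        reasons.append("WHAT: unrecognised device")
    else:
        if not device["edr"]:
            reasons.append("WHAT: endpoint protection/EDR disabled")
        if not device["patched"]:
            reasons.append("WHAT: software updates missing")
    # WHERE: source address is inside a pre-defined location or the VPN pool.
    try:
        ip = ipaddress.ip_address(signin.source_ip)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            reasons.append("WHERE: location not allowed")
    except ValueError:
        reasons.append("WHERE: unparseable source address")
    return (not reasons, reasons)
```

Returning every failed reason, rather than stopping at the first, lets the same function drive both the access decision and a periodic audit of which users and devices would currently be refused.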
In conclusion
To sum things up, cyber security is an essential concern for recruitment businesses and contingent labour supply intermediaries. Protecting sensitive candidate and client data is crucial for maintaining trust and avoiding severe business repercussions.
By understanding the risks, implementing robust security measures and embedding a culture of awareness and responsibility, agencies can safeguard their most valuable assets. It’s a critical investment in the future security and reputation of your business.