Cyber attacks can have a devastating impact on the reputation of any business, including those in the recruitment sector. They can not only damage relationships with existing clients but also make it harder to win and retain future clients.
This was seen recently when the global recruitment giant Randstad was hit by a cyber attack in December 2020 that led to “unauthorised and unlawful access” to data related to its operations in the US, Poland, Italy and France. If a company as dominant as this can be infiltrated, then why not you?
So Why Attack Recruitment Agencies?
Cyber criminals target businesses that are heavily reliant on their online systems, applications and infrastructure. As a recruitment agency, it is important to understand that you present a direct target for cyber criminals. Overall, UK businesses are hit every 50 seconds, and as the recruitment sector makes up a significant percentage of the overall UK market, it is very susceptible to being attacked on a regular basis.
This time last year, the recruitment sector looked completely different. COVID-19 and the movement for racial justice have changed recruitment practices significantly. The pandemic resulted in people recruiting remote workers virtually, and this has become the “new norm” for many individuals around the world. The recruitment industry proved very adaptable to change, managing to thrive and grow while many more ‘rigid’ parts of the UK economy struggled to adapt to the changes required.
Is it any wonder that UK recruitment agencies are being targeted by cyber criminals? However good recruitment agencies are at filling employment positions, they are, alas, not fully aligned to security. They trade the fundamental pillars of information security on their networks for the functionality of the applications and systems that agencies and groups use to entice potential clients (employers and employees) to use their services. Speed is the aim of the game here!
10 Considerations to Take
So, in order to make progress, it is important to understand the vulnerabilities and prepare for what is coming now and onwards into 2022, at such a volatile time. Added to this, the recruitment industry is bigger than ever, worth over £35 billion to the UK economy. This document provides an overview of the aspects of a recruitment agency that are most likely to be vulnerable from a cyber security perspective:
Physical Security – The physical element has to be considered when assessing security risk. The organisation should have an enhanced understanding of the environment in which employees use company equipment, where corporate data is processed, and what access other non-organisational individuals have to that equipment.
Home Networking – Home networks (wireless and cabled) are being shared between work activity, gaming, learning and streaming services. Together with the additional weak devices (IoT devices) placed on the network, this can increase the risk to corporate equipment. Special provisions should be made to advise employees on how to isolate wireless networks, in order to minimise any contamination of communications and reduce the potential for compromise from less secure devices present on the network.
Secure Remote Connections – The applications used to connect employees into the agency network need to be secured, not just from the perspective of the encryption in use, but by using additional strong authentication methods to validate the user being granted access to the corporate network. One way to secure data as it moves between your core systems and externally based employees is to deploy a VPN. Most larger organisations will already have a VPN service in place and should check that they have sufficient seats (licences) to provide this protection across their complete employee base. Smaller agencies may have to identify a VPN solution if nothing is in place.
Network Management and Remote Monitoring Solutions – IT administration needs to be undertaken in a secure manner, allowing only necessary users with the correct permissions to make changes to the network, whether in an administrative role or in a management role over the data.
Cloud Services – Connections to cloud services remain a vulnerability for many industries, not just the recruitment sector. There has been an increase in connections to corporate services being allowed from untrusted locations, such as employees’ homes or ad-hoc working areas. Access to cloud services needs to be secured as far as the organisation is able, while still allowing staff to operate effectively within a secure collaborative environment.
PII/Data Handling and Processing – The handling of data has now been passed to a wider range of terminals and devices, which are located outside the organisation’s walls. It is therefore easier for information to be handled outside accepted normal practice, potentially leading to data being received, processed, shared, stored and viewed on unauthorised devices. It is recommended that data is processed and stored within a secure collaborative environment, such as O365, because of the security the platform provides for the data.
Lack of Training – The human error threat to recruitment companies comes down to a lack of cyber security training. Not everyone is aware of the dangers of malicious software, and as security exercises have shown, a fair proportion of employees cannot spot a phishing email in their inbox. While the more tech-savvy employees are more likely to understand cyber threats, there will remain an old guard who require greater awareness training. It’s still no guarantee that the digital natives know everything, so training should be implemented for all staff.
Governance – If the organisation doesn’t maintain the correct governance to cover risks, then not enough will be done to protect your recruitment agency with regard to the policies, plans and processes used within the new-normal working environment. With data stored digitally, a recruiter’s job is made easier, as they can access information out of hours, remotely and over a variety of access mediums, including on a mobile device if that is the only way a candidate can be contacted. However, this ease of use also opens up opportunities for cyber criminals to attack, and there is a lack of remote working policies and procedures in place.
Threat Management – Only when an organisation understands its weaknesses can it take a reasoned approach to managing the risk to the organisation. Recruitment companies spread their wings over the majority (if not all) of industries within the UK, and that reach itself can act as a vulnerability to the organisation. Regular checking of threat intelligence feeds and maintaining a ‘round-the-clock’ capability should be considered, to allow out-of-hours incidents to be reported and to allow proactive searching for leaked credentials on the Dark Web.
Incident Response – Of course, as the Randstad attack showed, if an attacker wants to get into an organisation, where there is a will there is a way. Therefore, as an organisation, you will need a pre-defined incident response plan. This will allow the organisation to recover to business-as-usual activities as quickly as possible, with as little impact on day-to-day operations as possible.
If the agency does not have an incident plan, it is highly likely that recovery to BAU will take longer, and there will also remain a possibility that the original point of infection is never closed, allowing continued access through the original backdoor or others placed on the company servers.
Data will always be a valuable target to an attacker. Therefore, the organisation needs to ensure it is well positioned to protect its data with as many reasonable precautions as it can afford, to help staff understand how to access data securely and how to process and share information correctly, and to be in a position to respond to an incident when it occurs.
The list above is never going to be an exhaustive list of security considerations, nor is it specific to recruitment agencies; the same considerations apply across multiple industry sectors, which can likewise be exploited by cyber criminals.
For an independent assessment of your organisation, it is recommended that each of the elements above is assessed and that a mitigation plan is put in place that allows the organisation to introduce the necessary controls in an organised and structured way. This will allow the organisation to understand its position on the maturity levels of cyber security and incident response, and to understand the gaps it needs to fill with a solution or mitigation plan.
For a more detailed conversation, please do contact us for further information.