For the recruitment industry, candidate data is what differentiates a successful recruitment agency or recruiter from those that fail to hit their targets. Recruitment agencies spend many years building up and nurturing their lists, which makes those lists valuable IP.
Once upon a time this data existed in the filing cabinets that used to flank the walls of a recruiter’s office. Contained in each would be the candidates’ CVs and contact details, as well as client information that was equally valuable. To get hold of this data – without permission – would necessitate a break-in or an insider job, where a criminal or disgruntled employee steals files or photocopies documents.
These days this data is all stored digitally. It has made the recruitment consultant’s job easier, allowing them to work remotely, access information out of office hours when candidates may prefer to be contacted, and pull up data on a mobile device rather than being tied to a desktop computer.
It has also made it easier for those with malicious intent to access or threaten this valuable IP. Attacks could come from external or internal threats. Recruitment agencies may be targeted by cybercriminals who know that a ransomware attack would disrupt business so severely that a ransom is likely to be paid. Or an employee, thinking of setting up a recruitment business alone or moving to a competitor, might be tempted to take candidate or client information with them to further their career. Accessing data illicitly is potentially easier than it was when the data was locked in a filing cabinet.
Protecting Your IP With Cyber Security Tools
Fortunately, there are tools available to protect data and militate against the scenarios outlined above. There are also more compelling reasons to use them. The deadline for businesses to be GDPR compliant is fast approaching (25th May, 2018) and this requires all UK recruitment agencies to ensure (amongst other things) that their candidate and client data is safe. As cybercriminals know that recruiters hold large amounts of data, it is inevitable that they are targets for data theft. Once GDPR is in force, recruitment agencies face hefty fines (up to 4% of gross annual turnover or €20 million) for data breaches: enough to put a recruiter out of business.
Dealing With External Threats
There are plenty of cyber security tools that can be deployed to detect and prevent external attacks. I would recommend exploring solutions that combine 24/7/365 cyber security monitoring with threat intelligence and machine learning.
However, as many cyber security threats rely on someone inside a company to trigger them (ransomware being a good example), your business’s cyber security policies are the first line of defence.
Ongoing cyber security awareness training should be a priority, giving staff the tools to spot potential threats, keep data safe and avoid introducing viruses or other malware into the company’s systems. This may be a challenge in the recruitment industry, which is known for having a high employee churn rate, but it is necessary to comply with data protection legislation and protect business assets.
Managing Insider Threats
Data protection and cyber security training is also important for protecting businesses from non-malicious insider threats (such as sharing passwords or using mobile devices in public places), which may result in data falling into the wrong hands.
However, recruitment agencies also need to protect their data from malicious insider attacks, or from being stolen by an employee who understands the value of this IP. To this end, agencies must be vigilant about identity and access management, and protect valuable data where possible. This might involve restricting access to certain candidate information, controlling what data can be accessed on remote devices, and ensuring that if an employee announces they are leaving for another job, their access is reviewed.
Security monitoring can also be used to detect unusual activity, such as an employee accessing data in a way that is not normal behaviour for them, or making multiple attempts to log in to secure areas of the network.
Again, awareness plays an important part. Communicating your cyber security policies to employees, and ensuring that they understand how seriously your agency takes its data protection responsibilities, can be a deterrent to opportunists.
If you’re concerned about cyber security threats, specifically in the recruitment sector, and would like to discuss this in more detail, please contact our team by either calling 0808 16 48732 or emailing firstname.lastname@example.org. We are happy to talk through your concerns, explore how best to protect your business and share our expertise.