The recruitment sector is particularly vulnerable to cyber attacks due to recruiters processing large quantities of valuable data, making you a big target for cybercriminals.

With 82% of UK recruitment firms adopting some form of hybrid working, you also need to ensure any staff working from home are secure.

Recruitment agencies are built on trust – your clients and candidates need to know their personal data is safe in your hands. If you haven’t considered your cyber resilience before, you must learn about the cyber security dangers for recruitment agencies and how you can mitigate them.

What are the Cyber Security Dangers for Recruitment Agencies?

• Sensitive data management
  • A lot of the data that is stored in the recruitment is Personable Identifiable Information (salaries, gender, contact information, job description, previous employers, references etc.). Therefore it is critically important that only those who are authorised to do so can access it. This means ensuring all accounts have strong, unique passwords and Multi-Factor Authentication enabled. The best practice would also be implementing a data classification tool to prevent sensitive data from leaving your organisation intentionally or accidentally.
• Phishing attacks / Malware (email attachments)
  • As a recruiter, you will receive vast amounts of CVs as email attachments. As any one of these could be disguised malware, you need to stay vigilant in checking them. The same goes for hiring managers and finance staff or recruitment businesses, as these staff and departments are also more likely to receive malicious email attachments
• ,Remote working - lots of staff working remotely, high volume of client meetings
  • A lot of staff working remotely brings a lot of cyber security risks as senior leaders will have less tangible control over where their employees work, meaning they could be working from unsecured public wifi, they could be working on a crowded train leaking sensitive data to anyone closeby who happens to be shoulder surfing, they could be leaving devices unattended in public working spaces.
• A high volume of client turnover - data
• The high volume of staff turnover - taking leads, clients with them, devices
  • Recruitment is an industry that has historically seen a high staff turnover rate, with top recruitment consultants often being headhunted by rival firms. With this in mind, it is vitally important to secure your data and restrict a staff member's access to data and devices as soon as possible; to limit the amount of client & candidate data they can exfiltrate and take with them.
• Scams facing firms/candidates
  • The past 3 - 4 months have seen a rise in the number of scam job postings aimed at harvesting key Personal Identifiable Information from candidates who apply. ,Read more here

How can a recruitment firm mitigate these risks?

• Security Awareness Training - from board level down
  • A company's cyber security posture must be emboldened by all staff, ideally from the board level down, with multiple security champions. ,Security Awareness Training should be done quarterly, and ideally, content should be amended each quarter to reflect gaps in staff members' knowledge.
• Devices - Anti-virus and firewalls
  • Anti-malware (anti-virus) should be installed on all work devices as a mandatory defence; this should also have automatic updates enabled. Another defensive measure ensures firewalls are activated locally on all laptops and desktop computers. These are set to the most secure settings to prevent as many unauthorised connections as possible.
• Controlling devices - encryption, backups, auto-updates, remote locking, MFA
  • All devices should ideally be enrolled in a Mobile Device Management (MDM) solution, as this allows the organisation control over what devices can be used for, what software can be installed, and how often updates for Operating Systems & anti-virus are installed. Other features can include: ensuring encryption is enabled on all devices and ensuring all devices are backed up as frequently as possible within business processes
• Implementing key security policies with all new hires
  • Security policies are a must within businesses, especially for new hires. They can state acceptable use, account password strength, processes to follow with phishing emails and much more. They are a fundamental component of having all staff members working towards a coherent cyber security stance.
• Remote working - VPN, security screens
  • In addition to firewalls and anti-virus, it is important to have a VPN enabled on all devices used by staff working remotely. This provides security by changing the devices IP address and encrypting all data sent, so colleagues working on unsecured public WiFi vastly reduce their exposure to threats/attacks
  • The best practice for ,remote workers is also to consider installing security screens on all devices; this will reduce the risk of shoulder surfing and sensitive data exposure as only the screen will be un-viewable to anyone but the user.
• Cyber Essentials
  • Cyber Essentials is a government-backed scheme that allows your business to become certified, displaying to your clients that you have robust security measures in place. For more information, read ,here.

Scenario(s) for cyber attacks or data breaches in recruitment

A recruiter based in Manchester has an external meeting in Birmingham on Monday morning. He travels by train to and from the meeting, returning to the office in the evening. When he returns to the office, he realises he has left his laptop on the train.

What controls should be put in place to mitigate the risk if this happens?

• Multi-Factor Authentication, Encryption, ‘Find my’ enabled, fingerprint, a strong account password, online account passwords saved in a password manager, VPN, external backups done weekly

What could happen if these controls aren’t in place?

• Weak passwords, no MFA and no fingerprint = easy access
• Backups = loss of data
• No VPN = company data stored on the device
• No Password manager = passwords stored on a note
• No ‘Find my’ = unable to pinpoint where the device has ended up

Watch out for Fake Profiles on LinkedIn making connection requests

Rachel, a Liverpool-based recruiter, is checking their personal LinkedIn account on Thursday afternoon. Earlier that day, Rachel had attended a local networking event, and she noticed several new connection requests and messages in her inbox. Scanning through the names, they all look like people she met that morning, so she clicks accept on all the requests without any further checks.

Amongst these requests, there are several fake profiles; the attackers behind these profiles quickly scan Rachel’s full profile, downloading key personal information (including; full name, a recent vacation, home address, work address, children’s names, pet name and details about her new company car) as part of their social engineering efforts.

• Using this information, attackers send multiple phishing emails to Rachel’s work account to gain access to her email account or find out further personal information - bank details or other financial information.
• Using the personal details they’ve found about Rachel, attackers then create a word list of potential passwords she may use. This will then be used to try and unlock her email and other online accounts.

What controls should be implemented to mitigate the risk if this happens?

• Rachel ensures that all of her accounts (or all accounts that offer MFA) should have MFA enabled
  • Ideally, this will be using an Authenticator Application, such as Google Authenticator, as these are more secure than SMS MFA as mobile numbers can be publicly available
• Rachel should follow NCSC guidance when choosing her passwords to be strong, unique and random. In addition to this, because she uses random passwords, they are not related to her in any way, which would render the Attacker's custom-made wordlist useless

What could happen if these controls aren’t in place?

• Because the Attacker is using a custom-made wordlist, specifically using information related to Rachel, the risk that they successfully crack one of her passwords is much higher
• If the Attacker cracks one password, and Rachel re-uses that password across all of her accounts, then all of her accounts are now compromised; meaning the Attacker could access highly confidential PII, steal money from her bank accounts, and could also change all the credentials to access/recover the account - meaning Rachel loses access forever

Watch out for LinkedIn Phishing Messages in your inbox

A Chester-based recruiter is checking his personal LinkedIn account on a Monday morning after posting a new job advert last week; he notices several new connection requests and messages in his inbox.

Scanning through his inbox, he sees some replies, including CVS. Without checking the message, he opens the CV file ‘Ben Nevis.pdf’; upon downloading this file, his computer quickly crashes. Unbeknown to him, malware has now spread into his computer and his company’s computer network.

What controls should be implemented to mitigate the risk if this happens?

• The recruiter's computer should have a reputable Antivirus solution in place; this will scan the computer regularly, allowing it to identify and quarantine the malicious file
• The recruiter's company should also have a backup system in place, which would ideally be air-gapped (not connected to the daily company network) so the malware cannot infect it; this can be done using the cloud, or a storage device kept separate from the network.
  • Backups should also be taken as often as possible, aligning with business needs/capabilities. Ideally, this would be every 12 hours, meaning the recruiter's company could restore the infected devices to a safe state and only lose 12 hours of work instead of the entire network

What could happen if these controls aren’t in place?

• Antivirus is the first line of defence in a malware attack, however depending on the type of malware and type of antivirus in use, it may be bypassed
  • If the malware does not use AI, it may not recognise the malware signature and thus will not detect it
  • If the attacker develops an entirely new type of malware, the signature will be brand new and will not be “stored” by the Antivirus, meaning it will be undetected
• If the recruiter's company does not have backups, then they will not be able to restore to a safe state, meaning all of their files will be encrypted and lost
  • If the backups are connected to the network, then there is the chance that the malware can infect and encrypt them as well, meaning everything will be lost
  • If the recruiter's (& subsequently the company's) files are all encrypted, the Attacker may demand a ransom so large that it will cripple the company if paid, meaning the business will cease to exist, and numerous people could lose their jobs

Start your Cyber Security journey with these resources:

• Free Members Newsletter - Join over 700 businesses already signed up to receive our weekly security updates.
• Cyber Incident Response Plan - contains documents to help support your business plan's response to a cyber incident.
• Cyber Health Check - this can provide your business with a summary of your Cyber Risks and an action plan to help protect you against the latest cyber threats.