Cyber and data risks as a recruiter
We all remember poor Fatima the ballerina and how she was intimidatingly threatened with a career in cyber in those government advertisements. While recruiters may be more used to helping people into roles in cyber and data, do you ever stop to think about the cyber and data risks that you’re exposed to as a recruitment firm? Cyber attacks on data are on the rise: ransomware attacks have increased by an estimated 62% globally since 2019, and one expert has described the pandemic as “the perfect storm for cybercriminals”. In this article, we take a look at some of the ways staffing businesses are vulnerable to data breaches, and how you can mitigate these risks.
Dealing with data
Data is a recruiter’s most valuable asset, and we need to protect it. What would happen if your database of contractors, including sensitive data like their passport numbers and telephone numbers, got into the wrong hands? How would your end clients feel if they knew their privacy had been breached? What financial losses might your company incur if that data was held to ransom?
GDPR rules brought in a whole raft of measures to try to protect personal data. Recruitment firms did a lot of compliance work when the regulations first came into force in 2018, but as things become business as usual, we know that the risk of data leaks increases. People become more relaxed about the risks, or good compliance procedures have been established but aren’t always followed in practice. The COVID-19 lockdowns and the massive increase in home and remote working have also meant that data is in our homes and sometimes on personal devices in a way that it might not have been 18 months ago.
Have you adapted your processes to take into account this additional risk? We’d advise all recruitment firms to review their procedures for data management and security to take into account new working conditions. This is particularly important as things open up again post-COVID and many recruitment businesses blend remote and office working, meaning that data may be transported between different locations and sometimes on public transport.
Awareness is key
Scammers are becoming more and more sophisticated in their methods. It used to be easier to spot a phishing email from its poor written English, clumsily worded requests for money transfers and email addresses filled with random characters. While these attempts still exist, many scams now are virtually indistinguishable from a genuine interaction. Scammers appear to be calling direct from your bank on the correct number. The infamous Royal Mail scam convinces users to input their details into a website that flawlessly replicates the institution's corporate branding. You need to have your wits about you. Making awareness of cyber and data security a regular part of the working week helps to keep the possibility of such scams and dupes in the forefront of your teams’ minds, making them less likely to fall victim.
Consider a regular training session - a monthly “compliance and data risk tip” - where you can:
- Update your team on any newly identified scams or security risks.
- Take contributions from the team as to any risks they have identified or come across in the course of their work - and work together to fix them to minimise risk.
- Bring in outside experts where necessary to strengthen your knowledge and risk management skills in this area.
Training staff in compliance with data security and awareness of cybersecurity risks should be an essential part of the induction process for new team members.
Working with contractors
As they might work for many different clients over a relatively short period of time, contractors are particularly vulnerable to cyber and data security risks. Different clients might have different security processes to follow, so contractors may struggle to keep up with the requirements for each job, introducing an extra element of risk into proceedings. Contractors may be simultaneously handling lots of different sensitive data for different clients, and it's important to prevent these from getting mixed up. They might also be using their own equipment rather than a company-provided computer and/or mobile phone (as this is an IR35 indicator).
Onboarding and cyber liability insurance
This is where stringent onboarding processes can help - supporting recruiters to vet, train and upskill contractors in data and cybersecurity. Make sure contractors are fully briefed about the risks and contracted to adhere to minimum standards of data security that you set out for them. You can also recommend (or require) that your contractors take out cyber liability insurance. This can be chosen as an easy add-on to Kingsbridge’s existing comprehensive and compliant insurance packages for contractors, and offers cover for business interruption, system and data rectification costs, regulatory defence and penalties, and extortion and ransom costs.
Contractors holding our cyber liability insurance will also have access to ReSecure, a dedicated 24-hour helpline and specialist cyber incident report service. In the event of an attack, ReSecure will identify the cause of the breach, help recover lost data and get systems back up and running. Having cyber liability insurance means that your contractors can hand over the problem to the experts to solve, allowing them to return to work more quickly. Recommending this insurance to your contractors means that both you as the recruiter and your end clients have an extra layer of security in the battle against cybercriminals.
No one wants to find themselves the victim of a scam, attack or breach of data, but there are simple measures that recruiters can take to make sure that they, their staff and their contractors are not easy targets. Stringently applied and regularly updated compliance processes, regular collaborative training and a robust onboarding process can help you take these risks in hand. And, because no defence is completely watertight, our cyber liability insurance can be there to shoulder the burden and help your contractors to put things right again if the worst does happen.