Guest Blog: Why Cybersecurity is Different to IT Support

Many recruitment businesses have suffered the consequences of mistakenly assuming that their IT provider is also looking after their cybersecurity, when in almost every case, they are not. And nor should they be, because IT support and cybersecurity are 2 entirely different, and independent, functions.

A good cyber security company will work alongside your IT people to ensure that you have the right protective measures in place (and ensure that you are not breaking the law).

Ask yourself the following questions about your cyber security.

1. Who is currently undertaking your cybersecurity risk assessment?

If the answer is " no one ", you're actually breaking the law. The rules regarding the security of personal data require you to assess the risks in your systems and have a risk management framework in place. In addition, candidate data, client data, business secrets, competitor analysis, pricing information, business plans, financial theft and destroyed reputation are all at risk if you are breached.  A good cyber security company will have risk management experience and be able to advise you on the right balance between open IT functionality and mitigating risk.

2. Are you complying with your professional requirements?

A good cyber security advisor will have the right legal expertise to know about your sector security obligations, including the REC Code of Professional Practice and ensure that you are satisfying them.

3. Who is pressure testing your technology?

Security is not achieved simply by having firewalls and anti-virus software. Everyone has that, and it does not stop them from being breached (or prevent their staff from clicking the button that installs ransomware). It is a sobering fact that 86% of cybersecurity victims have computer security software in place – but it does not provide the protection they thought. We usually find that the defence software is not set up or configured properly, that security updates are not regularly installed.  Other common vulnerabilities include Wi-Fi, use of cloud services with weak or no passwords, unintended open access to candidate personal data and confidential financial information, unauthorised personal device connections, inadequate backup arrangements, lack of encryption, use of unauthorised memory sticks, access to payroll information, etc.  This list is long.  So, penetration testing and scanning, coupled with a regular review through the eyes of a cybersecurity specialist, will find out where the leaks and open back (and front!) doors are.

4. Who is doing your cybersecurity awareness training?

That's not the same as IT training of course, which covers using software and hardware. This is all about making sure your staff are aware of the type of dangers which exist, including the tricks fraudsters are using to gain access to your systems, data, and finances, and the ways in which staff can stay vigilant to avoid random and more targeted attacks. It is estimated that more than 60% of breaches are caused by staff error or staff falling for tricks. Examples include false and impersonated emails, opening dodgy attachments, connecting an infected device, or using a weak password. So training is a key part of your defences. Again, this is now also a legal obligation so if you're not doing training, you're breaking the law.

5.  Have you got the right cyber policies and procedures in place?

Another important way of defending against cyber-attacks is by having the correct policies and procedures in place (and it's another legal obligation). They're there to protect your organisation, your staff and your customers. They should cover things like the rules on Bring Your Own Device (BYOD), password control, remote working, use of cloud platforms etc. And get your staff to sign for policies, so everyone knows what the rules are and what's expected of them.

6.  Are you paying too much for security?

Many people seem to think that buying some additional software will of itself provide additional security. But that is not so.  Frequently we find businesses have purchased a patchwork of expensive but overlapping security software when actually their existing technology has perfectly good protection built in, if only it were correctly configured (and in some cases, actually switched on!).

7. Who is monitoring your security?

Your technology and the state of its security changes over time, and the threats you face are constantly evolving. So making your system secure is not a one-off fix. An independent pair of eyes in the form of a cybersecurity specialist can ensure that your defences are kept up to speed. Don't ask your IT support to mark their own homework - it's not fair on them, and it's not good risk management.

As the recruitment sector becomes more digitised, recruiters become more exposed to the increasing number of cyber threats.  Greater use of the cloud can increase your attack surface.  And cybercriminals are becoming more sophisticated all the time, with artificial intelligence and machine learning providing them with better tools to attack your business.

Cybersecurity is a serious concern for all recruiters, and it requires Board-level attention. Take action now to avoid being hit.