For recruitment agencies, their asset of greatest value is their database. Not only does it hold the results of years of hard work and research but it also holds the key to future success. It’s something that’s built upon, nurtured and protected to the extent that when a member of staff resigns, they’re often escorted off premises! And of course, there is also the Data Protection Act aspect too. The question though, is how many of us have appropriate security measures in place to protect from cyber attack?
We’ve all heard about the high profile cases, including some of the biggest names in technology and communications, such as the much publicised cases for Yahoo, Three Mobile, where names, phone numbers, addresses, and dates of birth of around 134,000 of its customers were accessed, and TalkTalk, where 157,000 customers were affected and that attack did target the bank details of around 15,000. Possibly as a result of these incidents, the general perception amongst SMEs is ‘we’re not big enough to bother with’. Unfortunately, cyber crime statistics do not support that view. In the past twelve months, 38% of the UK’s SMEs experienced some form of cyber attack, yet studies reveal 51% of UK SMEs do not see cyber security as a problem.
In 2016, Rapid7, providers of cyber security systems, looked at the prevalence of insecure networks and Internet channels around the world. By their calculations, the UK ranked as the 23rd most exposed to the threat of hacking. Figures released by Get Safe Online and Action Fraud, the UK’s national fraud and cyber crime reporting centre have stated that in 2016, UK businesses reported losses totalling in excess of £1bn in 2016, representing a 22% increase over the number reported the previous year. Cyber crime is on the ‘up’.
For recruitment agencies, potentially the most worrying statistic is that the third most common online offence in the UK is virus penetration – such as Ransomeware. This type of malicious software infects computers and blocks user access. Usually the hacker then demands a fee be paid before allowing the user access again. In the first six months of 2016, 1,380,000 offenses were reported. Key access points and vulnerabilities hackers took advantage of were out of date email encryption, unencrypted ports and server ports, which directly expose databases to the Internet.
Additionally, many recruiters use WordPress as a blogging platform and this is a popular entry point for fraudsters who use it as a backdoor route to the main database. Poorly secured extensions such as RevSlider and Gravity Forms were the most common access points for hackers. Last year, 16,000 WordPress sites were hacked. Frighteningly, McAfee only caught 11%. Google caught around half. Once hackers have gained access, aside from being able to download ransomeware, they can also access the personal information of candidates, and even download viruses that will transfer to customer’s computers when they access your website. The DPA implications are clear.
Earlier this year, Chancellor Philip Hammond warned that UK businesses must be more proactive in protecting themselves from cyber-attacks and that the government cannot shoulder the responsibility alone. In an effort to tackle the exponential rise in cyber crime, GCHQ has launched the National Cyber Security Centre in London. It’s somewhat ironic, though not necessarily unexpected, that in the first three months of operation the NCSC experienced 188 different cyber attacks!
So, what can you do to protect your business? There are some basic steps that can be taken to make your business’s data less attractive to hackers looking for an easy target.
- Install anti-virus and anti-spyware software and set up guards against spam and phishing emails.
- Educate your staff – many attacks are successful because a user opens a file containing malicious code. Indeed, ransomeware needs to be activated in-house and usually gains access through someone opening an infected email attachment. Recruiters receive hundreds of emails from unknown points of origin, so encourage them to be vigilant and to examine file extensions carefully.
- Teach staff about the dangers of logging on to systems using public wifi. In the age of mobile technology, many people have little understanding of the risks of using an unsecured wifi network and often do not bother to log out of that connection once they’ve left the area.
- Encrypt data to make it more difficult for hackers to use it. Typically, Cloud encryption systems work well as they use a complex algorithm – this can be a tough nut to crack as it requires a significant amount of computer power!
- Install enhanced firewall protection – combining hardware and software configurations offer the best solution.
- Put in place a plan for proactive maintenance of systems and servers so that any attempt at intrusion is quickly identified.
- Back up your files.
- Have a disaster recovery plan so that in the event of a successful attack your business can get back to business sooner rather than later!
There are many resources available to businesses now to help prevent a cyber attack. Take advantage of the government’s fraud awareness resources including cyber security training for business. Ultimately, every recruitment agency is vulnerable. Being prepared is the key!
Further resources: