Onrec logo The Online Recruitment Resource

How secure is your recruitment system?

When it comes to security, recruitment firms cannot be too safety conscious. Ensuring that the IT infrastructure can’t be compromised by departing employees, other recruiters or third party organisations for any sinister means is critical. A recruitment agency’s value is based so much on its data and information after all

Tim Richards, Managing Director at Bond International Software

When it comes to security, recruitment firms cannot be too safety conscious. Ensuring that the IT infrastructure can’t be compromised by departing employees, other recruiters or third party organisations for any sinister means is critical. A recruitment agency’s value is based so much on its data and information after all.

Such security breaches often happen in the world of recruitment but they tend not to hit the headlines, going unnoticed by recruiters, clients and candidates alike. Not surprisingly, recruiters are unwilling to admit that the systems and processes which they have in place haven’t been sufficiently robust to prevent such attacks or illicit activity. Not only would it deter valuable clients and candidates from trusting them in the future but they may also be liable to a hefty fine from the Information Commissioner’s Office (ICO) for personal data breaches.

With many firms using cloud-based systems and the rise of mobile recruitment, recruiters must be aware of the security risks that exist, and therefore the measures that are – or are not – in place to combat them. Putting your head in the sand and hoping it won’t happen to you simply isn’t good enough. Ensuring you are well-informed and aware of the issues can go a long way to reducing the risk of such threats. Here Tim Richards, Managing Director, Bond International Software suggests five key questions that recruiters should ask their IT system suppliers in order to safeguard themselves and their candidates’ data.

How vulnerable is my system to hacking?

Ask your system supplier when they last had a penetration test carried out by an external and suitably accredited company. Typically, the external tester is provided with a small amount of information on the system and will then try to hack into it and assess how easy/difficult it is to steal data. It will provide a pass/fail report and detail vulnerabilities. Such tests should be carried out at least once a year and whenever software is changed or upgraded. Ask to see a copy of the report and also whether the supplier’s software has a history of attacks. They may be unwilling to give you a straight answer but it shows that you are on the ball.

How stable and resilient is my system?

You also need to assess the robustness of your system. Hackers can flood a system with requests for information (called distributed denial-of-service attacks or DDoS) in an attempt to bring it down which could mean your IT infrastructure comes to a standstill and impacts day-to-day operations. Ask your supplier how vulnerable their system is to such an attack and once again quiz them on the regularity of external independent testing. Also ask them what back-up they have in place if their servers effectively keel over: for instance, is your data being hosted at multiple data centres? And if so, if one centre goes down can another take over without there being any disruption to business?

Is my data safe from internal threats?

While a good software supplier should be committed to ensuring the security and robustness of your IT infrastructure when using a hosted solution, it can do less about the internal threats that lurk. For instance, a supplier can’t stop one of your recruiters printing out a screenshot of your hottest top 50 and taking it out of the building. You must, therefore, ensure you have the right policies, password protection procedures and best practices in place to make sure your data can only be accessed by those authorised to see it. It also comes down to trust: if you are genuinely worried about an individual walking out of the building with valuable candidate information, should they be working for you in the first place? Also be alert to the kind of data that has most value to competitor organisations. The proliferation of professional and social networking sites means that basic candidate details are often already in the public domain but any information revealing the candidate relationship, such as interview notes that might be held on to the system, is far more valuable.

Is my system secure in the mobile environment?

Recruiting is becoming increasingly mobile. You have to accept that recruiters will access your system and data in real-time from a mobile device such as an iPad or iPhone while sat in a coffee shop miles from the office. The advent of bring your own device (BYOD) and what is referred to as the consumerisation of IT means that in some cases there is no longer a distinction between the technology a recruiter uses for home and work. This exposes recruitment companies and their data to a new level of risk so you must ask your supplier whether their security measures extend to the mobile environment and what you need to do to make your data more secure.

What industry standards do you hold?

Ask whether the system supplier holds any recognised certification. One of the best and most reassuring badges to look for is the internationally recognised Information Security Standard ISO 27001:2005. This is only awarded to companies that maintain best practice for their information security management systems and associated processes and follow a strict auditing process. The standard demonstrates an ongoing commitment of an organisation’s efforts to guarantee the security of its products and takes into account legislation around data protection. Some of the bigger agencies, especially those active internationally or who have public sector clients, already stipulate their suppliers hold formal security certification. Whatever size of business you are, however, you have every right to demand the highest standards of security from your supplier.