Guest Blog | Infosec for Recruiters in Five Steps

Our guest blog on behalf of Reciprocity Labs highlights some of the big data management and information security problems facing recruitment firms today.

Information security (‘infosec’) is a catch-all term for the work we do to secure data. In our digital world, virtually all data has some intrinsic value. And, as with anything that holds value, people will attempt to acquire it – sometimes by illicit or unethical means.

The dash for data means that infosec is an increasingly significant part of business. In fact, it places first among CIOs as their top hiring priority for recruitment in 2019.

This alone should make most recruiters sit up and take notice of infosec. But what about our own, in-house data safety? In this post we have some of the top points of interest for recruiters. And we offer five simple solutions to the most common data management problems that agencies will face.

1) Understand the changing nature of security risks

Risks change over time. Technology is an ever-evolving beast, and bad actors are always seeking to score an advantage by finding vulnerabilities in new systems.

This means that data security is not a final destination. It’s a constant, career-long journey.

Infosec requires some level of understanding about how vulnerabilities are found and exploited. And combating threats can mean changing the way you work at short notice.

This sounds terrible for you, as a business owner or consultant. It makes infosec seem like a lot of life-long learning, and a lot of upheaval.

In truth, much of data security is managing the little details about the way we work. Which devices are you allowing to connect to your databases? Can you see who is using them at any one time? Can you verify that the login details being used really belong to the human that is using them?

These little, day-to-day habits – from multifactor authentication to regularly changing passwords and blocking database access from public wifi – are the foundation of good infosec.

2) Infosec for recruiters: It’s not all about technology

One of the great misconceptions about infosec is that hackers are only targeting your technology. But not every hacker is a shadowy figure sitting at a computer terminal in the dark.

The truth is, some of the most costly data breaches have targeted humans.

It is called social engineering: tricking people into giving out sensitive information or access to data.

A phone call purporting to be from your bank and requesting that you reset your account passwords is a classic social engineering attack. But businesses can be targeted in the same way.

There is only one way to address the risk of social engineering attacks, and that is regular staff training. Infosec consultants can “wargame” social engineering attacks with staff so that they can recognise them and respond appropriately in a real-world situation. In a digital world – where conversations are no longer face-to-face events – this training is invaluable.

It’s as the old proverb says: “Trust, but verify”. You may assume you know who the recipient of your message is. But make sure you double-check and verify before you hit ‘Send’.

3) If you work in recruitment Infosec *is* for you

It’s an awkward truth that infosec should be a major concern for our industry. After all, we process thousands of points of sensitive personal data every day. Yet the reality is that we often allow other issues to take priority, and infosec gets forgotten.

This brings us to our third point. As a recruiter, infosec is something that you cannot simply dismiss as “somebody else’s responsibility”.

But while infosec demands specialist skills, it does not require specialist staff.

What do we mean by this?

That it is often beneficial to train up existing personnel to meet infosec requirements, rather than bring in a pre-trained specialist.

There are, of course, security products and services that will assist you with this. But it is often unrealistic to expect a smaller organisation to hire a full-time specialist. And upskilling offers an added bonus, too. The more people you have with strong infosec skills, the fewer weak points you have in your data ecosystem.

4) Accept that no company is an island in our interconnected world

While our previous point encouraged a bit of infosec DIY, our next point says the opposite.

Our businesses are online: sharing and transferring data is an inevitable part of life. It can be tempting to believe that we lose control of our data security as soon as we share it. And, if that is the case, we can sometimes use this to justify postponing our data security tasks as a fundamentally pointless exercise. ‘Why waste resources’, we may think, ‘when another company could mess it up as soon as our data is sent to them?’

But the opposite is true. With networked sharing of data, security obligations are always interconnected. When data is shared, it becomes everybody’s responsibility, not nobody’s. It is therefore up to you to choose responsible partners in this process. The choices you make impact your data security: even once that data is out of your hands.

We can better illustrate this idea as being a case of risk mitigation versus risk acceptance. Read that blog post: it beautifully explains the underlying concept. Do we want to avoid placing our data in the firing line, or do we accept some risk in return for increased defence?

In the example in the blog, Reciprocity Labs chooses Amazon Web Services (AWS) as an example of a big, obvious target for data miners. But, while the rewards for penetrating AWS defences would be substantial, the probability of this ever happening is small enough to dissuade most hackers from even trying. By accepting a degree of risk, the infosec battle can sometimes be won without even having to be fought.

5) The consequences are more than financial

There are some pretty big reasons why you should care about your data security.

You probably already know more about GDPR than you would like to. You’re no doubt aware of the hefty fines that can be charged for a careless data breach.

But it is not just the threat of legal repercussions that should have recruitment bosses looking for infosec solutions.

There is the risk of serious reputational damage, too.

Personal data is the lifeblood of the recruitment industry. We do not have a product to take to market without it. But, if your company name has been dragged through the mud in a high profile data leak case, you may find it hard to attract willing applicants. Are candidates going to risk uploading their resumés to your database if there is a risk they will all end up published online?

When assessing the cost of infosec, we may be tempted to look only at the outgoing price of services used. It is much harder to measure the price of a data leak that has been prevented from happening, however. It can therefore be tempting to undervalue, or dismiss, infosec obligations – until it is too late. But one thing is clear. If your business shares data, or relies on data, it should take its data security duties seriously.

Solving infosec for recruiters – together

So, what is the key take-away from this journey through information security? Probably this: don’t feel like it is a responsibility that you need to undertake alone. There are established experts in the field who can provide solutions, as well as guidance. Learn about your options, and ensure that your systems offer an acceptable level of risk acceptance and risk mitigation.

And, above all else, constantly update and refresh your understanding of infosec for recruitment.

This post was contributed on behalf of Reciprocity Labs: the infosec automation specialists.