Will self-service and automation make the recruitment industry a target to hackers?

Recruitment stands on the brink of a new era of cloud-based automation that’s set to transform the industry from its foundations up.

Up until now, protecting its ability to exchange data in order to do business has been the priority. How will this emphasis shift as recruitment moves towards commercialisation, and what will it mean for security?

Recruitment data must be protected

When data is your business and you store information on millions of people, a potential loss of data is also your main weakness — as recent high-profile breaches show. Around the world, recruitment companies have been hit by hacks leading to personal information such as bank details, addresses, birth certificates and social security details being exposed or stolen.

The implications of this are serious and wide reaching. From a GDPR point of view the financial impact could be significant, with fines for data breaches reaching up to four per cent of turnover. This would hit any business hard, but in the margin-thin recruitment sector, this could be potentially crippling. Looking beyond the financial, a data loss also has a reputational impact. In an industry based on trust and the sharing of highly personal information, a breach could hit confidence in the company hard, driving business to competitors. At the extreme, in the event of a denial of service attack, a recruitment company could be brought to a standstill, with no way to process applications or for applicants to use online systems to get in touch. 

The workforce is a strength and a security weakness

Interestingly, however, it’s rare for recruitment companies to be hit by a premeditated cyber attack. Instead, their vulnerabilities continue (and will continue) to stem from a combination of human actions and a rapidly expanding IT operating environment. 

In the recruitment sector, your staff are both vital to your business and a significant security risk factor. Your security is only as good as the security awareness and habits of your employees, and it’s this behavioural component of cyber defence that poses a serious threat. Recruitment relies on a constant flow of email communication, making firms highly susceptible to phishing emails. It can take as little as one click on a malicious link to open up the whole company to a malware attack.

Recruitment firms, spearheaded by the CISO, need to foster a culture of security so that all employees understand how important it is to follow security protocol. This is all the more vital given the high staff turnover rates within the industry: you need to protect your business against the naivety of new employees by inducting them into good security habits as soon as possible. Plus, as people leave your business, you need to disable their access to your systems instantaneously to minimise your vulnerability, malicious or accidental.

Commercialisation is driving change in recruitment

From a technological point of view, the biggest threat to security in recruitment right now is the commercialisation of the industry.

Recruitment firms’ reliance on the cloud is growing by the day to support the demands of a more flexible and mobile workforce and the full range of access channels the market wants. Recruiters are accessing their tools and systems across a multitude of devices and a number of networks, creating a serious challenge for the CISO: how can you make sure that these devices are connecting in the approved way across a secure network?

At the same time, the recruitment industry is experiencing globalisation of access, applications and security. This centralisation of resources is opening up new threat vectors — if a cyber criminal gets into one area, they can more easily access all the others. Today’s recruitment CISO needs to follow the lead of cloud-native companies, adopting security solutions that make the network the first barrier to any threats.

Automation — a fresh security challenge

Self-service and automation are the next step in recruitment’s digital transformation, reflecting how the industry is developing. A move to close branch offices and shift employees to working more remotely is matched by job seekers embracing opportunities to play a more active part in finding the right role.

Applicant tracking systems (ATS) are streamlining the recruitment process, unlocking efficiency gains as managers track the progress of applications, review CVs, schedule interviews and generally reduce the number of days it takes to fill a vacancy. Via an ATS self-service portal candidates are submitting applications and monitoring their status, reducing the need for inputs from your staff. Chatbots, too, are taking over repetitive tasks, qualifying candidates by talking and engaging with applicants, and fact-finding to help report building.

However, as dependence on automation increases, recruitment firms will find the security threats they face will also change and grow.

Right now, companies experiencing a failure in automation can easily switch back to consumer-grade products and keep on working; it’s still possible to pick up the phone or send an email to reach applicants and clients. But, as dependency on automation increases, the main security threat to recruitment will switch from data loss to all business processes stopping. What, for example, would happen to a business dependent on chatbots if that facility went down? How would you function if your video interviewing tool was offline?

Securing the future of recruitment

Recruitment firms need security solutions that can fully support them as their businesses develop, delivering low-risk implementations of new technology. They need a security partner that understands the challenges they’re facing and can bring the latest, trusted solutions to the table.

As a priority, find out how to put in place a proactive approach to security that will keep pace with the changing threat landscape. Our security experts are ready to advise you on how to mitigate the two main threats to your recruitment security: preventing denial of service attacks and securely managing your cloud providers.