It's Time to Fortify your Staffing Firm's Cybersecurity
By: John Rossheim
As a staffing firm executive, all of your energies are focused on matching clients with great talent. But then the unnerving news headlines catch your eye: ransomware attacks like May’s WannaCry and June’s Petya hit thousands of organizations, with direct and indirect costs often reaching six or seven figures per company.
Unfortunately, most businesses, regardless of industry, are hit by one sort of cyberattack or another. Not surprisingly, the threat has increased demand for cybersecurity hiring.
Where do you begin to build cybersecurity for your staffing company? And how can you enhance your existing measures against the advancing threat? Here are some guiding principles to protect your staffing company.
Recognize that your staffing firm holds sensitive data. In addition to internal company data, your firm’s strategic assets include confidential data on both client companies and job candidates. Bad actors may be tempted to try to steal that data and exploit it for any number of purposes.
“You can tell a lot about a person from their resume,” says Darren Hayes, director of cybersecurity and an assistant professor at Pace University in New York. “You may find their email address, Social Security number, skills set.”
Be aware that staffing firms are very vulnerable to a cyberattack. Sectors such as financial services and government are widely recognized as targets of cyber criminals; the staffing industry not so much. This has led to woeful unpreparedness for the ever-morphing cyber threats.
“It’s a challenge for staffing firms just to be able to track the assets they provide to staff, the information stored on laptops or phones, to make sure it’s secure and is retained by the staffing firm,” even when workers leave the company, says Christopher Roach, national IT practice leader for CBIZ Inc.’s Risk & Advisory Services.
Don’t assume that your IT folks have got you covered. Your technologists have demands coming at them from every direction.
“Even the technical specialists responsible for security are likely spread too thin to fully comprehend and appreciate the new threats to digital organizations,” says a report from trade group CompTIA.
It’s up to your top management to give IT the resources required to make information security a top priority. For starters, “make sure backups are happening,” says Roach.
Don’t assume your workers are acting prudently with every keystroke. Employee cybersecurity literacy in safe practices should be a key element of your cybersecurity strategy, but it’s not enough.
More than three-quarters of users who said they understood the risks of clicking on links in emails clicked on them anyway, according to a research summary by security vendor Barkly. Be sure employees know how to respond to suspect emails.
Bring in an outside expert to assess your cybersecurity. “At larger firms with multiple offices, it makes sense to bring someone in to do a vulnerability assessment,” says Roach.
“The best kind of security protection is help from the outside,” says Hayes. “Outside providers can give you better phishing protection. Internal network people tend to think cyber threats don’t apply to them.”
Demand proof of all of your vendors’ security measures. If your agency is like most, you share data with vendors and may even have given them access to some of your internal systems. Beware.
“Staffing firms need to vet any vendors they use for information security,” says Roach. With cloud-based applications, ask for a detailed explanation of security measures before you buy.
Counter your agency’s potential role as a third party to a hack. Your firm’s liabilities for exposed data may go beyond your clients and candidates.
Analyzing stolen resume data, hackers can easily learn what kinds of systems candidates were working on at previous employers, which can enable them to identify potential vulnerabilities at those companies, according to Roach. “Attackers like to go to third parties to find vulnerabilities,” he says.
Keep up with emerging security threats. Last year’s cyber threats, and even yesterday’s, may not top the list of newfangled hacks that your organization should prepare for. Witness WannaCry and other ransomware attacks of 2017. “Ransomware is a threat that can really stop your business unless you’re prepared to respond,” says Roach.
Budget for ongoing employee security training. Do your employees know what company rules say about BYOD security? Laptops brought home? Apps brought in to work? Make sure they do.
“A key vulnerability is the employee who doesn’t know the company’s acceptable use policy,” says Roach. “More and more companies are extending training efforts to the overall workforce,” the CompTIA report says.
Treat cybersecurity as an investment. Cyber threats are so numerous and varied that it’s not possible for any one firm to fully address them all. “You can overspend on cybersecurity,” Roach says. “There’s a diminishing rate of return. So we try to set a baseline, but then the company has to own it.”
It’s wise to retain a consultant to periodically recheck the company’s systems, policies and practices for vulnerabilities.