Protect your Staffing Company and Clients from Data Theft

By: Melanie Berkowitz, Esq.

Think your staffing company’s data isn’t of interest to hackers? Think again, warn the experts. 

When it comes to cybercrime, “hackers thrive on opportunity” says Bill Carey, vice president of marketing for the Roboform password manager. “If hackers have the chance to get into your system, they will take it.”

The task can be doubly tricky for staffing companies that manage millions of individual pieces of confidential data about potential placements and must keep track of who sees each one. Many staffing companies also offer comprehensive onboarding and other HR services that require them to have access to their clients’ computer systems. 

The good news is that protecting your business from security threats — and the confidential information of your clients and their placements — doesn’t have to cost a fortune.

It does however require some effort up front and on an ongoing basis. Here are five things to do to protect your staffing company from cyber-hacks: 

1.  Know What to Protect
“Know what you need to protect and why that information is at risk,” says cyber security expert Ray Cavanagh, member of the American Society for Industrial Security and its cloud computing subcommittee.  

He suggests sitting down with employees in charge of HR, IT, operations and security and identifying how your business transfers data or shares information and the person or department responsible for protecting it. This list will form the basis of a cyber security plan.

Of particular importance for staffing companies is that they have access to their clients' computer systems to know who has authority to log-in to each system, the IP address of the computer being used and the scope of the data being viewed or transferred.

2.  Create a Written Plan
Both Carey and Cavanagh agree that any cyber security plan should be written out. It should list every step required to keep information secure.  Free resources on the Internet can help you develop a plan, which should cover protections from both external and internal threats including:

  • Firewalls
  • Anti-virus software (and updating)
  • Malware protection
  • Password managers
  • Social media controls
  • Employee training
  • Authentication protocols


In cases where a certain employee or group may regularly work with a client's computer system or data, a comprehensive plan might also address limiting log-ins to certain IP addresses. Controls can also be put in place regarding the amount of time that a particular staffing employee is given access to a specific client.

3.  Be Diligent About Due Diligence
How are smaller companies managing this effort? Brandon Metcalf, founder of staffing and recruitment “software as a service” company Talent Rover completed a lengthy review and due diligence process before deciding to build the company’s business on’s cloud-based platform.

The decision means that, not Talent Rover, is responsible for protecting all of the company’s online activities, including log-ins, data management, information storage and transfer, IP address tracking and password protection. Thus when a Talent Rover employee works with a client to implement a comprehensive staffing plan, or logs into a client's system, these activities take place thorugh

But Metcalf warns it’s not enough to rely on a buzzword such as “cloud-based” as assurance that a service provider truly incorporates sufficient cloud protections. 

Ray Cavanagh agrees. “Make sure you investigate every company or provider who will handle your data or interact with your servers. Just because a provider says they have migrated their services to the cloud or take security seriously doesn’t mean they offer comprehensive cyber protections.” 

4.  Train Employees
Carey, Cavanagh and Metcalf all stress the important of proper employee training around issues of cyber security. 

“Do not assume your employees will always use common sense when it comes to protecting against security breaches,” warns Carey. He suggests having in-person meetings to explain the company’s cyber policy including examples of threats, risky behaviors and the company’s “bring your own device” (BYOD) policy. 

Cyber safety best practices for employees are similar to those for personal computer use. They include:

  • Teaching employees how to create strong, memorable passwords when creating account credentials. These should be based on things other than family or pet names and dates that can easily be gleaned from social media.
  • Instructing employees that they should never “click on a link” to access a client’s website or to enter a work or customer system. Better to type the new address themselves.
  • Providing specific examples of “phishing” language or malware that can trick employees into infecting computer systems
  • Prohibiting downloads of anything onto a work computer or network without explicit authorization

5.  Know What to Do if Your System is Breached
If, despite your best efforts, you find yourself the victim of a cybercrime, Ray Cavanagh recommends unplugging your servers and going “offline” as quickly as possible until the threat is located and isolated.  

Bill Carey also suggests immediately changing the passwords for all hacked systems and communicating openly and honestly with employees and customers about what happened and what is being done to fix the situation. 

Such a scenario may require that you call in an outside expert to help find the source of the leak and fix it, both experts say.

Legal Disclaimer: None of the information provided herein constitutes legal advice on behalf of Monster.