Action urged as large numbers in Recruitment found to have cyber vulnerabilities

New Research: Monday 30th May 2022

Over three-quarters of recruitment firms have stolen password information available over the dark web, according to a new study by IT services company Atlas Cloud.

Newly-certified APSCo Trusted Partner, Atlas Cloud, surveyed the industry membership organisation’s UK portfolio of almost 600 recruitment agencies, assessing obvious cyber security vulnerabilities. They evaluated website and domain vulnerabilities as well as employee password breaches.

Of the 584 recruitment firms, 76.1% had one or more instances of employee usernames and passwords evident in lists circulating on the dark web. Cybercriminals use this information to enter victim companies’ IT systems – in the same way an employee would – gaining access to valuable information. They commonly hold data to ransom or look to intercept communications for their financial gain.

Shockingly, almost exactly half (50.1%) of agencies surveyed had over 10 different employee username and password combinations available over the dark web and well over a quarter (28.7%) had 50 or more combinations available. 1 in 6 firms (15.6%) had over 100 stolen passwords, giving attackers several opportunities to access systems.

Pete Watson, CEO of Atlas Cloud, has some strong advice for recruitment bosses:

“We’re not at all surprised to see so many breached passwords in the industry. Any organisation dealing with as much Personally Identifiable Information as Recruitment is extremely valuable to criminals. They will always find gaps and try to take advantage.

“What matters is how agency bosses react. The simplest form is ensuring regular password changes, although not just adding an additional number to the same sequence. That said, our minimum recommendation now is to enable additional, or ‘multi-factor’ authentication rules like one-time codes or biometrics.

“Forward thinkers are now considering a password-less future, relying only on these more secure methods and, for the users’ benefit, removing passwords altogether.”

Pete Watson – CEO, Atlas Cloud

The study found further alarming insights. Web servers, used to host a company’s website, are often responsible for the processing (and sometimes storing) of vital company information. In the case of Recruitment, candidate CVs are often processed and stored on agency web servers.

Astonishingly, almost all (97.4%) of the firms surveyed had web server vulnerabilities, with the average number being 8.5 vulnerabilities.

“The web server findings were surprising.

“They’re often such simple fixes, like updating website content management systems to the latest version. It’s not just access to Personally Identifiable Information at risk here, criminals could take your website offline and hold it to ransom – making your firm appear to have ceased trading to the outside world.

“Given the ease of solution, it’s a risk no agency leader should accept.”

Pete Watson – CEO, Atlas Cloud

The Atlas Cloud research also found a number of domain-based vulnerabilities, again seemingly widespread across the industry. Domains are used in a firm’s web address and email addresses.

Over a quarter (26.0%) of firms had 10 or more domain vulnerabilities, deemed ‘High Risk’ by Atlas Cloud experts. One specific domain issue assessed was DMARC policy enablement. The study found that under one-quarter (23.8%) of recruitment firms had this protective factor in place.
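As an added illustration, not part of Atlas Cloud’s study or its tooling, the check below classifies a domain’s DMARC deployment from the TXT records published at _dmarc.<domain>, distinguishing a missing record from a monitor-only policy (p=none), a partially applied one (pct below 100) and a fully enforced one. The sample records and domain names are constructed; a real check would replace the dictionary lookup with a DNS TXT query.

```python
# Constructed sample TXT answers for _dmarc.<domain>, as a resolver would return them.
# These are made-up examples, not records belonging to any firm in the study.
SAMPLE_DMARC_TXT = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=20"],
    "notxt.example": ["some unrelated txt record"],
    "none.example": [],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt_records) -> str:
    """Classify DMARC deployment from the TXT answers for _dmarc.<domain>.

    Returns one of: 'missing', 'invalid', 'monitor-only', 'partial', 'enforced'.
    """
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record, receivers stop DMARC processing.
        return "invalid"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reporting only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    return "partial" if pct < 100 else "enforced"


def survey(domains) -> dict:
    """Run the classification over a list of domains using the constructed records."""
    return {d: dmarc_status(SAMPLE_DMARC_TXT.get(d, [])) for d in domains}
```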

Pete Watson, Atlas Cloud’s CEO, remarks:

“DMARC’s been around since 2015 and stops attackers being able to imitate your organisation by email. Without it, criminals can send emails that can look exactly like they’re from one of your employees.

“There’s a small testing process to enable it with small costs associated but, if you’re at all concerned about outsider damage to your brand, there’s no excuse for not having it in place.”

Pete Watson – CEO, Atlas Cloud

The full, aggregated findings are available on Atlas Cloud’s website and, for a short period of time, the team will share individual company analyses with confirmed agency management at request.

Commenting on the findings in general, APSCo Global CEO Ann Swain, said:

“We thank Atlas Cloud for highlighting this information about our members. It’s not easy reading but thankfully the answers are there in black-and-white; a small focus on these essential cyber vulnerabilities will bolster your business for years to come.

“The sad truth with this is you’d only know about it when it’s too late so, with cyber, it really does pay to be proactive. We even took our business through the process directly with Atlas Cloud so we could have full confidence we’re handling membership information in the correct way.”

Ann Swain – Global CEO, APSCo

Cyber Audit X Report

MEMBERS: REVIEW YOUR CYBER REPORT

As UK-based APSCo members are included in the study, relevant representatives are entitled to review the results relevant to their organisation for a limited time.

Reports are automated but, due to the nature of the content, we will be validating that requesting individuals are representatives of the organisation whose results they wish to review.
