The recruitment industry handles a huge amount of client and candidate data containing sensitive business and personal information. Daniel Richardson, Chief Technology Officer, Bond International Software, looks at how implementing the right security measures enables both recruiters and software providers alike to remain credible and lead the way.
The concept of information security has evolved over the last few years to the point where it’s now increasingly at the forefront of people’s minds. There are very few people who haven’t been affected, directly or indirectly, by a data breach – such is the prevalence of online data in many global sectors, from banking to retail to utilities.
Recruitment and staffing organisations store a huge amount of data regarding individuals and, traditionally, their view has been that this information is in the public domain. Candidates may have posted CVs online, or recruiters may have obtained them through public sources, so their contents were not considered particularly sensitive. Perception is now changing because more expansive information is being stored alongside CVs within cloud-hosted recruitment software systems.
Candidate records often hold banking and payroll information, for example, but recruiter notes can be equally sensitive. Recruiter notes contain information captured during conversations with candidates and may include personal details regarding the job roles candidates are seeking, or the reasons why they are leaving their current employer. If leaked, this information could significantly affect a candidate’s ability to find a future position.
The right culture for the right security
Recruitment companies need to take information security more seriously. Bottom line, the two key stakeholders, clients and candidates, expect their data to be stored securely. Recent legislation is taking a much stricter view of data loss and substantial fines have been imposed. If a recruitment company loses data, the Information Commissioner will undoubtedly be interested and fines could be levied.
Recruiters must ensure they have the best security practices in place. Beyond the security of their cloud-hosted software, the whole company culture should reflect the fact that they are looking after sensitive data on behalf of their clients and candidates.
There are two clear strands to the security offered by cloud recruitment software providers. Firstly, functional security which you would expect to see in every cloud system:
- Can users be grouped together?
- Can one particular group of users see another particular group of users’ data?
- When users run searches, are they able to access data they should not be able to access?
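The third question is where functional security most often fails in practice: the group rule is applied when a record is displayed but not when it is matched, so a search still reveals that a record exists in another team's data. The following Python is an added illustration, not code from the article or from Bond's products; the candidate records, groups and users are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Candidate:
    name: str
    group: str   # recruiter team that owns this record
    notes: str   # sensitive recruiter notes

# Constructed sample data: two teams, one shared phrase in the notes.
RECORDS = [
    Candidate("A. Example", "london", "leaving employer over pay dispute"),
    Candidate("B. Example", "london", "seeking finance director role"),
    Candidate("C. Example", "manchester", "leaving employer over pay dispute"),
]

@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)

def can_view(user: User, record: Candidate) -> bool:
    """Group rule: a user may see only records owned by one of their groups."""
    return record.group in user.groups

def search_leaky(user: User, term: str) -> list[dict]:
    """Defective pattern: match against every record, then redact the fields
    the user may not see. The hit itself (name, count, position) still leaks
    that a matching candidate exists in another group's data."""
    hits = [r for r in RECORDS if term.lower() in r.notes.lower()]
    return [
        {"name": r.name, "notes": r.notes if can_view(user, r) else "[redacted]"}
        for r in hits
    ]

def search_scoped(user: User, term: str) -> list[dict]:
    """Correct pattern: apply the group rule before matching, so records the
    user cannot read never influence the result set (no names, no counts)."""
    visible = [r for r in RECORDS if can_view(user, r)]
    return [
        {"name": r.name, "notes": r.notes}
        for r in visible if term.lower() in r.notes.lower()
    ]
```

A London recruiter searching for "pay dispute" gets two hits from the leaky search (one redacted, confirming a Manchester record matches) but only their own record from the scoped search.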
Most recruitment software providers have been delivering this type of security to a high standard for many years. However, when providers connect CRM applications and databases to the internet and operate Software as a Service (SaaS) via the cloud, higher levels of security must be considered and implemented.
The first strand of security is still important but usually part of the product, and the second strand comes down to one overriding point:
- Can someone illegally access the data?
Can someone with no ties to the provider’s organisation, in effect, compromise the system? Bear in mind that, in recruitment, the users of these systems may be highly IT-literate and fully aware of how to probe them for vulnerabilities.
Security-based coding plus penetration testing
At Bond, we do not simply pay lip-service to the concept of security. We have spent many years working to ensure our SaaS products remain truly secure. A substantial part of our research and development budget is allocated to this area.
Firstly, all Bond software developers are skilled in security-based coding, which enables us to catch and fix any vulnerabilities at source. Secondly, we regularly employ third-party penetration testing (also known as ethical hacking) companies to conduct tests on our software and infrastructure.
We provide legitimate user names and passwords and ask the company to use those, plus any and all penetration testing skills and tools available, to attempt to access data they shouldn’t be able to access. Also, we ask them to attempt to access and extract data from third-party, back office systems (such as payroll software) via integrations with our front office CRM.
To test our SaaS infrastructure, we provide the penetration testing company with an IP address and ask them to use all possible means to access the system. Can they access admin tools, usernames or passwords?
The penetration testing space is huge. There are many existing and future methods which could be used to exploit weaknesses in cloud software security. However comprehensive a service these companies provide, we still typically change the one we use around every two years. There is no room for complacency in security and we believe it’s important to get a fresh pair of eyes on the solution.
Security = Credibility
Providing the best recruitment-specific CRM possible simply isn’t enough if data is leaking or unauthorised users are able to access it. It’s very important for recruitment agencies to understand exactly what their suppliers are doing to ensure data security, because their credibility and ability to secure future business could be irreparably damaged if their client or candidate data is compromised.