Top 5 Security Questions to ask your Software Supplier
From the risk of a high profile loss of personal data to the theft of candidate information by departing staff, it’s time for recruitment companies to get serious about security. Daniel Richardson, Chief Technology Officer, Bond International Software, insists that the industry introduce better information management policies and that recruitment companies demand their software suppliers prove their commitment to security, from penetration testing to ISO accreditation.
The recruitment industry has traditionally underplayed information security. However, attitudes towards safeguarding personal data are changing and candidates are far more selective about where and with whom information is shared. Furthermore, not only are organisations offering consultants and clients access via web portals and mobile devices but recruitment systems are also increasingly integrated with a number of third party systems, making it far easier to access very sensitive information relating to payroll and banking.
Recruitment companies clearly need to take information security far more seriously. That means understanding the risks, from external threats such as hacking and viruses to the misuse of data by legitimate employees, and working out how to balance strong security policies against the need to give consultants real time access to key information, increasingly via mobile. What level of access to candidate information does a consultant really need, and can access be restricted to that level?
However, policy alone is not enough. To create a truly secure environment it is time to ask your recruitment software provider some tough questions.
Can the vendor demonstrate its dedicated security investment? Most software products now include essential functions for restricting access to data, by user or by user group, as well as audit trails to identify information misuse, such as a consultant undertaking a search at 3am that brings back 200,000 candidates.
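One way to put the audit trail described above to work, as an added example that is not Bond's code or part of the original article: it scans constructed audit-log lines for the kind of misuse the paragraph mentions (a search at 3am returning 200,000 candidates). The log format, the business-hours window and the bulk threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample audit-trail lines (not from any real product).
SAMPLE_AUDIT_LOG = """\
2024-03-12T09:14:05 user=jsmith action=candidate_search results=42
2024-03-12T03:02:11 user=jsmith action=candidate_search results=200000
2024-03-12T11:30:47 user=akhan action=candidate_export results=1500
2024-03-13T02:45:09 user=akhan action=candidate_search results=80
2024-03-13T15:05:33 user=bmurphy action=candidate_search results=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) results=(?P<results>\d+)$"
)

BUSINESS_HOURS = (7, 20)   # assumed working day: 07:00 to 19:59 local time
BULK_THRESHOLD = 10000     # assumed: result sets at or above this count as bulk retrieval


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "results": int(m["results"]),
    }


def flag_suspicious(log_text, hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD):
    """Return a list of findings for events that look like data misuse.

    Each finding is (user, ISO timestamp, reasons, severity); severity is
    "high" when two or more indicators coincide (e.g. off-hours AND bulk).
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # ignore malformed or unrelated lines
        reasons = []
        if not (hours[0] <= ev["ts"].hour < hours[1]):
            reasons.append("off-hours")
        if ev["results"] >= bulk:
            reasons.append("bulk-retrieval")
        if ev["action"].endswith("_export"):
            reasons.append("export")
        if reasons:
            severity = "high" if len(reasons) >= 2 else "low"
            findings.append((ev["user"], ev["ts"].isoformat(), reasons, severity))
    return findings
```

Feeding a real export of the product's audit trail through `flag_suspicious` gives a reviewer a short list to follow up rather than a raw log to read.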
This should be a given. It is far more important to understand how the vendor is working to prevent information misuse in the first place. For several years, Bond has annually invested a substantial proportion of their research and development budget in penetration testing – using dedicated third party security experts to attempt to break into the Bond Adapt recruitment software online infrastructure. Penetration testing is designed to identify any weaknesses in the system that could be exploited either externally via a web portal or by those with legitimate access attempting to read forbidden data. Importantly, Bond typically changes their penetration testing company every two years, to ensure the test is new and does not refer to any previous results.
This ensures high security levels within each new release of the product – and the results are made available to customers and prospects upon request. In addition, during an era of hosted data and remote supplier support services it is essential the vendor has good processes to control and manage system access. Bond has achieved a number of ISO accreditations, including ISO 27001 (Information Technology Security Techniques) which demonstrates the security of Bond’s day to day operational processes. ISO accreditations are also subject to an annual audit before re-certification; security is checked by ISO throughout the year and certification can be revoked.
Given the changing threat landscape and growing candidate and client expectation that recruitment companies have robust processes and systems in place to safeguard personal data, taking security for granted is not an option. Whether information is located on premise, hosted or in the cloud, recruitment companies need tangible evidence of a commitment to security – and if the vendor can’t deliver a penetration testing document or ISO accreditation, can you really be confident in the safety of this business critical information?
Daniel’s top 5 security questions to ask
- Can your supplier prove they are ISO 27001 accredited?
- Can your supplier prove they operate their SaaS solution within an ISO 27001 accredited data centre?
- Can your supplier present a recent penetration test report?
- Do you have access to an audit trail within your recruitment software? Are you able to see if users are accessing areas they shouldn’t?
- Can your supplier demonstrate a robust security patching process within their SaaS infrastructure (for keeping up to date with Microsoft database security standards)?