Cyber criminals operating on the dark web, buying and selling illegally obtained personal data and other commercially sensitive information, now form a well-established black market economy. Why should this bother you? Because recruitment companies are a prime target for cyber criminals, owing to the extent of the personal data and other valuable information they hold.
So what is the dark web?
It is an online black market where criminals can operate, buying and selling data and illegal goods and services, such as cyber attack software. It works on the principle of “onion routing”, where anonymity is achieved by rerouting a user’s internet traffic through many dispersed IP addresses, hiding the identity of the computer from which the traffic originates.
One estimate indicates that there are 1.7 million individual connections to the dark web per day, with over half of its sites being used for illegal purposes.
The attack on your business.
The market for personal data in particular is now well developed, which means that if a cyber thief can access your data, they can sell it on to others. It is then aggregated with other information bought illegally (e.g. the identities of compromised servers) or publicly available information (e.g. social media posts by your staff). This enables criminals to undertake more sophisticated attacks on your business, such as socially engineered phishing. In this way, random attacks are followed by more focussed ones.
Other attacks may include encrypting your data and demanding a ransom for its release (ransomware). Spyware infections and fraudulent money transfers are further common outcomes. There are many examples of recruitment businesses that have suffered this fate.
Losing candidate personal data, client data and details of your commercial plans and activities could be catastrophic. And failing to take the necessary steps to protect personal data is now a breach of the law (and incidentally, a breach of the REC code of conduct).
So, how do you protect your business?
It is essential that you carry out a proper risk assessment of your systems and security arrangements, and remediate the vulnerabilities you find, across the three key areas below.
Technology: firewalls and anti-virus software are a given, but unless they are set up and configured correctly, criminals will get round them. Undertake penetration testing and vulnerability scanning to pressure-test everything and find out where the gaps are (and there will be some!).
People: give your staff proper cyber awareness training. Have them complete tests to see what they have learnt, and then measure the effectiveness of the training by undertaking simulated phishing exercises to discover what else needs to be done.
Governance: ensure you have the correct policies, procedures and maintenance arrangements in place to cover risks such as Bring Your Own Device (BYOD), password control, remote working and the use of cloud platforms.