Recruitment & Employment Confederation

The risks facing recruitment agency directors when delegating cyber security

Business advice

This is a guest blog by business partner Atlas Cloud.

Thanks in part to our partnership with the REC, Atlas Cloud has performed cyber security audits on over 2,500 UK-based recruitment agencies. From micro agencies to the big ones, we’ve seen it all.  

Having liaised with many agency leaders in this process, the remarkable disparity in how SME agency directors treat the subject has become very apparent. While many take a once-a-year approach to reviewing cyber risks (which is perfectly adequate), many still choose to fully delegate the process – internally or externally – and instead trust someone else.

While that may keep the agency secure – after all, the expert probably knows more about the subject than a non-technical director – it still exposes agency directors more than they probably realise. Allow us to explain.  

A reminder of the risks 

No doubt you’ll be aware of the GDPR and the UK version that quickly followed post-Brexit. Reasonable steps must be taken to ensure personal data is secure. As a recruitment business, that means candidate CVs and, if processing payroll, bank details/IDs too. In other words, high-value information with lots of personal information.  

If you’re breached, you are bound by law to inform affected individuals (candidates) and the ICO. From there, the governing body with heavy fining powers will investigate and look for evidence that the reasonable steps you are obligated to take were upheld. We’ve also seen examples where affected candidates pursued compensation claims through law firms.

So it would be up to you, the responsible director, to provide evidence on both fronts of the reasonable steps taken.  

“We have an IT company that handles that” 

If delegating externally, the cracks often quickly start to show. Unless explicitly made clear, IT vendors only manage the aspects of technology that they are directly responsible for. Even if they wanted to do more, they won’t have permission to do so, nor the access needed to do anything about it.

For example, while your IT company might manage laptops, they might not manage smartphones (which might access email), and they rarely manage corporate websites (which often process CVs), key business applications (which usually store CVs) and a range of other systems. Even things which don’t directly store or process personal data can be used as a gateway for a cybercriminal to get from one place to another.

So, while an external vendor will manage their own areas, there will still be gaps in your organisation’s security provision unless that vendor is explicitly responsible for reviewing risks holistically. Usually, they aren’t. Further, as risk is judgement-based, there would need to be a clear procedure for deciding whether developing risks should be accepted or mitigated. Without that cherry on top, you would have nothing to demonstrate if ever investigated.

“Oh, but our IT Manager does that” 

On the other hand, many agencies have designated technical personnel in-house who operate below board level. In our experience, in-house teams usually get too caught up in day-to-day service provision to be able to perform cyber risk assessments adequately. Often, it isn’t even in their actual job descriptions; it is just assumed. Even when it is, the role is rarely defined clearly enough for them to assume full responsibility.

Again, it comes down to the simple fact that risk is judgement-based and that directors have the ultimate responsibility. So, without a clear decision-making process in place, it is the director once again who is left exposed.  

The simple solution 

Given the grey areas and associated risks, it is surprising that so many directors choose to fully delegate cyber security. That is especially so when you consider how simple the solution is. 

The simplest counterpart to the scenarios outlined above is for someone technical – internal or external – to audit the agency’s threat posture annually and put together a short health report, which is then reviewed in conjunction with a director. Together, decisions are made to accept each risk or remediate it. Even if all risks are accepted, directors are in a much stronger position because they have evidence that they took steps.

If you too would like to take a more hands-on approach by reviewing a simple but clear framework once a year, Atlas Cloud offers Cyber Security MOTs for this exact reason. Usually £80, but free for REC members, our in-house cyber security expert gives your agency the once-over and provides a health report with advisories clearly listed, just like a car MOT. For the risk-conscious, there are optional service packages on top of this.

Book a Cyber Security MOT with Atlas Cloud today