25 May 2022
by Atlas Cloud

Action urged as large numbers of recruitment firms found to have cyber vulnerabilities

Over three-quarters of UK recruitment firms have employee passwords circulating in leaked credential lists on the dark web, according to a new study by IT services company Atlas Cloud.

Atlas Cloud, a newly certified APSCo Trusted Partner, surveyed APSCo’s UK membership of almost 600 recruitment agencies for readily observable cyber security weaknesses. The study evaluated website and domain vulnerabilities as well as employee credentials exposed in data breaches.

Of the 584 recruitment firms, 76.1% had one or more employee username and password pairs appearing in credential lists circulating on the dark web. Cybercriminals use these credentials to log in to a victim company’s IT systems exactly as the employee would, particularly where the same password has been reused across services and no second factor is required, and so gain access to valuable information. They commonly hold data to ransom or intercept communications for financial gain.

Shockingly, almost exactly half (50.1%) of agencies surveyed had over 10 different employee username and password combinations available over the dark web and well over a quarter (28.7%) had 50 or more combinations available. 1 in 6 firms (15.6%) had over 100 available, giving attackers many opportunities to access systems. 

Pete Watson, CEO of Atlas Cloud, has some strong advice for recruitment bosses: 

We’re not at all surprised to see so many breached passwords in the industry. Any organisation dealing with as much Personally Identifiable Information as Recruitment is extremely valuable to criminals. They will always find gaps and try to take advantage. 

What matters is how agency bosses react. The simplest form is ensuring regular password changes, although not just adding an additional number to the same sequence. That said, our minimum recommendation now is to enable additional, or ‘multi-factor’, authentication rules like one-time codes or biometrics. Many customer discussions now are around considering a password-less future, relying only on these much more secure methods and, for the users’ benefit, removing passwords altogether.

The study found further alarming vulnerabilities. Web servers, which host a company’s website, often also process (and sometimes store) sensitive company information. In recruitment, candidate CVs are frequently uploaded to, processed on and stored by agency web servers.

Astonishingly, almost all (97.4%) of the firms surveyed had web server vulnerabilities, with an average of 8.5 vulnerabilities per firm.

“The web server findings were surprising,” says Watson, adding:

They’re often such simple fixes; like updating website content management systems to the latest version. It’s not just access to Personally Identifiable Information at risk here, criminals could take your website offline and hold it to ransom – making your firm appear to have ceased trading to the outside world.

Given the ease of solution, it’s a risk no agency leader should accept.

The Atlas Cloud research also found a number of domain-based vulnerabilities, again seemingly widespread across the industry. 

Over a quarter (26.0%) of firms had 10 or more domain vulnerabilities, a level Atlas Cloud’s experts deem ‘High Risk’. One specific domain control assessed was whether a DMARC policy had been published for the firm’s email domain. The study found that under a quarter (23.8%) of recruitment firms had this protection in place.

Pete Watson, Atlas Cloud’s CEO, remarks:

DMARC’s been around since 2015 and stops attackers being able to imitate your organisation by email. Without it, criminals can send emails that can look exactly like they’re from one of your employees.

There’s a small testing process to enable it with small costs associated but, if you’re at all concerned about outsider damage to your brand, there’s no excuse for not having it in place.
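A concrete form of the DMARC ‘policy enablement’ check described above, as an added example rather than Atlas Cloud’s own tooling: it parses DMARC TXT records the way a receiving mail server does under RFC 7489 and classifies each domain’s posture. The domain names and records below are constructed for illustration; in practice the record is fetched from DNS as the TXT record at _dmarc.<domain>, and the function names are this example’s own.

```python
"""Classify DMARC postures for a set of domains.

Added example, not Atlas Cloud's survey code. SAMPLE_RECORDS is a constructed
stand-in for the TXT record found at _dmarc.<domain>; a real check would
resolve that name with a DNS library instead of reading a dict.
"""
from collections import Counter

# Constructed sample records (hypothetical domains). None = no _dmarc TXT record.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@agency-b.example",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": None,
    "agency-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires the record to start with v=DMARC1; anything else is ignored.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_posture(txt):
    """Return (posture, notes) where posture is one of
    'missing', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid DMARC record published"]
    notes = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: with an invalid or absent p tag, receivers fall back to
        # p=none if a rua URI is present, otherwise they apply no DMARC at all.
        if "rua" in tags:
            policy = "none"
            notes.append("p tag invalid or absent; receivers treat it as p=none")
        else:
            return "missing", ["p tag invalid or absent and no rua; receivers ignore the record"]
    if policy == "none":
        posture = "monitor-only"
    else:
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100  # assumption: treat an unparsable pct as the default of 100
            notes.append("pct tag is not an integer")
        if 0 <= pct < 100:
            posture = "partial"
            notes.append(f"pct={pct}: only that share of failing mail is policed")
        else:
            posture = "enforced"
    # sp defaults to p; an explicit sp=none leaves subdomains open to spoofing.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        notes.append("no rua tag: aggregate reports are not being collected")
    return posture, notes


def survey(records):
    """Count postures across domains and return the share with an enforcing policy
    (quarantine or reject), which is what a 'policy in place' figure should measure."""
    counts = Counter(dmarc_posture(txt)[0] for txt in records.values())
    enforcing = counts["enforced"] + counts["partial"]
    return counts, enforcing / len(records)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        posture, notes = dmarc_posture(record)
        print(f"{domain:20} {posture:13} {'; '.join(notes)}")
    counts, share = survey(SAMPLE_RECORDS)
    print(dict(counts), f"enforcing: {share:.0%}")
```

Only p=quarantine or p=reject instruct receivers to act on spoofed mail. A record with p=none monitors and blocks nothing, and pct below 100 polices only that fraction of failing messages, so a survey that counts any published record as ‘enabled’ would overstate how many firms are actually protected against brand impersonation.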

The full, aggregated findings are available on Atlas Cloud’s website and, for a short period, the team will share individual company analyses with verified agency management on request.

Commenting on the findings in general, APSCo Global CEO Ann Swain, said: 

We thank Atlas Cloud for highlighting this information about our members. It’s not easy reading but thankfully the answers are there in black-and-white; a small focus on these essential cyber vulnerabilities will bolster your business for years to come. 

The sad truth with this is you’d only know about it when it’s too late so, with cyber, it really does pay to be proactive. We even took our business through the process directly with Atlas Cloud so we could have full confidence we’re handling membership information in the correct way.
