02 Apr 2020
by Nasstar

Biggest Cyber Security Threats to the Recruitment Sector

Cyber-attacks can have a devastating impact on the reputation of any business, including those in the recruitment sector. They can not only damage relationships with existing clients because of the possibility of confidential data being lost, but can also make it harder to bring in future clients.

Cyber criminals target businesses that are heavily reliant on their online systems, and as a recruitment agency, you are instantly a target. Overall, UK businesses are hit every 50 seconds.

Colin Dennis of cyber security specialists OGL Computer named recruitment agencies as a “prime target” for cyber attackers, because employment agreements and sensitive documents (passport scans, visa details etc) would be left exposed during a breach. 

To protect your agency from cyber attacks, it’s important that you are aware of the cyber security threats that the recruitment industry currently faces. 

Cyber Attacks in the Recruitment Sector

In the last couple of years, there has been an increasing number of cyber attacks in the recruitment sector. PageUp, an Australian HR company, was affected by an IT security breach in 2018. The breach put the personal details of thousands of people at risk. The company handled data on behalf of Australia’s Treasury Department, broadcaster ABC, Medibank, Australia Post and more. The majority of data exposed included the names, street addresses, telephone numbers, gender and date of birth of job applicants.

In the UK and Ireland, Whitbread suffered a data breach in its online recruitment system which affected brands such as Costa Coffee and Premier Inn. Contact and biographical details were part of the data breach.

In China, half a billion CVs were left exposed by companies using poorly secured Elasticsearch and MongoDB databases. These servers storing information across various companies were breached, giving hackers the personal information of applicants.

Cyber Attacks

Every business is under threat from cyber criminals, especially a recruitment agency that depends on technology, systems and data. If an attack was successful, it could cripple your business. The most common attacks that could happen include:


Malware

Malware is any software designed with malicious intent to damage a computer, server, client or computer network. According to Security Magazine, there were 7.2 billion malware attacks during 2019. All companies should be using anti-malware software and firewalls as part of their cyber attack prevention, alongside keeping all software and systems updated and being aware of potential malicious emails.

DDoS Attacks

A distributed denial of service (DDoS) attack is a method used to bring down websites, email servers and other services connected to the internet. This attack could make your data inaccessible. If a recruitment agency was to have its service taken down, it would be unable to operate because users wouldn’t be able to apply for jobs, and recruiters would lose access to basic operations. 


Phishing

Phishing is the fraudulent attempt to gain sensitive information, including usernames, passwords and credit card details, in which the attacker poses as a trustworthy person in an electronic communication such as an email.

Because a recruitment agency has to communicate regularly via email, recruitment agencies are easy targets for an email phishing scam. All it takes is one convincing-looking email with a malicious link to bring down an entire agency.


Ransomware

Ransomware is malicious software that denies a user access to their computer system or data until a ransom is paid. Ransomware spreads fast via phishing emails or infected websites. Ransomware can have a devastating effect on an individual or company.

Cyber criminals are likely to use ransomware as an attack strategy on a valuable target like a recruitment agency. They know that the attack would disrupt the business so severely that it’s likely an agency will pay up. Given the nature of the sensitive data that recruitment agencies hold on customers, agencies will be prepared to pay for that information to be returned.

Human Error

90% of cyber-attacks start because of human error. A breach can happen when a consultant clicks on something they’re not supposed to, typically by accident. An example is clicking a malicious link in a phishing email; just one click can give hackers access to all your internal systems.

Malicious Behaviour by an Employee

It’s also possible that an employee who is looking to set up their own agency, or is moving to a competitor, could steal data to further their own career. This behaviour is more common than you think, with Pensar finding that 59% of employees who leave or are fired steal company data. Recruitment agencies must put the right measures in place to ensure employees set to leave don’t have access to sensitive information, where possible.

Lack of Training

The human error threat to recruitment companies is down to a lack of cyber security training. Not everyone is aware of the dangers of malicious software and many couldn’t spot a phishing email in their inbox. While younger employees who come in are likely to be digital natives and understand cyber threats, older employees will need greater awareness training. It’s still no guarantee that digital natives know everything, so training should be implemented for all staff.

Legacy Software

Outdated legacy software can leave a system badly exposed to hackers. If your antivirus, operating systems and internet browsers are out of date, they create easy access for criminals to exploit.

Does your agency still use Windows 7? Microsoft stopped updating this operating system in January 2020, meaning no more security updates will be released. You must upgrade to Windows 10 to remain protected.


If you don’t have the correct cybersecurity policies, procedures and maintenance in place to cover risks, not enough will be done to protect your recruitment agency. With data stored digitally, a recruiter’s job is made easier as they can access information out of hours (if a candidate can only be contacted then) on a mobile device. This opens up potential opportunities for cyber criminals.

There must be policies in place to cover the following risks: Bring Your Own Device (BYOD), remote working, cloud platforms and password control. Without the correct rules in place on how to use these elements, misuse may lead to a huge cyber security breach. 

To ensure your recruitment agency is fully protected, talk to our information security experts at Nasstar who can support your agency with managed IT and managed networks to protect your agency from a cyber attack.
