Last March, McDonald’s Canadian career site was hacked. The data breach resulted in the personal information of 95,000 job applicants falling into the wrong hands. Names, home addresses, emails, phone numbers, and the employment history of candidates were all compromised.
The McDonald’s career site hack is part of an ever-growing list. In recent years, a security flaw in Cisco’s mobile job site exposed sensitive information about applicants including passwords and answers to security questions, while in a separate incident, some of Virginia Tech’s 145,000 job applicants had driver’s license numbers and information on criminal convictions leaked among other personal data.
The modus operandi of many cybercriminals is to piece together enough critical personal data to impersonate the victim and commit identity fraud for financial gain. Companies are responsible for the candidate data they collect, and it is therefore imperative that they safeguard their candidates by minimizing cybersecurity risks.
Contacting over 100,000 people to tell them their details have been stolen presents a logistical nightmare; PR is placed in the firing line trying to minimize reputational damage in the media, the Talent Acquisition team must deal with the consequences of the firm’s tarnished employer brand, and candidates are dissuaded from accepting an offer from a company that has failed to protect information it was entrusted with.
What HR can do
HR must realize its role within the firm’s cybersecurity strategy. After all, cybersecurity is not just the responsibility of the IT team but of every single employee with computer access. According to the MIT Sloan Management Review, up to 80% of breaches involve either employee negligence or the employees themselves going rogue.
To counter employee carelessness, HR must continuously educate employees on the importance of following IT procedures; for example, using strong passwords and changing them regularly. HR should collaborate closely with the IT team to deliver a suitable Identity and Access Management (IAM) system, restricting the access of employees to just the files and programs they need to perform their roles.
In being proactive about cybersecurity, HR should take a step back to the recruitment stage. Interviewers can gauge an applicant’s decision-making by asking questions such as “When is it okay to share passwords with a team member when working on a project?” or “When is it okay to let a colleague borrow your company laptop?” When hiring cybersecurity experts, HR may need to be more flexible. The best hackers are often self-taught, with no formal education. Likewise, some of the best cybersecurity experts may have majored in a different discipline. Interviewers need to familiarize themselves with the field so they can ask the right questions to assess a candidate’s experience and determine their aptitude, rather than simply choosing a computer science degree from a reputable school.
HR, working with its procurement and IT teams, also needs to exercise due diligence when procuring Software as a Service (SaaS), scrutinizing the security credentials of suppliers. Additionally, you should ask vendors about their formal process for fixing vulnerabilities and liaising with customers to address problems. To get an idea of best industry practices, you can take a look at Clinch’s guide to its security architecture and see how the engineering team has built the platform to be as safe and reliable as possible.
At Clinch, we are hypervigilant about the security required to maintain the integrity of our clients’ data. Our Chief Technical Officer and Founder, Damien Glancy, spent many years before Clinch responsible for securing the data of one of Ireland’s largest banks. In HRTech, there isn’t a CTO with stronger cybersecurity credentials, and not only do our Financial Services clients breathe easier knowing this, all Clinch clients do, too, knowing they get the same diligent approach to securing their data.
If you are tempted to cut corners with security, note that Juniper Research estimates that by 2019, the global cost of cybercrime to business will hit $2.1 trillion — almost 4 times 2015 levels. Businesses have little choice but to take all precautions possible to mitigate the increasing risk of disaster.
To find out more about the resources and methods Clinch employs to ensure its customers' data remains secure, download our Security Architecture paper now.