It doesn’t get much attention in the corporate recruiting field, but hacking is on everyone’s mind these days. The CIA claims that Russian hackers influenced the outcome of the U.S. election. Last year, Twitter, Reddit, and Spotify suffered hacks that took them offline for unprecedented amounts of time. In February 2016, hackers stole $81 million from Bangladesh Bank. Even the National Security Agency (NSA) appears to have been hacked during 2016.
It should go without saying, but when recruiters find themselves in possession of personal information for hundreds or thousands of clients and candidates, they have a responsibility to protect that data by using secure vendors and maintaining control of data within their own offices.
“All recruiting and hiring platforms store personally identifiable information (PII), information that can identify a specific person,” says Bill Loller, chief product officer for Jobvite, a provider of recruiting software solutions. “That includes names, addresses, phone numbers, and social security numbers – all the information you would need to take out a credit line or buy a home in someone’s name.”
While most people think hackers are after credit card numbers and email accounts, the truth is that PII is one of the most valuable types of data for cyber criminals. Loller says that’s because PII has a “long-term value” that credit card numbers and similar data do not have.
“A stolen bank account or credit card number can be used once, but then the victim is notified and can cancel the account or change their information,” Loller says. “Stealing PII, on the other hand, allows criminals to impersonate a victim, opening credit, buying property, or even declaring bankruptcy in their name.”
As the above examples illustrate, data security is more important than ever.
“The last several years have witnessed a dramatic shift in cybercrime targeting, as criminals move away from individual consumers and focus instead on enterprise opportunities, targeting systems that store large amounts of PII,” Loller says. “Recent breaches at large data warehouses have resulted in the theft of hundreds of millions of pieces of PII. If a breach like that happens at your company, it could make recruiting and hiring more difficult for years to come.”
Taking Responsibility for Your Own Data
Many recruiters believe that their client and candidate data is protected by vendors and cloud services providers, but it isn’t that simple.
“Most cloud-based ATS and human resource information systems [HRIS] vendors offer platform security, which means that the host, such as Amazon Web Services, agrees to protect the hardware on which the information is stored and the data center in which the hardware resides,” Loller explains. “But while this protects the vendor from physical risks like overheating and break-ins, they’re still vulnerable to cyberattacks.”
Of course, many ATS and HRIS vendors do take steps to protect against these threats.
“The next level beyond platform security is application-level security, which indicates that the vendor has taken it upon themselves to encrypt, monitor, and securely develop their data,” Loller explains. “This protects against malicious traffic, unauthorized attempts, malware, and other dangers.”
The providers that don’t take extra steps are gambling with client and candidate data.
“Ultimately, any provider who is relying on the cloud provider to provide security is securing only about 25 percent of the threat landscape, leaving many opportunities for application attack, vulnerability exposure, and data leakage,” says Loller.
Recently, Jobvite engaged a third-party audit firm to validate its security as a SaaS provider. The organization earned a Service Organization Controls (SOC) 2 certification. SOC 2 certification requires a third-party provider to have advanced IT policies and strategies in place to protect client data. Jobvite is currently the only recruiting platform of its kind to have obtained the SOC 2 certification.
Where Data Responsibility Lies
Hosts (e.g., Amazon Web Services) are responsible for:
- Physical data center security
- Hardware security
- Network (to the edge or internet) security
- Security related to hardware used for storage
SaaS providers (e.g., Jobvite) are responsible for:
- Network traffic inspection and security: firewall, intrusion detection system (IDS), web application firewall (WAF), distributed denial of service (DDoS) protection
- Encryption of data in transit to the application and connections to the application
- Encryption of data at rest
- Secure operating systems
- Identity and access management
- Platform security
- Application security
- Customer data security