
Data security: don’t keep your head in the cloud

November 13, 2014

Peter Crush

Anyone who has previously heralded the ‘cloud’ as the great IT advancement of our time must surely be wondering where it’s all gone wrong.

For it now seems that not a month goes by without yet more cloud-related ‘security breach’ stories: in particular, Apple’s much-publicised iCloud hack (where X-rated images of celebrities were leaked online), followed swiftly by the Snappening, the posting of thousands of images and videos sent via the Snapchat app, all thought by users to have been deleted.

Although security breaches are nothing new – IT breaches have increased every year since 2011 (and last year more than half a billion records of personally-identifiable information were leaked – source: IBM’s X-Force research) – the link between them and the cloud is becoming intrinsic, and for data-heavy, commercially sensitive businesses like recruitment agencies, this should be a cause for concern.

‘Clients ask us about security’

“Perception about data security has now reached a point where clients are actually coming to us, asking what procedures we have in place to ensure their personal information is kept safe,” says Michael Barrington-Hibbert, managing partner, Barrington Hibbert Associates.

“We hold the mobile phone numbers, addresses and family members of CEOs, FDs and chairmen of virtually everyone in the Square Mile, and worry about data breaches has certainly caused them to question our procedures.”

Barrington-Hibbert does have a cloud-based system, but says his firm has spent thousands of pounds ensuring the security settings he has make his company as impenetrable as it can be.

“The reality is, we know we get attacks all the time – but that’s only because we have the systems in place that actually tell us about this,” he says. [According to IBM’s Economics of IT Risk & Reputation report 2014, most instances of data loss aren’t picked up until days after the event even happened.]

He adds: “I’m not sure if the wider industry believes data loss is something likely to happen to them, but to me, it’s all about applying proportionality. The data agencies have is how they make their money; it’s essential more agencies take an interest in their security.”

Complacency

It’s likely many agencies still have an ‘it won’t happen to me’ approach, because while bodies like the British Standards Institute name security as one of their emerging trends this year, industry-specific data can still cause complacency.

According to the latest data from the Information Commissioner’s Office (published November 4), for the first two quarters of this year there were ‘just’ three incidents of data loss among recruitment agencies, and this is four fewer than in Q3 and Q4 of 2013. Of 43 sectors measured, recruitment agency breaches were small compared to the most attacked sector – health (195 breaches in Q1 & Q2), followed by local government (55), general business (28), education (21) and solicitors (17).

However, according to Janek Formella, managing director at recruitment agency Cornucopia IT Resourcing (which actually specialises in supplying IT security personnel to clients), agencies are sometimes forced to take difficult decisions about cost vs risk: “Our own research shows one in three companies are completely unprepared or adequately protected against a security breach, but as any small business will understand, agencies have to factor in whether they can afford to employ a dedicated person just doing this.

“We’re a ten-person agency, and we’re not yet big enough to have a permanent IT security resource, and that’s what many agencies are having to weigh up.”

Formella’s company holds more than half a million personal records, so it recently hired an external consultant to examine how strong its own IT security was, and the agency was recommended Office 365, which is now used to host all its CVs/data on the cloud. But part of the audit revealed some simpler things all agencies could do to improve their data security.

“One of the biggest threats identified was actually the rise of BYOD (Bring Your Own Device), where staff use their own smartphones or laptops to access the agency network.” He says: “It might seem useful to enable staff to work from home, but it’s a massive security risk if their laptop is lost or gets stolen, or left on the back seat of a cab. The system we have in place enables any laptops to be wiped of any server-data they might have been accessing immediately, so if hardware is stolen, it won’t have any of our clients’ personal data.”

At Barrington-Hibbert, staff are banned from taking laptops out of the office completely, and other steps agencies can take include becoming familiar with the security that sites they regularly use, such as Monster, have in place.

For instance, Monster has a password register. The aim is to prevent passwords (that access its CVs) from being passed around: Monster can identify and shut down access to its servers if it suspects someone has tried to use a password from a different IP address.

Forearmed is forewarned

According to the Data Protection Act, agencies have an obligation to keep personal data ‘secure’ and ‘as far as is practicable access to the data should be limited,’ which is not the most precise of requirements. However, EU penalties on ‘data controllers’ could soon be severe. Draft legislation has called for fines for significant data losses to be 5% of a company’s turnover (up from the original proposal of 2%).

Maybe this is just the sort of threat that will make agency bosses sit up and take notice of data security.

“Agencies definitely need a more proactive auditing strategy,” says Formella.

Adds Barrington-Hibbert: “It may just be the case that smaller agencies are just not aware of the significance of all the data they hold being lost, or attacked, but I really do stand behind the need to put investment behind this. We all need to use our data faster, more efficiently, and smarter, and this means having a plan for security.”

  • Published: 9 years ago on November 13, 2014
  • Last Modified: November 14, 2014 @ 11:44 am