Jim Tiller, Global CISO, and Ben Shepherd, Data Protection Director, Harvey Nash Group outline the key challenges for information security in the recruitment sector. This article first appeared in the March edition of Global Recruiter's Compliance Report 2022 on page 22.
It was a trend already in motion, but one the pandemic has hugely accelerated: technology is in use everywhere within the recruitment industry.
Discussions, interviews and profiling with clients and candidates; internal communication and collaboration; the storage and processing of huge amounts of data – all of these are increasingly conducted through technology platforms and hosted in the cloud.
Without doubt, this unlocks significant efficiencies and enables recruiters to become more agile, responsive and fleet of foot. But what of the security and data privacy implications and risks, and how should these be managed?
Firstly, security. No one really needs reminding that cyber attacks are almost endemic. In the 2021 Harvey Nash Group Digital Leadership Report, a quarter of tech leaders said their organisation had suffered a major IT security incident or cyber attack in the previous two years. This has edged down slightly – a sign perhaps of the rising investments being made.
But attacks remain almost a fact of life. It has become increasingly easy for cyber criminals, hacktivists and others to deploy sophisticated tools to infiltrate systems, deny service or embed ransomware.
And the goalposts have shifted: whereas in the past, the main targets were financial organisations and others whose business was money, now data has become the new oil. In the digital age, all businesses hold data.
As a result, no organisation can be complacent about cyber security. With so much confidential information circulating in their systems, recruitment firms must be continually vigilant. This need has been heightened by the growing shift to digitisation.
Things that may previously have been discussed verbally in the office are now more likely to be communicated in an electronic message. Face-to-face interviews are likely to take place over Teams/Zoom or via a virtual interviewing platform instead. And massively more data is held in the cloud.
In many respects, it’s simply a case of getting the basics right. Simplify and standardise your systems where possible: complexity is security’s nemesis.
Test your systems, check your firewalls, make sure updates and patches are promptly applied. Ensure communications are encrypted. Make sure your identity and access/authorisation controls are rigorous and up to date.
In some senses, the task is becoming easier because with the migration to the cloud, most of us now have access to the security capabilities and provisions of the tech giants like Amazon, Microsoft and Google – and their controls will at times exceed what some organisations currently have in place.
Of course, the critically important aspect is knowing how to take advantage of those security features. Over time, optionality and user choices may become more limited – but the specification and security of solutions will be continually enhanced too.
Nevertheless, no one can afford to rest on their laurels. The risks and the potential damage to reputation are simply too high. You need to work tirelessly at maintaining and enhancing the cyber resilience of everything you do.
Then there is data privacy. It’s another hot topic that’s become especially prevalent in the digital age. We are all, as business users and consumers, more aware of how our data is used and shared.
And again, with so many more communications and discussions taking place electronically and remotely now rather than face-to-face, the risk rises with it of inappropriate data sharing or unwitting breaches of confidentiality.
That’s why you need very clear protocols that are understood by all. Obviously, we can’t go far here without mentioning the GDPR.
As an organisation, you need to be clear in all cases what your lawful basis is for data collection and processing – whether that’s consent or another basis under GDPR such as legitimate interests.
And whether it’s data retention, fair processing, privacy notices, subject access requests or maintaining records, it’s simply a prerequisite to ensure that everything is compliant with your regulatory obligations.
But of course, having the right policies and data architecture in place is one thing – making sure that staff on the ground (and, increasingly, on their own at home these days) understand the rules and follow them is another.
That’s why a programme of training, support and guidance is essential, across both privacy and security. At Harvey Nash Group, we have mandatory annual training that applies to all staff, right up to the CEO.
We have a set of company rules on security and privacy that is communicated to everyone as well as a foundational set of privacy principles for staff to follow.
It’s often said that ‘culture eats strategy for breakfast’ – that’s especially true in this area. The best and most effective way to ensure that people are mindful of security and follow data sharing rules is to embed it into the prevailing culture of the business.
Encourage team leaders and line managers to include it regularly in conversations with their teams, formal and informal. Those ‘water cooler’ moments can be especially impactful. For example, a simple reminder: ‘Don’t put anything in an email that you wouldn’t want to see in the press tomorrow.’
The growing digitisation of recruitment is also raising new issues that businesses need to tackle. One of these is that the hybrid and remote working era means candidates from a much wider geographical area may apply for a role.
Clients are aware of this too and some are expanding the perimeters of their search. In our Digital Leadership Report, over a third of digital leaders said they have widened the geographical net.
This means that recruitment firms are increasingly likely to be interacting with individuals based in potentially less familiar overseas jurisdictions – so following the right data protection rules is essential.
If you use the GDPR as the ‘gold standard’ and base policy on that, you are unlikely to go far wrong. Nevertheless, some changes may need to be made.
For example, in the US, California has specific rules around individuals’ data rights. We have an office there, and so needed to update the web pages of our US site with required disclaimers.
Other issues are more conceptual – and may need collective discussion and debate as an industry to chart the way forward. Primarily, these revolve around the growing automation of profiling, screening and even job-offering to candidates. With increasingly sophisticated algorithms available, it may become possible to conduct almost a complete recruitment process through machine intelligence.
This type of advance in technology may clash with data subject rights under the GDPR. Clearly, good recruiters will always ensure that their talented people make the ultimate decisions and recommendations to clients.
But, as the technology develops, where will the line be drawn over what degree of autonomous AI decision-making is acceptable? It’s certainly one to watch.
Recruitment has always been a dynamic industry and the sector is living up to its reputation through its rapid and successful embracing of technology.
Nevertheless, this brings some challenges that have to be carefully managed.
At Harvey Nash Group, we’re huge advocates for the benefits of digitisation – but equally, we continually monitor, measure and test it to ensure it’s generating the outcomes desired.