As shown by the recent rise of cyber-attacks on umbrella companies (which caused severe disruption and delays in payments to contractors), attacks of this nature are becoming increasingly common and damaging for businesses operating in the recruitment sector. This is particularly the case for employment agencies, umbrella companies and accountancy firms, as they hold sizeable amounts of personal data that cyber criminals seek to access and exploit, often for monetary gain.
These latest incidents serve as a timely reminder to recruitment companies that they should be alive to the potential risks and impact of cyber-attacks on their computer and IT systems. It would also be prudent to consider in advance what steps would mitigate the impact of an incident and protect the business and other relevant stakeholders.
What are cyber-attacks and what impact can they have?
Before delving into the measures companies could take to prevent and mitigate a cyber-attack, it is helpful to identify and understand what a cyber-attack is. Whilst there is no agreed definition, it typically involves a deliberate, unauthorised entry by a third party into a computer system or network with malicious intent.
The attackers seek to identify and exploit any vulnerabilities in a computer system and network to:
- Gain unlawful access to restricted (and often confidential) information or personal data.
- Steal, destroy, compromise, change or manipulate data and computer systems.
- Deny or restrict access to the data or computer system (for example, by encrypting it or overloading the network), leaving systems and services unavailable to the business.
A cyber-attack can occur in a number of different ways and forms, with varying degrees of sophistication, including phishing emails used to obtain credentials or deliver malicious software, and malware in its various forms (ransomware, spyware, Trojans and viruses). Criminal ransomware is a particular concern (as shown in the recent umbrella company attacks): the attackers encrypt data on a target's computer system and demand a ransom in return for the means to restore it. It is now also common for attackers to copy the data out of the network before encrypting it and to threaten to publish it, so a ransomware incident is usually a personal data breach as well as an outage.
How to prevent them?
Given that companies operating in the recruitment space often process large quantities of personal data, there are a number of preventative measures that can be taken to reduce the likelihood and impact of an incident whilst increasing the obstacles a bad actor would have to overcome.
- Cyber strategy and regular reviews. Prepare a comprehensive cyber strategy. Conduct regular and thorough reviews of the computer systems and network security to identify and remedy any weaknesses and vulnerabilities, and ensure that appropriate measures are in place to protect the systems and the data. The National Cyber Security Centre publishes guidance on the measures companies can take, and external specialists can test the systems and simulate an incident to stress-test the response and highlight gaps in the infrastructure.
- Response plan. Prepare a cyber-attack response plan that can be put into effect quickly in the event of an attack. This allows prompt and decisive action to contain the incident and minimise the extent of the disruption. Measures to take include identifying an experienced incident response provider that can be instructed at short notice, allocating responsibility internally within the business, and setting out an appropriate escalation process.
- Processes and procedures. Implement appropriate procedures and processes to recognise and identify instances of cyber-attacks and security breaches, review the business's supply chain (suppliers and software with access to its systems or data), prepare a framework for conducting an investigation, and set out methods of reporting.
- Cyber insurance. Although it is not a preventive measure, appropriate cyber security insurance protects the business against financial loss. Check what the policy requires of the business before and during an incident, as cover may depend on it.
- Legal support. Include a lawyer in the response plan who is available to support the process, to maximise the chance that advice received is protected by legal privilege and not disclosable in the event of any court proceedings.
What to do if your business is affected?
Whilst preventative measures are preferable to reactive ones, businesses should consider what actions and steps they would take in the event that they experience a cyber-attack.
- Response plan. Follow and adhere to any cyber-attack response plan that the business has in place.
- Incident response. Work with experienced experts to swiftly investigate the incident in detail and identify the cause and extent of any breaches or malicious activity (with particular attention to any breach involving personal data). Preserve logs and other evidence before systems are rebuilt, as the investigation and any later regulatory or legal process will depend on them.
- Suspension. Depending on the extent of the incident, businesses may need to isolate or suspend affected systems or the network to prevent further malicious activity, despite the disruption this is likely to cause.
- Notification. Inform and notify the relevant authorities and personnel to ensure compliance with regulatory requirements. Depending on the scale and nature of the incident, businesses may need to report it to the UK National Cyber Security Centre. Additionally, under UK GDPR (being the UK's retained version of the EU's GDPR), a business that experiences a personal data breach must report it to the Information Commissioner's Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; and if the breach is likely to put individuals' (such as contractors', employees' or candidates') rights and freedoms at high risk, the business must also notify those individuals without undue delay.
- Cyber insurance. Notify insurers of the incident promptly, as the policy may require the business to take particular steps or to use approved providers.
- Communication. Managing the fallout of a cyber-attack will be critical, particularly in respect of suppliers, customers, employees and contractors, as well as the business's reputation.
- Legal support. Again, making sure you have a lawyer on board who understands both the data issues and the risks of litigation will improve your chances of dealing with the legal exposures of a cyber-attack.
Further information on the cyber security services we offer is available here. If you would like to discuss any cyber or information security matters, please do get in touch with a member of our Data team or MDR Cyber team.