招聘机构是建立在信任的基础上的——你的客户和候选人需要知道他们的个人信息在你手中是安全的. 如果你之前没有考虑过你的网络弹性, 你必须了解招聘行业面临的网络安全风险,以及如何缓解这些风险.
招聘行业面临哪些网络安全风险?
Sensitive data management
招聘中存储的许多数据都是个人身份信息(工资), gender, contact information, job description, previous employers, references etc.). 因此,至关重要的是,只有那些被授权的人才能访问它. This means ensuring all accounts have strong, unique passwords and Multi-Factor Authentication enabled. 最佳实践还将实现数据分类工具,以防止敏感数据有意或无意地离开您的组织.
Phishing attacks / Malware (email attachments)
作为一名招聘人员,你会收到大量作为电子邮件附件的简历. 由于其中任何一个都可能是伪装的恶意软件,您需要保持警惕,检查它们. 招聘经理、财务人员或招聘公司也是如此, 因为这些员工和部门也更容易收到恶意电子邮件附件
Remote working -大量员工远程工作,大量客户会议
许多员工远程工作带来了很多网络安全风险,因为高层领导对员工工作地点的实际控制将减少, meaning they could be working from unsecured public wifi, 他们可能在拥挤的火车上工作,把敏感数据泄露给附近任何一个碰巧在肩头冲浪的人, 他们可能会在公共工作场所留下无人看管的设备.
A high volume of client turnover - data
员工的高流动率——流失线索、客户和设备
招聘是一个员工流动率历来很高的行业, 顶尖的招聘顾问经常被竞争对手挖走. With this in mind, it is vitally important to secure your data and restrict a staff member's access to data and devices as soon as possible; to limit the amount of client & candidate data they can exfiltrate and take with them.
Scams facing firms/candidates
在过去的3 - 4个月里,旨在从求职者那里获取关键个人身份信息的招聘广告数量有所增加. Read more here
How can a recruitment firm mitigate these risks?
Security Awareness Training - from board level down
一家公司的网络安全态势必须得到全体员工的支持, ideally from the board level down, with multiple security champions. Security Awareness Training should be done quarterly, and ideally, 每季度都应修改内容,以反映工作人员知识方面的差距.
Devices - Anti-virus and firewalls
Anti-malware (anti-virus) should be installed on all work devices as a mandatory defence; this should also have automatic updates enabled. 另一项防御措施是确保所有笔记本电脑和台式电脑的防火墙都在本地激活. 这些设置为最安全的设置,以防止尽可能多的未经授权的连接.
控制设备——加密,备份,自动更新,远程锁定,MFA
理想情况下,所有设备都应该注册到移动设备管理(MDM)解决方案中, 因为这允许组织控制什么设备可以用于, what software can be installed, and how often updates for Operating Systems & anti-virus are installed. 其他功能包括:确保在所有设备上启用加密,并确保在业务流程中尽可能频繁地备份所有设备
Implementing key security policies with all new hires
安全策略在企业中是必须的,尤其是对于新员工. They can state acceptable use, password strength for accounts, processes to follow with phishing emails and much more. 它们是让所有工作人员朝着一致的网络安全立场努力的一个基本组成部分.
Remote working - VPN, security screens
In addition to firewalls and anti-virus, 在远程工作的员工使用的所有设备上启用VPN是很重要的. 这通过更改设备的IP地址和加密发送的所有数据来提供安全性, 因此,在不安全的公共WiFi上工作的同事大大减少了他们受到威胁/攻击的机会
The best practice for remote workers is also to consider installing security screens on all devices; this will reduce the risk of shoulder surfing and sensitive data exposure as only the screen will be un-viewable to anyone but the user.
Cyber Essentials
Cyber Essentials是一项政府支持的计划,允许您的企业获得认证, 向您的客户显示您已采取了可靠的安全措施. For more information, read here.
