The RCSA have warned recruiters to be aware of the danger of cyber attacks on their businesses. They are keen to point out that many businesses are effectively locking the doors of their businesses while, metaphorically speaking, leaving the windows wide open.
From February 22, all Australian businesses with an annual turnover in excess of $3 million will be required to notify the government within 30 days of any breaches where clients’ personal data has been accessed. This means the government is effectively forcing businesses to make sure both their windows and doors, in a cyber-sense, are well and truly locked, keeping the private information of clients protected.
“We believe the recruitment industry is ready for what is a significant change,” Mark Laudrum, director of RCSA Insurance, said. “Over 50 per cent of our recruitment clients are actively purchasing cyber insurance to support them for if and when their data is breached. Whether their IT systems are adequately secure and their staff appropriately trained to prevent breaches is, of course, another question.”
What the new law means
Under the Mandatory Data Breach Notification scheme, businesses have 30 days to report any known data breaches to the government.
“Training and education are the best ways of minimising an agency’s risk of cyber-attack,” Laudrum explains. “The majority of data breaches occur through human error or lack of education about the best firewalls and data security technology, which can be easily breached when a team member opens a malicious file or website link.”
The sheer volume of personal data collected by recruitment agencies can make them attractive targets for ransomware attacks. “We have been working with RCSA to highlight this to members,” Laudrum said. “We know that cyber threats pose a much greater risk to members than property risks and it is something we discuss with every member.
“This ongoing risk awareness is a key contributing factor in the high level of cyber insurance purchasing we have seen in recent months.”
For companies whose systems have been breached by a cyber-attack, the implications for the business can be devastating. “The absolute worst case scenario for a company which has been the victim of a cyber-attack would be the loss of all or some of their data as well as their IT systems including candidate databases,” Laudrum said.
“This would include the loss of accounting and payroll systems, software and your website, possible erroneous transfer of funds to a fictitious supplier or employee and untold brand damage.
“These threats could halt a business in its tracks, cease any employee payments for weeks as the systems are rebuilt or result in the loss of major contracts by the agency’s failure to place candidates on time.”
While cyber insurance is clearly no magic solution to protect your business from cyber-attack, it does ensure you are covered should the worst occur and, as importantly, will force you to look at your current security systems and see how they can be improved to offer protection.
“Cyber insurance offers risk minimisation,” Laudrum explained. “Ransomware payments are insurable and may lead to systems being opened up quickly once a ransom has been paid.
“However, the best-case scenario for a breach leading to loss of data doesn’t always have quite such a favourable outcome. If adequate and secure backup procedures were in place, databases and software can be reinstalled from these clean backups, perhaps enabling a business to be up and running again in a few days.”
One of the best preventative strategies against cyber-attack is the encryption of sensitive data, which makes personal information much harder to access.
Laudrum said that while there was a clear understanding in society about the need to insure against theft, illness, loss of income or accident, cyber threats continue to be misunderstood and are continually evolving to challenge new security measures.
“We often suggest our clients consider their current annual insurance spend and if this doesn’t allow for the purchase of a dedicated cyber insurance policy, they consider diverting some of that spend away from their manageable risks such as property loss/damage, into the much less manageable risk of cyber-crime,” he said.
Where to start?
Laudrum suggested some easy steps recruitment agencies can undertake now to ensure they are cyber secure. These include:
A cyber-insurance policy includes access at all times to an incident response team made up of IT security professionals, forensic experts, PR firms and specialist legal advisors.
“Board directors should be treating cyber-security as an enterprise-wide risk management issue and not just an IT issue,” Laudrum said. “They should understand the legal implications of cyber-risk and ensure they have access to cyber security experts.”
Prevention is still the best cure - insurance is peace of mind.