Your umbrella getting hacked is so yesterday. What now, if your agency looks set to be hit next by cyber-attackers?
With cyber-attacks on umbrella companies crystallising contractors’ concerns about personal data and the lack or absence of payment for services rendered, it’s high time to look at another party in the chain where both of these risks exist, yet one whose compromise would impact a greater number of contractors -- staffing companies, writes Matt Collingwood of IT recruitment agency VIQU.
Those umbrella company hacks? It was a case of ‘when’ not ‘if’
Some of the brollies hacked in the past few months might feel that they’ve done their utmost. But as a partner to one among them, our business has had to sit and watch thousands of hard-working contractors either not be paid, or at best, be paid inaccurately if not very late.
Unfortunately, these cyber-attacks were never a case of ‘if’ they were to happen, but ‘when.’ The fact these hackers were able to gain access, extract/copy private data, and cause ongoing downtime of contractor services raises many questions over security, business continuity, and recovery.
The ramifications of the attacks you know about – and worse, the fact that I know of recruitment agency bosses who have kept cyber-attacks against their operations under wraps – speak volumes about the vulnerability of providers in the recruitment supply chain. It also highlights as ABSOLUTELY CRITICAL the need for contractors to employ, and then re-employ, ‘due diligence’ when looking at engaging both umbrella companies and recruitment agencies.
Why contractor recruitment agencies make prime targets
At first thought, you might assume that recruitment agencies would be relatively low on a hacker’s list of recruitment supply chain targets!
However, there are a number of reasons why a recruitment agency makes a prime target for cyber-attackers:
- The data-richness and diversity
If you work as a contractor, your agency may hold your proof of ID (passport or birth certificate), your home address, your bank details (your PSC’s or your personal account’s), your CV and your next of kin’s details! Once harvested, hackers can use this data for various illegal activities which could have huge financial implications for you.
- Agents have virus-like qualities!
A lack of internal process can easily lead to hapless or rogue recruiters using ‘BYOD’ (bring your own device) and taking, or incorrectly handling, data when they move on to another recruitment job.
- Tech done on the cheap
Minimal investment in technology can lead to vulnerabilities. For instance, of the THREE recruitment agencies I know that have had access blocked to their own systems by hackers, all of them had on-premises systems. Perhaps a lesson in the use of SaaS products?!
- Dependence on data, databases
Data is a recruiter’s bread and butter! Take away access to an agency’s systems and the hacker is essentially preventing the business from operating and making money.
- That which precedes you…
Reputation is everything in recruitment. Falling victim to a cyber-attack is bad for business, and hackers can use this to their advantage. Why else did those three agency bosses whose operations came under attack keep quiet?!
The ugly truth
While coronavirus was transforming the world of work, it fuelled another pandemic -- of cyber-attacks and data breaches. In the first three quarters of 2020, cyber-attacks increased by a staggering 51% compared to the same period in 2019 (according to Risk Based Security).
The biggest fine issued (so far) by the Information Commissioner’s Office (ICO) is £184 million, against British Airways. Personal details of over 500,000 customers were harvested by the attackers, who diverted website visitors to a fraudulent website.
Well, the law on data breaches is very clear -- when an organisation is entrusted with personal data, it must look after it. If it fails to do so, it faces scrutiny and penalties that can reach into the millions of pounds!
A terrible trio
Well, I would impress upon contractors that there is a very small but real percentage of recruitment agencies which have suffered from data breaches but that have not disclosed them. They didn’t disclose them over fear of reputational damage and fines from the ICO.
Of the three agencies referred to here (which operate either within the IT sector or in my local region, the West Midlands), I understand that the two which had access to their database blocked by hackers paid sizeable fees of £10,000 in bitcoin -- only for the blackmailer to then demand a further £50,000!
Two of the agencies also eventually had to instruct cyber-recovery experts in order for the business to regain access to its own systems. All three of the agencies suffered significantly from downtime, and one had its system offline for more than two weeks.
My understanding, and indeed a common denominator of all three, was that their database had not been backed up for MONTHS. All three also had either a weak business continuity plan or one that was made up almost on the spot. Perhaps more worryingly for contractors, the ICO has not been involved with any of the three agencies because, in all three cases, the ICO was not notified.
What can contractors do to protect themselves?
- Be very mindful of what information you give to each recruitment agency you work with. My recommendation is that you make use of the Right to be Forgotten under UK GDPR.
- Use a business address (your company’s registered address) for all contractor work – but ideally this would be your accountant’s address.
- Don’t be afraid to ask an agency if they hold ‘Cyber Essentials’ certification, or at least have a basic security policy. In the event of an attack, do they have a business continuity plan?
Last month, ContractorUK published guidance from us on the best course of action for contractors dealing with agencies unwilling to use their umbrella of choice. And believe it or not, a similar approach is applicable here!
Contractors should do as much ‘due diligence’ as possible to ensure they have a strong understanding of the suppliers they work with and knowledge of their suppliers’ compliance.
With stats showing that four in ten businesses (39%) and a quarter of charities (26%) report having had cyber security breaches or attacks in the last 12 months alone, surely identifying compliant, security-conscious and ethical recruitment agencies to work with should be nothing less than a top priority for IT contractors.