Are Cyber Security Recruitment Agencies A Security Risk?
In this blog post I discuss the rapid growth of the cyber security recruitment industry and the potential risks this poses to security and privacy professionals and the organisations they support. I discuss two key risks, their impacts and potential options to manage the risk.
You can listen to a podcast version of this blog here
Let me start by stating to all those security industry recruiters that it is not my intention to alienate your businesses or bring you negative press. As a security professional I want to share something which has got me thinking for some time and I want to create some debate and discussion around this topic. So at the risk of all security recruiters ceasing all contact with me, I will continue.
In my last post I discussed how the security industry has really come on leaps and bounds over the last decade. With the increased profile of security and the associated challenges organisations face, there is a demand for security professionals at all levels. In fact, in the recent 2016 Cybersecurity Snapshot survey results published by ISACA, of nearly 3000 respondents, 45% stated that they will look to hire more security professionals in 2016 but that it would be difficult to hire skilled candidates.
With this increased demand, recruitment professionals have spotted the opportunity and started capitalising by setting up security-focussed recruitment organisations. There is of course nothing wrong with this; it's capitalism, it's supply and demand. However my concern is twofold:
- What if some of these recruiters aren't recruiters at all? What if they are cyber criminals phishing for information from or about security professionals, or even using security professionals as an attack vector?
- Are these security recruitment start-ups mature enough to know how to manage the personal and sensitive information they process about individuals going through the recruitment process?
Let's look at both of these situations in more detail.
Risk 1: When a recruiter is not a recruiter
I was recently listening to the Defensive Security podcast – if you haven’t heard of this podcast, you should really have a listen. Jerry Bell and Andrew Kalat’s bromance and analysis of security news and articles is both humorous and insightful. They reference an article from the Verizon Data Breach Digest which describes a real life social engineering scenario which could be from an episode of 24 or modern James Bond film.
I’ve summarised the full article below:
Verizon's RISK team were contacted by a construction client who was concerned by the fact that their major competitor on another continent had launched major new construction equipment which appeared to be an exact replica of equipment recently designed by the client. The competitor had not ventured into this specific part of the market before and had no experience in this area, so the client was suspicious. The concern was not only that the competitor had obtained the designs illicitly from the client, but that they might also have access to future designs.
After investigating, the Verizon team narrowed in on the chief design engineer of the equipment. The engineer was actively seeking employment elsewhere and had been contacted by a recruiter on LinkedIn, and they proceeded to exchange emails. A look at the engineer's system and the associated firewall logs revealed a backdoor on the system and evidence that the design plans had been copied by the attacker.
The recruiter had provided the engineer with many false job opportunities via email attachment. On one email, the attachment contained malware with hard-coded Chinese IP addresses which set up the backdoor, copied the designs and transmitted the files to a well-known Chinese hacking group.
This could happen to anyone, but consider the impact if it happened to a security professional who had either the passwords for the firewall on their machine or a complete schematic of the organisation's defences, risks and issues.
The sleight of hand and optical illusion tactics used by recruiters can fool even the most diligent security professional. I receive connection requests through LinkedIn on a daily basis. In the main I want to network with peers in the industry, so I have a quick glance at their job title and, if appropriate, click Accept. However, as the examples below will show, it's very difficult to tell if someone is a professional peer or a recruiter.
You have a new LinkedIn Request:
So this chap is the Head of Security at …. Yes sure, he looks fine, I’ll accept….
Wait a second!
He’s the Head of Security division at generic two posh names ltd
Ah, a Security consultant – great,
No, darn it!
He’s a Security Consultant at obscure (doesn’t sound like, but is a Recruitment company) ltd
When I come across this – this is usually my reaction:
Without a lot of time and close attention, it is very difficult to tell industry peers from recruiters, and recruiters from potential cyber attackers.
What can Security Professionals Do?
As security professionals, we wouldn’t take on a new supplier at our respective organisations without some due diligence, so for me the same principle should apply to organisations such as recruiters who process a fair amount of personal and sometimes sensitive information about us. Checks could include:
- Company background checks at Companies House
- Speak to anyone in your network who may have used the recruiter in the past
- Ask the recruiter for a reference (that’s a novel idea)
- Security check the website and email domain for any malware using tools such as virustotal.com
- Seek assurance from Cyber Essentials certification or equivalent
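The checklist above is about vetting the recruiter before you engage; the Verizon case shows why the emails that follow deserve the same scrutiny. As an added example that is not part of the original post, the script below performs the kind of lightweight triage a security professional might run on a recruiter's email before opening anything: it checks that the From domain matches the company the recruiter claims to represent, flags Reply-To and Return-Path domains that differ from the From domain (a common sign that replies are being routed elsewhere), and flags attachments with executable or double extensions such as a "job description" that is really a `.pdf.exe`. The sample messages, domain names and finding codes are all constructed for illustration; the check only uses the Python standard library.

```python
import email
import email.utils
import os
from email import policy

# Attachment extensions that should never arrive as a "job description".
# This list is an assumption for the example, not an exhaustive one.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
    ".ps1", ".hta", ".lnk", ".iso", ".msi",
}

# Constructed sample: a "recruiter" mail whose replies go to a different
# domain and which carries an executable disguised as a PDF.
SUSPICIOUS_EML = b"""\
From: "Jane Recruiter" <jane@examplerecruit.co.uk>
Reply-To: jane.recruiter@mail-examplerecruit.com
Return-Path: <bounce@mail-examplerecruit.com>
To: candidate@example.org
Subject: Head of Security opportunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Hi, please find the job spec attached.
--BOUND
Content-Type: application/octet-stream; name="Job_Description.pdf.exe"
Content-Disposition: attachment; filename="Job_Description.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

# Constructed sample: a plain-text mail from the claimed domain, no attachment.
CLEAN_EML = b"""\
From: "Jane Recruiter" <jane@examplerecruit.co.uk>
To: candidate@example.org
Subject: Head of Security opportunity
Content-Type: text/plain

Hi, the role is based in London. Happy to discuss on the phone.
"""


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = email.utils.parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw, claimed_domain):
    """Return a list of 'CODE: detail' findings for a raw RFC 5322 message.

    claimed_domain is the domain of the company the recruiter says they
    work for (e.g. taken from their LinkedIn profile or Companies House).
    An empty list means none of the checks fired.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    return_dom = _domain(msg.get("Return-Path", ""))

    # The sender should be writing from the domain they claim to represent.
    if from_dom != claimed_domain.lower():
        findings.append(f"FROM_DOMAIN_MISMATCH: From is {from_dom}, claimed {claimed_domain}")

    # Replies and bounces routed to another domain are worth a second look.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"REPLY_TO_MISMATCH: Reply-To domain {reply_dom} differs from {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"RETURN_PATH_MISMATCH: Return-Path domain {return_dom} differs from {from_dom}")

    # Inspect every attachment name; never open the content here.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() in RISKY_EXTENSIONS:
            findings.append(f"RISKY_ATTACHMENT: {name}")
        if "." in stem and ext.lower() in RISKY_EXTENSIONS:
            findings.append(f"DOUBLE_EXTENSION: {name}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw, "examplerecruit.co.uk") or ["no findings"])
```

The script deliberately reads only headers and attachment names, so it is safe to run on a saved `.eml` before the attachment is ever opened; a clean result is not proof that a message is safe, only that these particular signals are absent, which is why it belongs alongside, not instead of, the VirusTotal and background checks listed above.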
Risk 2: Security maturity of the agencies
Anyone who has read James Caan's autobiography (The Real Deal: My Story From Brick Lane to Dragons' Den) about how he set up Alexander Mann Solutions will know that there are three things which make a successful recruiter:
- Sales ability
- Good network (or can build one quickly)
- A phone
With the above and now a laptop, you can be an entrepreneur with a registered address in the city and pay as you go meeting rooms (or a coffee shop/pub depending on your client) with very low start-up costs. All you now need is a memorable name. I think many of these new recruiters are following James Caan’s book like a bible as I’ve seen a slew of recruitment firms pop up with posh gentlemen “establishment” sounding names. I won’t name them, you know who you / they are.
Recruitment agencies process a lot of personal and confidential data
Recruitment firms have access to a lot of information, both about the hiring company and about candidates. In fact, legally they have to retain a lot of information for at least a year. Don't take my word for it; below is the list of mandatory information that recruiters need to retain, from GOV.UK:
Agencies only have to keep records of work-seekers if they take action to find them work.
For example, if they receive speculative CVs and don’t use these candidates, they don’t have to keep the CVs.
They must keep the following records on work-seekers they either find work for, or try to find work for the candidates:
- the date of application
- name, address and, if under 22, date of birth
- any terms which apply, or will apply, between the agency or employment business and the work-seeker
- any document recording changes to these terms
- details of the candidate's training, experience and qualifications and any authorisation to do particular types of work (and copies of any documents provided relating to this)
- details of any requirements specified by candidates in relation to taking up employment
- names of hirers the candidates are introduced or supplied to
- details of any resulting engagements and when they start
- a copy of any contract between the candidate and a hirer that is entered into on the candidate's behalf
- the date any applications are withdrawn or contracts are terminated
- details of enquires about the candidate and the position concerned (including copies of all relevant documents and dates they were received or sent)
For Hirer records – click here:
So what's the risk?
Recruiters hold a treasure trove of personal information: signatures, dates of birth, salaries, pay details, exact job and education history (including certificates). All of this can easily be used for identity theft, fraud and maybe even impersonation. As I stated, recruitment agencies have to keep hold of this information, but I question whether these new start-ups are mature enough to have good security controls over the data.
Are the laptops and USBs encrypted?
Are they running up to date antivirus?
Are there internal security policies, procedures and security training provided to staff?
What is the staff vetting process like?
The requirement is to hold the information for a minimum of a year; there's nothing to say that these organisations don't keep it forever, just in case it proves to be useful in the future. The risk over the data remains for as long as recruiters are in possession of it.
For those who know a little about Privacy / Data Protection, the UK Data Protection Act states that personal information should not be held for longer than is necessary. When does "necessary" end? And from my own search of the Information Commissioner's public register of data controllers (any organisation that captures and processes personal data), some of these security recruitment firms aren't even registered. I'm not an investigative security journalist like Krebs on Security, so I'm not going to name and shame, but you can search the register yourself.
What can recruiters do?
My point is that security recruitment agencies need to be cognisant of the industry their clients and candidates work in. They're dealing with security and privacy related hirers and candidates every day, and so should be proactive in having good security and privacy processes, in order to reduce the risk to their clients and to themselves. The example I used above of some agencies not registering with the ICO could land them in a lot of trouble, including a fine of up to £500K (in extreme circumstances).
I realise that as a start-up, it’s difficult to know all the things which must be done, but at least on privacy and security topics, there is a lot of helpful information for agencies.
Further information on Privacy / Data Protection
The ICO website has lots of useful information and guidance to help manage personal data.
Further information on Security best practice
If you're a small recruitment agency, the UK government-backed Cyber Essentials scheme can help you meet the basic requirements of security, and it's possible to obtain independent assurance of your controls too. Call it a small to medium-sized business security badge of honour. If you want to know how your security processes fare now, you can complete the online questionnaire and self-assessment.
The UK government is also providing a grant of up to £5000 for small businesses to bolster their security and seek specialist security advice.
For security recruitment agencies who want to personify the industry they serve, there is help if you know where to look.
I appreciate how challenging being a recruitment professional must be; I've been in sales and I know it's a hard slog. With current market conditions, there is a need for professional cyber security and privacy recruitment organisations. But a relatively fledgling industry with a huge influx of new players brings its own risks. Coupled with the tactics used by cyber criminals today, both security recruitment agencies and security professionals should be mindful of the risk and proactive in managing it.
See you on my next post and podcast. Stay safe and remember: "Information is a risky business"
About the author:
Jeremy Kajendran has over 13 years of experience in Information Security, Privacy and Risk Management. Jeremy leads Ernst & Young's (EY's) UK Financial Services Privacy Practice and is a Fellow of Information Privacy (awarded by the International Association of Privacy Professionals).
Views and opinions presented on inforisky.com, talks and podcasts by Jeremy are personal opinions only and in no way represent the views, positions or opinions – expressed or implied – of Jeremy’s previous, current, future employers, consulting customers or anyone else.