Recruiters up their game but cyber security risks still run rife

Posted: 17th Jul 2023
Teaming up with APSCo, Atlas Cloud audited the leading industry body’s member portfolio for cyber security risks for the second year running.
This is an extended version of an article published by Recruiter magazine.

New Research: Wednesday 20th July 2023

Over three-quarters of recruitment firms have at least one employee password leaked into publicly available sources, a new study by recruitment-specialist IT services company Atlas Cloud has found.

Teaming up with APSCo, Atlas Cloud audited the leading industry body’s member portfolio for cyber security risks for the second year running. The study – the largest of its kind in the UK recruitment and staffing industry – looked at breached passwords, phishing protection, web server and domain issues as part of a non-intrusive audit of almost 600 agencies.

Of the 584 firms audited, 76.4% had one or more instances of employee usernames and passwords evident in lists circulating on the Dark Web. This represents a modest increase from 76.1% on exactly the same group of firms when audited at the same time last year. Over half (51.5%) had 10 or more breached passwords, again a modest increase on the year before (50.1%).

Cybercriminals use username and password information to enter corporate IT systems, looking to gain access to valuable information. In the recruitment industry, that usually means candidate CVs and payroll details, if providing temp services. Without the right protective factors, 3 in 4 agencies could have open doors to this key information.

Pete Watson, CEO of Atlas Cloud, has some strong advice for recruitment bosses:

“We’re all bound by the GDPR, which the UK adopted post-Brexit, to protect personal data. Directors often delegate cyber risks yet are the ones answering the ICO if anything ever happens – we need to break this dichotomy.

“Since our study last year, we’ve had a real-world reminder of what happens when candidate information unlawfully gets into the wrong hands. Costs spiral the moment you inform affected candidates, as you’re duly bound to do. From direct costs like candidate compensation claims to indirect costs like clients, candidates – eventually – consultants preferring to work with agencies without tainted reputations.”

Pete Watson – CEO, Atlas Cloud

The study found more alarming cyber vulnerabilities. Newly included this year, Atlas Cloud looked for evidence of specialised phishing protection technologies, finding that at least 2 in 3 agencies (66.0%) had no evidence of this on their mail servers. Of the remaining 34%, it was not possible to validate whether phishing protection was in place for certain.

According to Official UK statistics, phishing is the number one cause of breach (Cyber Security Breaches Survey, 2023) and has been for many years. Phishing is a tech industry term for spoofing, commonly through email, that is responsible for tricking unsuspecting employees into actions like financial transactions. It costs firms thousands each year. To stop this, experts recommend phishing protection that bolts on to popular email systems like Microsoft 365 and Google Workspace.

Remarking on the subject of phishing, Watson argues:

“On the face of it, you think your own employees are smart enough to detect spoofing and therefore write off the need for specialised protection. But you’re devaluing the power of social engineering.

“Sure, catch-all attempts will be ignored by your employees but criminals are far more sophisticated these days, especially when they can earn so much. They’ll typically look to find out key information in advance from other employees, like who the company banks with and what days it makes pay runs. Then use this information in the phishing attempt.

“So, when you get an email request from the CEO containing information only known internally, you tend not to question it. It costs thousands.”

Pete Watson – CEO, Atlas Cloud

The study this year also found positive examples of the industry fortifying cyber defences.

DMARC, a key protective factor that stops criminals from hijacking corporate domains, has now been implemented by 2 in 3 (66.7%) recruitment agencies. This represents a significant step from less than 1 in 4 (24%) of the same firms at the same time last year.

Elsewhere in the research, 9 in every 10 agencies (89.7%) were found to have website vulnerabilities, but this has reduced from a significant 97.4% in the previous year. In recruitment, corporate websites are often responsible for processing candidate CVs, which contain valuable personally identifiable information. In most instances, vulnerabilities like this can be eliminated simply by updating website backends like WordPress to the latest versions.

“It’s great to see our research from last year may have been making an impact but next year I think we’ll need a more concerted effort from directors to go be hands-on with cyber and re-risk their firms altogether.”

Pete Watson – CEO, Atlas Cloud

Commenting on the findings in general, APSCo Global CEO, Ann Swain, said:

“I’m delighted to see our groundbreaking industry research return for a second year running. We’re already seeing positive steps by the industry de-risking, but it doesn’t take a cyber expert to realise that more can and should be done.”

Ann Swain – Global CEO, APSCo

more information

Atlas Cloud specialises in managed IT and cyber security services for recruitment agencies.

If you’re an agency director looking to take a more hands-on approach to managing cyber risks (whether technically-minded or not), Atlas Cloud offers helpful beginner resources.

A webinar in September offers an overview of what directors need to know. APSCo members can claim a free report on the information we gathered about their agency for this study or, upgrade by claiming one of a limited number of freely-available Cyber Security MOTs.

Cyber Security MOT

To celebrate the research, Atlas Cloud is offering 300 of their popular Cyber Security MOTs (usually £80) for free. Claim yours and Security Manager, James Thompson, will audit your agency (from the outside) and talk you through the results in a 15-minute appointment.

At the end, you’ll receive a detailed cyber health report and a certificate to show the date you had your cyber risks externally validated by a third party. 

Links to helpful resources


Badge in white


Atlas Cloud’s 12-point Cyber Security MOT  checks an agency’s roadworthiness, rubber-stamping business continuity for the road ahead.

To celebrate the second year of auditing the recruitment industry, Atlas Cloud is giving away 300 FREE Cyber Security MOTs to APSCo member agencies. 

About The Author

Ben is passionate about technology that enables people to work more productively and collaboratively from anywhere in the world. He’s a karaoke king and an avid explorer, despite the fact that every holiday he takes seems to end in disaster.

New Research

Our recent, nationwide research shows what can be learnt from working during lockdown. Download the report today.

Sign up to newsletter?*
Privacy Notice: We won’t sign you up to any marketing mailing lists (unless you ask us to*) but we may email you to make sure you have been able to access the content successfully. View our privacy policy.