The risks facing recruitment agency directors when delegating cyber security

Posted: 11th Apr 2023
Having liaised with many agency leaders, the disparity in how they approach cyber security has become apparent. We discuss how many agency directors are more exposed than they probably realise.


Thanks to our partnerships with both APSCo and now the REC, Atlas Cloud has performed cyber security audits on over 2,500 UK-based recruitment agencies. 

From micro agencies to the big ones, we’ve seen it all. See a sample of our findings.

Having liaised with many agency leaders in this process, the remarkable disparity in how SME agency directors treat the subject has become very apparent. While many take a once-a-year approach to reviewing cyber risks (which is perfectly adequate), many still choose to fully delegate the process – internally or externally – and instead trust someone else.

While that may keep the agency secure – after all, the expert probably knows more about the subject than a non-technical director – it still exposes agency directors more than they probably realise. Allow us to explain.

A reminder of the risks

No doubt you’ll be aware of the GDPR and the UK version that quickly followed post-Brexit.

Reasonable steps must be taken to ensure personal data is secure. As a recruitment business, that means candidate CVs and, if processing payroll, bank details/IDs too. In other words, high-value information with lots of personal information.

If you’re breached, you are bound by law to inform affected individuals (candidates) and the ICO. From there, the governing body, which has the power to fine up to £8.7 million or 2% of the previous year’s turnover (whichever is higher), will investigate and look for evidence that the reasonable steps you are obligated to take were upheld. We’ve also seen examples where affected candidates pursued compensation claims through law firms.

So it would be up to you, the responsible director, to provide evidence on both fronts of the reasonable steps taken.

“We have an IT company that handles that...”

If delegating externally, the cracks often quickly start to show. 

Unless explicitly made clear, IT vendors would only ever manage the aspects of technology that they are directly responsible for. Even if they wanted to do more, they would have neither the permission nor the ability to do anything about it.

For example, while your IT company might manage laptops, they might not manage smartphones (which might access email) and rarely corporate websites (which often process CVs), key business applications (which usually store CVs) and a bunch of other things too. Even things which don’t directly store or process personal data can be used as a gateway for a cybercriminal to get from one place to another.

So, while an external vendor will manage their areas, there will still be gaps in your organisation’s provision unless that vendor is explicitly responsible for reviewing risks holistically. Usually, they aren’t. Further, as risk is judgement-based, there would need to be a clear procedure for whether developing risks should be accepted or mitigated. Without that cherry on top, you would have nothing to demonstrate if ever investigated.

“Oh, but our IT Manager does that...”

On the other hand, many have designated technical personnel in-house that operate below board level.

While they will probably have a broader direct responsibility than an external vendor, it is rarely complete – it only takes one employee using an application without their knowledge for the cracks to show.

That said, in our experience, in-house teams usually get too caught up in day-to-day service provision to dedicate the necessary resource to periodic cyber risk assessments. Sometimes it isn’t even in their actual job descriptions; it is just assumed. Even when it is, it’s rarely clear enough for them to be assumed to hold full responsibility.

Again, it comes down to the simple fact that risk is judgement-based and that directors have the ultimate responsibility. So, without a clear decision-making process in place, it is the director once again who is left exposed.

The simple solution

Given the grey areas and associated risks, it is interesting that some directors continue to fully delegate cyber security. Especially so when you consider how simple the solution is.

The simplest flip side to the scenarios outlined above is for someone technical – internal or external – to annually audit the agency’s threat posture and put together a small health report, which is then reviewed in conjunction with a director. Together, decisions are made to accept or remediate risk. 

The most interesting part is this: even if all risks are accepted, directors are in a much stronger position as they have evidence that they took steps.

If you too would like to take a more hands-on approach by reviewing a simple but clear framework once a year, Atlas Cloud offers Cyber Security MOTs for this exact reason. For just £80, our in-house cyber security expert gives your agency the once-over and provides a health report with advisories clearly listed. Just like a car MOT. For the risk-conscious, there are optional service packages on top of this.

Like parts wearing on a car, IT systems develop security risks over time.

In both instances, annual inspection helps steer clear of future breakdowns.

Atlas Cloud’s 12-point Cyber Security MOT will check your agency’s roadworthiness and rubber-stamp business continuity for the road ahead.

About The Author

Ben is passionate about technology that enables people to work more productively and collaboratively from anywhere in the world. He’s a karaoke king and an avid explorer, despite the fact that every holiday he takes seems to end in disaster.
