Delegating cyber security
Thanks to our partnerships with both APSCo and now the REC, Atlas Cloud has performed cyber security audits on over 2,500 UK-based recruitment agencies.
From micro agencies to the big ones, we’ve seen it all. See a sample of our findings.
Having liaised with many agency leaders in this process, the remarkable disparity in how SME agency directors treat the subject has become very apparent. While many take a once-a-year approach to reviewing cyber risks (which is perfectly adequate), many still choose to fully delegate the process – internally or externally – and instead trust someone else.
While that may keep the agency secure – after all, the expert probably knows more about the subject than a non-technical director – it still exposes agency directors more than they probably realise. Allow us to explain.
A reminder of the risks
No doubt you’ll be aware of the GDPR and the UK version that quickly followed post-Brexit.
Reasonable steps must be taken to ensure personal data is secure. As a recruitment business, that means candidate CVs and, if processing payroll, bank details/IDs too. In other words, high-value information with lots of personal information.
So it would be up to you, the responsible director, to provide evidence on both fronts of the reasonable steps taken.
“We have an IT company that handles that...”
If delegating externally, the cracks often quickly start to show.
Unless explicitly agreed otherwise, IT vendors only ever manage the aspects of technology that they are directly responsible for. Even if they wanted to do more, they won’t have permission to do so, nor the ability to do anything about it.
For example, while your IT company might manage laptops, they might not manage smartphones (which might access email), and they rarely manage corporate websites (which often process CVs), key business applications (which usually store CVs) and a bunch of other things too. Even systems that don’t directly store or process personal data can be used as a gateway for a cybercriminal to get from one place to another.
So, while an external vendor will manage their areas, there will still be gaps in your organisation’s provision unless that vendor is explicitly responsible for reviewing risks holistically. Usually, they aren’t. Further, as risk is judgement-based, there would need to be a clear procedure for whether developing risks should be accepted or mitigated. Without that cherry on top, you would have nothing to demonstrate if ever investigated.
“Oh, but our IT Manager does that...”
On the other hand, many have designated technical personnel in-house that operate below board level.
While they will probably have a broader direct responsibility than an external vendor, it is rarely complete – it only takes one employee to begin using an application outside of their knowledge for the cracks to show.
That said, in our experience, in-house teams usually get too caught up in day-to-day service provision to dedicate the necessary resource to periodic cyber risk assessments. Sometimes it isn’t even in their actual job descriptions, it is just assumed; even when it is, it’s rarely clear enough for them to assume full responsibility.
Again, it comes down to the simple fact that risk is judgement-based and that directors have the ultimate responsibility. So, without a clear decision-making process in place, it is the director once again who is left exposed.
The simple solution
Given the grey areas and associated risks, it is interesting that some directors continue to fully delegate cyber security. Especially so when you consider how simple the solution is.
The simplest answer to the scenarios outlined above is for someone technical – internal or external – to audit the agency’s threat posture annually and put together a small health report, which is then reviewed in conjunction with a director. Together, decisions are made to accept or remediate each risk.
The most interesting part is this: even if all risks are accepted, directors are in a much stronger position, as they have evidence that they took steps.
If you too would like to take a more hands-on approach by reviewing a simple but clear framework once a year, Atlas Cloud offers Cyber Security MOTs for this exact reason. For just £80, our in-house cyber security expert gives your agency the once-over and provides a health report with advisories clearly listed. Just like a car MOT. For the risk-conscious, there are optional service packages on top of this.
Like parts wearing on a car, IT systems develop security risks over time.
In both instances, annual inspection helps steer clear of future breakdowns.
Atlas Cloud’s 12-point Cyber Security MOT will check your agency’s roadworthiness and rubber-stamp business continuity for the road ahead.