Staffing companies are perfect candidates for a cyberattack due to their repository of sensitive personal information. This has become evident by the frequency of cyberattacks on this sector. Recent examples include:

• A Massachusetts-based staffing company was impacted by a data breach when an unauthorized party gained access to their data containing names, Social Security numbers, and financial account information.
• Another staffing company headquartered in Illinois was the victim of a ransomware attack as well as a compromise of their data containing names, addresses, birthdates, and Social Security numbers.

In addition to having to defend against the conventional cybersecurity risks that plague every business, staffing companies must deal with an additional threat specific to their industry: the steady flow of email communications from prospective candidates and clients. These messages will often include email attachments containing resumes or job orders, many of which will originate from unknown senders. Each of these attached documents poses a risk, as Microsoft Word and Adobe PDF documents can be weaponized into the digital equivalent of a Trojan Horse. Outwardly, the files appear benign, but they can potentially house sophisticated malware capable of inflicting catastrophic damage.

Staffing firms that are dependent upon the receipt of copious email attachments should consider adopting a cybersecurity strategy involving multiple layers of defense. Companies should implement a secure email gateway such as Mimecast or Proofpoint to act as the first line of defense, as these gateways will examine and filter emails before they arrive in a user’s inbox. From there, ensure that any system receiving these emails has strong endpoint security enabled to counteract any infected documents that made it past the secure email gateway. Finally, companies should make sure they have a robust cybersecurity awareness program, since even the most effective technological defenses can be circumnavigated by social engineering attacks such as spear phishing. The training from the program will help establish an effective human firewall to help thwart these tactics.

In addition to bolstering defenses against email attacks, there are additional proactive measures that staffing companies can take to help mitigate the chance of an attack. While defensive efforts such as endpoint protection, multi-factor authentication, and strong logical security are necessary staples of a cybersecurity strategy, tactical proactive actions can strengthen a company’s ability to defend their data. The following preemptive measures are examples of what a business can do to fortify their ability to avoid attack and increase their chances of remaining safe and secure.

• Cybersecurity Risk Assessments
  • If you don’t know what data and assets you have or how well they are being defended, it is virtually impossible to protect your business from cyberattacks. Completing a cybersecurity risk assessment will help you identify your most critical systems and data, recognize and prioritize gaps, and build a roadmap to a safer and more secure environment.
• Security Awareness Training
  • Since the genesis of over 91% of data breaches is a spear phishing attack, it is imperative to train employees to identify and avoid this threat. Every employee, including those being newly onboarded, should be provided with the training needed to recognize and avoid these attacks.
• Spear Phishing Simulations
  • Once you have established a cybersecurity awareness training program, it’s critically important to then incorporate a “trust but verify” approach. The best verification method to ensure all employees can identify spear phishing emails is to simulate these types of attacks. These simulations will reinforce the training concepts and identify employees that need additional guidance.
• Penetration Testing
  • A misconfigured network device or missing security patch can open the door for cybercriminals to enter your business. Conduct penetration testing and vulnerability assessments on a regular basis to identify and address any vulnerabilities before an actual attacker can leverage them.

To help sharpen your staffing company’s proactive cybersecurity strategy, consider setting up a meeting to discuss how Citrin Cooperman can help your business by reaching out to Kevin Ricci at kricci@citrincooperman.com.