Does your HR department protect Candidate Data?

A hand places the last piece in a human resources puzzle.
Tadamichi / Getty Images

Let’s face it – data is a gold mine. Whether it’s credit card information, login credentials or a list of names with email addresses, all data must be treated equally. However, this isn’t always the case.

One valuable piece of data that is regularly overlooked is candidate data – the personal information received by the HR departments in the form of resumes, cover letters and university transcripts.

Consider for a moment the amount of sensitive data contained in a candidate’s resume – their entire work history, mobile phone number, email address, or even their home address. This is a jackpot for cyber criminals who can use this information to execute highly targeted attacks.

Therefore, each time a candidate applies for a role, they unintentionally expose themselves by giving their data to unknown corporate figures, to companies they aren’t familiar with or to potentially unsecure email addresses. A candidate’s data could then remain in an employer’s inbox, on a desktop or in a company database, and be potentially vulnerable to a cyber-attack years after they’ve sent it.

The concerning part is that a HR department will typically receive anywhere between 50 – 150 applications per role, dependant on the size of the organisation. This means that companies are storing thousands of candidate records and are most likely unaware of the risk this poses.

With the start of the year being the busiest time for the job market across Australia, what can companies do to protect candidate data?

Spreading awareness of Candidate Data

Awareness for cyber security continues to be a common shortcoming for most organisations. According to research, globally only 57% of Chief Human Resource Officers reported rolling out employee training that addresses cyber security awareness in the workplace, which means employees are unaware of how to properly manage data.

Take the typical hiring process as an example – a job description is posted online, resumes are received, applicants are shortlisted, interviews are conducted, then a position is offered to the most suitable candidate.

Lack of awareness or a lack of data security policies means the sensitive information collected in the early stage of the hiring process could be stored inefficiently by HR departments and forgotten once a candidate is selected.

Therefore, HR departments, as well as those higher up the decision-making chain, should be educated on how to securely manage and store the candidate data that’s received for the role and manage it responsibly once the hiring process is complete.

A Protected Candidate Experience

Data security should be an essential factor in the modern candidate journey and an important consideration for HR & Talent teams. It is also just as important for a candidate to be aware of the risks of sharing data with a company.

One way to ensure this is to employ an external talent system to manage the application process. An external system, such as Australian company LiveHire, gives the candidate full control of their profile data and their relationship with potential employers. As the candidate owns their data, it’s entirely their decision on how it’s shared and stored.

Data also doesn’t leave the platform, which minimises the risk of candidate data being mismanaged by the HR department and impacted by external threats.

Internal policy management

Compared to having resumes saved across email inboxes or across internal databases, storing sensitive data on a secure platform makes it simpler to manage risk and compliance.

However, it isn’t enough to rely on external providers. It’s still important to assess internal policies to ensure data is being secured and properly managed. This could be as simple as designing a policy for how candidate data is treated once the hiring process is finalised. For example, that could be storing all records on one single database and deleting the information a month after the position has been accepted.

It’s also important for organisations to stay up-to-date with  industry security standards. Companies can execute a gap analysis to assess which parts of the business is not managing data correctly.

Broader Data Management Strategy

Looking at how candidate data is managed should be part of a broader data management and security strategy. Cloud-based applications are increasingly the default location for many organisations’ critical business functions. From a security perspective, the concept of securing an organisational perimeter has largely evaporated. Sensitive data is now typically distributed across a variety of systems, including cloud-based CRMs, HR systems, accounting systems and general document storage systems. Part of the appeal is that access to these systems can be facilitated from anywhere, with any device. For smaller organisations especially, the security capability of dedicated cloud-based application providers may be far greater than what can be delivered on-premise. Of course, the capability of each vendor should not be assumed to be sufficient for an organisation’s needs and carrying out vendor security capability audits is part of any mature approach to utilising cloud-based applications.

Having a clear policy and process for identifying and categorising data according to the risks and responsibilities associated with it is a critical first step to keeping data secure. However, there is little point in using specialised systems such as LiveHire to keep sensitive data under control if access to those systems are not well governed. Managing access to various systems, whether cloud-based applications or on-premise systems, following principles of user authentication and least-privilege, helps to ensure that the benefits of data control are actually realised.

Actively monitoring access and dataflows between applications reinforces data security policies and processes. Cloud Access Security Brokers (CASB) such as Netskope help organisations govern access and usage of cloud applications to ensure that data is not inadvertently (or deliberately) exposed through inappropriate movement of data from one platform to another (e.g. extraction of candidate or customer information to a third-party site).

Ongoing education for all users is key to creating a proactive and informed security culture within each part of the organisation, instead of allowing people to assume that either an external vendor or the internal IT team will just “take care of it”.


Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies