Is your recruitment website leaving your data open for criminals?

Why would a recruitment agency be a target for cybercrime?

Cyber criminals love personal data and online systems, which places recruitment agencies firmly in the crosshairs. The personal data being held is a treasure trove for criminals, with copies of passports, visa details and employment contracts all being sellable secrets.


43% of cyber-attacks are targeted at small businesses (Small Business Trends)


Websites are essential to recruitment, providing a digital shop window to current and prospective clients. They may also provide a portal for workers and clients, whether for online timesheets or for advertising a new role. Having a single place for people to interact with your business makes things easy, but if there is a misconfiguration you could be leaving your sensitive data open to a criminal.


Common website cyber threats

  1. Weak passwords so criminals just log in to your systems – no technical experience required but easy to fix from your point of view

  2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.

  3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!

  4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.

  5. Your website has insecure direct object references – this is an access control implementation mistake: the site trusts an identifier supplied by the user (such as a record number in a web address) without checking that the user is allowed to see that record, so the intended access controls are circumvented and a criminal can access someone else’s data.
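As an added illustration (this is not code from the ECRC article), here is how threats 3 and 5 in the list above look in a small Python example of a timesheet lookup on a worker portal. The database schema, the sample rows and the function names are all assumed for the example. The vulnerable version pastes the request value straight into the SQL statement and never asks who is making the request; the hardened version validates the value, sends it to the database as a parameter rather than as SQL text, and includes the logged-in candidate's own id in the query so a worker can only ever see their own timesheets.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory 'recruitment portal' database.

    The schema and rows are assumed for this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, passport_no TEXT)"
    )
    conn.execute(
        "CREATE TABLE timesheets (id INTEGER PRIMARY KEY, candidate_id INTEGER, "
        "week TEXT, hours REAL)"
    )
    conn.executemany(
        "INSERT INTO candidates VALUES (?, ?, ?)",
        [(1, "Alice", "P-0001"), (2, "Bob", "P-0002")],
    )
    conn.executemany(
        "INSERT INTO timesheets VALUES (?, ?, ?, ?)",
        [(10, 1, "2024-W01", 37.5), (11, 2, "2024-W01", 40.0)],
    )
    return conn


def lookup_timesheet_vulnerable(conn, timesheet_id_from_request):
    """Threat 3 (SQL injection): the request value becomes part of the SQL text.

    Threat 5 (insecure direct object reference): nothing checks that the
    caller owns the timesheet they asked for.
    """
    sql = (
        "SELECT id, candidate_id, week, hours FROM timesheets "
        f"WHERE id = {timesheet_id_from_request}"
    )
    return conn.execute(sql).fetchall()


def lookup_timesheet_hardened(conn, timesheet_id_from_request, logged_in_candidate_id):
    """Parameterised query plus an ownership check in the WHERE clause."""
    # Reject anything that is not a plain whole number before it gets near SQL.
    try:
        timesheet_id = int(timesheet_id_from_request)
    except (TypeError, ValueError):
        return []
    # The '?' placeholders mean the driver sends the values separately from the
    # SQL text, so they can never be interpreted as SQL (fixes threat 3).
    # Filtering on the logged-in candidate's id means the database itself
    # refuses to return someone else's record (fixes threat 5).
    sql = (
        "SELECT id, candidate_id, week, hours FROM timesheets "
        "WHERE id = ? AND candidate_id = ?"
    )
    return conn.execute(sql, (timesheet_id, logged_in_candidate_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    alice = 1
    # Alice (candidate 1) asks for Bob's timesheet (id 11).
    print("vulnerable, other person's id:", lookup_timesheet_vulnerable(db, "11"))
    print("hardened, other person's id:  ", lookup_timesheet_hardened(db, "11", alice))
    # The classic injected input returns every row from the vulnerable version.
    print("vulnerable, injected input:    ", lookup_timesheet_vulnerable(db, "1 OR 1=1"))
    print("hardened, injected input:      ", lookup_timesheet_hardened(db, "1 OR 1=1", alice))
```

Run it and compare the two pairs of lines: the vulnerable lookup hands Alice Bob's timesheet and, given the injected input, every timesheet in the table, while the hardened lookup returns an empty result in both cases and only returns a row when Alice asks for her own timesheet. The same two changes, parameters instead of string building and an ownership condition in the query, are what a penetration test of a recruitment portal is checking for.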

Do you know if your website is vulnerable?

The only way to really know is to test your site, but do you really want to know? Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?


Ask yourself these questions:

  • How would your candidates feel if their sensitive data was stolen and sold?

  • How would your clients feel if their confidential data was leaked?

  • Would your customers and clients have expected you to do everything you could to protect their data?

The ECRC offers affordable web application vulnerability assessments. We work with university students who carry out the testing and provide you with a detailed report, explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here.


Is there anything I can do for free?

  • Sign up to the Eastern Cyber Resilience Centre – it’s free and we will give you support and guidance around the areas that you need to consider in every aspect of your business to build your resilience.

  • Get your staff to check their details on haveibeenpwned.com – you can search for your email address and telephone number against data breaches and if your details show up in them you need to change your passwords (everywhere you use the password). Once you have done this implement strong password policies. Passwords should be unique and complex. Watch our short video for more information about this.

  • Enable 2FA on all your important accounts (email, social media, anywhere you have financial information stored) – this will stop a cyber criminal from being able to access your accounts, even if they have your username and password from a data breach. You can find out more about 2FA here.

  • Apply the updates to your applications, systems, and devices.

  • Get some free staff training from either the National Cyber Security Centre or through your local cyber protect officer (contact us and we can refer you).


Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Finally, you may have access to some sort of IT support within your business and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf.




The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.