Recruiters urged to revamp cyber security to prevent employee password leaks
Over three-quarters of recruitment firms have at least one employee password leaked into publicly available sources, a new study by IT services company Atlas Cloud has found.
Teaming up with APSCo, Atlas Cloud audited the trade body’s member portfolio for cyber security risks for the second year running. The study looked at breached passwords, phishing protection, web server and domain issues as part of a non-intrusive audit of almost 600 agencies.
Of the 584 firms audited, 76.4% had one or more instances of employee usernames and passwords evident in lists circulating on the Dark Web. This represents a modest increase from 76.1% on exactly the same group of firms when audited at the same time last year. Over half (51.5%) had 10 or more breached passwords, again a modest increase on the year before (50.1%).
Cybercriminals use leaked usernames and passwords to enter corporate IT systems in search of valuable information. In the recruitment industry, that usually means candidate CVs and, for agencies providing temp services, payroll details. Without the right protective factors, 3 in 4 agencies could have open doors to this key information.
Pete Watson, CEO of Atlas Cloud, has some strong advice for recruitment bosses: “We’re all bound by the GDPR [General Data Protection Regulation], which the UK adopted post-Brexit, to protect personal data. Directors often delegate cyber risks, yet are the ones answering the ICO if anything ever happens – we need to break this dichotomy.
“Since our study last year, we’ve had a real-world reminder of what happens when candidate information unlawfully gets into the wrong hands. Costs spiral the moment you inform affected candidates, as you’re duly bound to do. From direct costs like candidate compensation claims to indirect costs like clients, candidates – eventually – consultants preferring to work with agencies without tainted reputations.”
The study found more alarming cyber vulnerabilities, Atlas Cloud said. Newly included this year, Atlas Cloud looked for evidence of specialised phishing protection technologies and found that at least 2 in 3 agencies (66%) showed no evidence of this on their mail servers. For the remaining 34%, it was not possible to validate for certain whether phishing protection was in place.
According to official UK statistics, phishing is the number one cause of breach (Cyber Security Breaches Survey, 2023) and has been for many years. Phishing is the industry term for spoofed communications, most commonly email, that trick unsuspecting employees into actions such as making financial transactions. It costs firms thousands each year. To stop this, experts recommend phishing protection that bolts on to popular email systems like Microsoft 365 and Google Workspace.
The study this year also found positive examples of the industry fortifying cyber defences.
DMARC, a key protective factor that stops criminals from hijacking corporate domains, has now been implemented by 2 in 3 (66.7%) recruitment agencies. This represents a significant step from less than 1 in 4 (24%) of the same firms at the same time last year.
Elsewhere in the research, 9 in every 10 agencies (89.7%) were found to have website vulnerabilities, down from 97.4% in the previous year. In recruitment, corporate websites are often responsible for processing candidate CVs, which contain valuable personally identifiable information. In most instances, vulnerabilities like this can be eliminated simply by updating website backends like WordPress to the latest versions.