Three Steps to Lower Your Cybersecurity Risk in the Staffing Industry


by UHY LLP

The staffing industry collects some of the data most important to threat actors: personally identifiable information (PII). Additionally, staffing firms work in some of the most cyber-attacked industries. With these factors in mind, it is increasingly important to ensure that staffing firms are taking steps to protect not only their data, but also the data of their clients and placements.

According to the 2022 Verizon Data Breach Investigations Report, approximately 78% of action vectors during a breach were through web applications or email. As these two services are typically heavily used within the staffing industry, we start to see the additional risks that are present.

So, what should a staffing firm do to try to lower these risks? Here are three steps you can put into practice to get started.

Step 1: Multi Factor Authentication (MFA)

One of the keys to lowering your firm’s risk factor is protecting your credentials, and MFA has been shown to make it more difficult for a threat actor to gain access to information systems, even if passwords are compromised. MFA is a layered approach to securing your online accounts and the associated data. When using MFA, you must provide a combination of two or more authenticators to verify your identity before the service grants you access.

There are three categories of MFA currently in use, from weakest to strongest:

  • SMS or Voice
  • App-based
  • Phishing-resistant

However, even implementing the weakest MFA category (SMS or Voice) still makes it more difficult for threat actors, in that they now must have two separate authenticators instead of one.

Step 2: SaaS Vendor Management

Many staffing firms rely on Software as a Service (SaaS) to assist in their day-to-day operations. The ease of purchasing SaaS products can make it challenging to manage the growing number of vendors and, more importantly, the number of vendors with your data. Some considerations for your SaaS vendor management should include:

  • Are the necessary security considerations in place in the contract to reflect the staffing firm’s security requirements and/or customer’s requirements?
  • Does your staffing firm understand the controls that must be in place to ensure the SaaS application is implemented as designed (such as access controls of user accounts, etc.)?
  • Does your staffing firm understand what data is being provided to the SaaS application, how long it is retained, whether it can be deleted, how data disposal is verified, and whether data can be extracted if moving to a new application?

Implementing a SaaS vendor management program can assist in ensuring that your staffing firm has a process to review and monitor these vendors and lower your data leakage risks.

Step 3: Security Assessment

Gaining an understanding of the risks, threats, vulnerabilities, and controls of your staffing firm provides the necessary information to make an informed decision about how to strengthen your cybersecurity posture. A security assessment can be based on several different frameworks; however, key areas of consideration in the assessment should include:

  • Inventory of software, hardware, and vendors
  • Risk management
  • Access controls
  • Security awareness training
  • Detection and response
  • Recover and respond

In reviewing these areas, the security assessment should provide you with the strengths and weaknesses of your environment. Using this information, you can build a roadmap of projects that can continue to target and lower specific risks.

While there are several threats and risks to staffing firms, and at times it can seem overwhelming where to start, addressing these three areas is a great way to begin to increase your security posture.
