How safe is your personal information on recruitment websites?

It seems as though we’re constantly being bombarded by media reports of major security breaches all over the internet. So it was last week when the largest web recruiter, Monster.com, was compromised, leading to the personal details of hundreds of thousands of candidates being captured and subsequently used for phishing attacks (see the Symantec Blog for full details). Monster.com was compromised on two fronts. Firstly, some employer account login credentials were captured. Secondly, the site gave all employers open access to full candidate information, making it simple for the intruders to get hold of candidates’ details once they had the employers’ logon details.

We spoke with Igor Drokov, CEO of security company Cronto, to find out what candidates and employers should do to protect themselves from these and future threats.

J4Q: Who should be responsible for safeguarding personal data on the internet, is it the individual or organisations?

Igor: As pointed out by the recent report on Personal Internet Security, placing responsibility for personal Internet security with the individual is “no longer realistic” and instead organisations providing Internet services should take the lead. Unfortunately, many service providers online and offline rely on what could be described as an “identification circus” - using weak personal details (e.g. mother’s maiden name, date of birth) for verifying an individual’s identity. These businesses expose themselves and their users to potential identity theft and should, ideally, abandon such practices. In the meantime, however, the only way for users to reduce these risks is to limit publicly available personal information and choose providers that implement better privacy policies.

Most users probably wouldn’t be happy if they saw a bus carrying a poster with their address, phone number, date of birth, favourite colour etc., yet this is the exact type of information available on many public web sites such as Facebook. Even when some details are already accessible from other sources (e.g. the Electoral Register), why make it easier for fraudsters by making all of them available from a single place?

J4Q: But in some cases, for example recruitment, individuals have to expose their personal details. What should we expect from organisations who are charged with holding this information?

Igor: In the case of a valid need for your personal details, e.g. a recruitment service, a user can evaluate the measures implemented by the service provider to protect their data. This does not have to be technical, but rather policy-driven: who can access the information you provide, how they gain this access, does a user have any control over the way their information is accessed?

At the same time, businesses should be evaluating their practices and having a clear, accessible way of communicating them to the users. With personal internet security being a focus of legislators, failing to implement adequate controls could result in high fines, as was demonstrated by the recent £980,000 fine of the Nationwide Building Society (for losing a laptop with details of nearly 11 million customers).

Here at Just4Qualifieds we have always believed in securing the confidentiality of our candidates and have employed a very strict privacy policy. We ensure that candidate contact information is only made available to employers when the candidate has made an application or when the candidate has agreed that this information can be displayed. This gives candidates true control over who will see their personal details, making attacks like that on Monster.com much harder to perpetrate.
