Archive for the ‘Accountancy Firms’ Category

How safe is your personal information on recruitment websites?

Thursday, August 23rd, 2007

It seems as though we’re constantly being bombarded by media reports of major security breaches all over the internet. So it was last week when the largest web recruiter, Monster.com, was compromised, leading to the personal details of hundreds of thousands of candidates being captured and subsequently used for phishing attacks (see the Symantec Blog for full details). Monster.com was compromised on two fronts. Firstly, some employer account login credentials were captured. Secondly, the site gave all employers open access to full candidate information, making it simple for the intruders to get hold of candidates’ details once they had the employers’ logon details.

We spoke with Igor Drokov, CEO of security company Cronto, to find out what candidates and employers should do to protect themselves from these and future threats.

J4Q: Who should be responsible for safeguarding personal data on the internet, is it the individual or organisations?

Igor: As pointed out by the recent report on Personal Internet Security, placing responsibility for personal Internet security with the individual is “no longer realistic” and instead organisations providing Internet services should take the lead. Unfortunately, many service providers online and offline rely on what could be described as an “identification circus” - using weak personal details (e.g. mother’s maiden name, date of birth) for verifying an individual’s identity. These businesses expose themselves and their users to potential identity theft and should, ideally, abandon such practices. In the meantime, however, the only way for users to reduce these risks is to limit publicly available personal information and choose providers that implement better privacy policies.

Most users probably wouldn’t be happy if they saw a bus carrying a poster with their address, phone number, date of birth, favourite colour etc., yet this is the exact type of information available on many public web sites such as Facebook. Even when some details are already accessible from other sources (e.g. the Electoral Register), why make it easier for fraudsters by making all of them available from a single place?

J4Q: But in some cases, for example recruitment, individuals have to expose their personal details. What should we expect from organisations who are charged with holding this information?

Igor: In the case of a valid need for your personal details, e.g. a recruitment service, a user can evaluate the measures implemented by the service provider to protect their data. This does not have to be technical, but rather policy-driven: who can access the information you provide, how they gain this access, does a user have any control over the way their information is accessed?

At the same time, businesses should be evaluating their practices and having a clear, accessible way of communicating them to the users. With personal internet security being a focus of legislators, failing to implement adequate controls could result in high fines, as was demonstrated by the recent £980,000 fine of the Nationwide Building Society (for losing a laptop with details of nearly 11 million customers).

Here at Just4Qualifieds we have always believed in securing the confidentiality of our candidates and have employed a very strict privacy policy. We ensure that candidate contact information is only made available to employers when the candidate has made an application or when the candidate has agreed that this information can be displayed. This gives candidates true control over who will see their personal details, making attacks like that on Monster.com much harder to perpetrate.

Publish and you may well be damned

Wednesday, June 13th, 2007

It appears that many more accountancy and finance organisations are turning to the web to perform background checks on prospective employees. Gone are the days when employers relied solely on a candidate’s CV to build a profile of the individual. There are now so many publicly available sources of information, each of them accessible through a simple Google search, that employers can easily perform some rudimentary background checks.

See for yourself: just Google your name and see what information is available about you.

With so many people directly or indirectly publishing personal information on the web, whether through web sites, blogs or profiles on social networking sites, there’s a wealth of information available to anyone who needs to find out more about your background.

Much has recently been written about the legitimacy of using the web to profile employees, citing the Mullins case in the US, where it was alleged that a Mr. Mullins lost his job after his employer Googled his name and found that he had been fired from his previous two jobs. In fact, this case rests more on the issue that Mr. Mullins had 102 cases of misconduct rather than what was discovered through Google.

However, this does highlight some important concerns: information about you (whether good or bad) is available on the web; once indexed, this information is often difficult to remove; and, furthermore, employers are starting to use this information to better understand their employees and prospective employees. This becomes very significant for professional services organisations (e.g. accountancy practices, consultancies, legal firms) where their clients could perform similar checks on the consultants/advisors who are assigned to them.

For candidates we advocate a cautionary approach when publishing information on the web. Remember that on the web there are no boundaries between your personal and professional life; so before you add your real name to anything that you publish, be sure to evaluate the impact. The information you publish is likely to be available to all and may be there for a long time. 

For employers there are several factors to consider. Although these checks can provide some quick, basic background information, can you be certain that the information relates to the candidate in question? Names are seldom unique and you could be tracking the wrong person or mixing information about several individuals. Also, if you collate or store information from the web you may be contravening privacy or data protection legislation. 

The trend suggests that sooner or later most accountancy and finance organisations will use the web to check details of prospective employees. So candidates beware of what you publish on the web.