Back in 2008 and 2009 – a very long time ago, I realize – Monster had two data breaches. Roughly 2 million Monster users had their data exposed. The incidents received widespread exposure at the time, accompanied by lots of tut-tutting and calls for greater security measures.
Fast forward to now. Ladders (yes, formerly TheLadders) exposed 13.7 million user records; each record included names, email addresses and employment histories, such as their employer and job title. A few weeks later, Stack Overflow said that an unknown number of their user records were exposed.
Who’s next? It’s a problem that won’t go away – and probably keeps many in our industry up at night. After all, who wants their next big blast of publicity to come in the form of bad news about user privacy and data security?
Well, as you may already know, the most important step in dealing with a problem is recognizing that you in fact have a problem. How secure is your user data? If you don’t know, you most likely have a problem. So step one in preventing what should be a preventable nightmare is conducting a thorough audit of your user data security: what you store, where you store it, how you store it, and how you monitor its protection from anyone (or thing) that may be trying to access it.
A caution: I am not a security professional! But I am somewhat paranoid when it comes to system security and redundancy. A little paranoia is useful when thinking about your users’ data security, to be honest. So too is the assistance of a professional – so I would encourage you to seek out someone who specializes in digital security. Also, don’t forget that physical security is also important – if you have physical files, they should be secure. Same goes for files that can ‘travel’ via employee laptops, etc.
Back to the user data, though: first, look at your website security. Again, it’s useful to have experts who do this day-in and day-out take a look, if only to alert you to newly evolved threats. The world of hacking is not static, which means your website’s security must be constantly renewed and updated. Of course, this goes for any other paths to intrusion you may have, such as a mobile app, an invoicing system, and so on. How often should you examine the site security? Well, follow your expert’s advice – and don’t forget about the impact on your business of being down – and inaccessible – for even one day. I’ve been there – and it hurts.
Next, most security pros would say that you should be encrypting all user data that contains personally identifiable information – and then host this data on a dedicated server (which of course should be protected as well). The average job board collects tons of candidate data – and a good bit of it could be useful to a hacker. You owe it to your candidates to protect it – and if you don’t, they’ll go elsewhere. Test your system on a regular basis!
Finally, you should have a disaster plan in place for what you will do if a breach occurs. How can you ‘lock down’ any additional breaches? What is your approach to finding and isolating the breach? What will you communicate to your customers (both employers and candidates)? You don’t want to end up as a punch line on the Chad & Cheese Show (as Ladders did)!
Anyway, food for thought – and something to think about during your next sleepless night.[Want to get Job Board Doctor posts via email? Subscribe here.]