Five ways to keep your agency cyber safe

By Andy Ralph   November 29, 2019  

Today is Computer Security Day (isn’t there a day for everything!), but we think this one is an important day to mark. Computer security is a hugely important issue for all businesses, but especially for recruiters. Yet so many people don’t understand what their responsibilities are, often because the tech industry makes things sound so complicated that recruiters just don’t know where to start.

We’ve pulled together this simple blog post to break down some of the steps that you need to take to keep your recruitment business cyber-safe.

Have a policy for strong passwords

How many of you have one password for everything in your recruitment agency? It’s tempting, but using the same password across multiple platforms increases the chance of it being hacked. A few tips to implement straight away:

- Use password management software to keep track of your passwords. There are many free password managers available, such as LastPass, Dashlane, Keeper Security, RoboForm, KeePass and Sticky Password to name a few, but there are loads of options available.
- Make sure your passwords are strong: a mixture of upper and lower case, digits and symbols. Did you know that 123456 and password have been the most popular passwords for years?

Make sure your tech is safe

- Make sure you update your spyware and malware protection and ensure that it covers all devices including PCs, laptops, smartphones and tablets.

Weak security around your Wi-Fi and using cloud-based services with weak passwords will all put your recruitment agency in a vulnerable position.

Hire a cybersecurity expert

Tech is complicated. It’s not everybody’s strong point, which is why we’d advise you to bring in a specialist to help you. At Reverse Delta, we use a combination of specialist penetration testing companies and our own security experts, and they carry out cyber-security risk assessments for us because we host an incredible 650 gigabytes of data on behalf of our recruitment clients. You might want to take a read of this article from the Recruitment and Employment Confederation to understand the difference between cyber-security and IT support.

Make sure you’re GDPR compliant

We know GDPR is a distant memory, but keeping candidate and client data safe is fundamentally important to us and it should be to you too! We have built best-practice data security and encryption into our FXRecruiter platform (which all of our recruitment industry websites are built on) so that clients and candidates can opt in and out of communications and unsubscribe should they want to. Protecting people’s personal data is critical for any recruitment agency, and demonstrating that you take this seriously will make sure you don’t fall foul of the ICO and, more importantly, build trust with your clients and candidates. One of the CRM systems that FXRecruiter integrates with, Access Group, has written this blog post about how recruitment agencies can avoid a GDPR disaster.

Implement your updates!

Make sure you are on an up-to-date operating system: hackers are learning increasingly sophisticated ways to breach security, and an out-of-date system can’t protect you against them. When a security update does come out, it’s probably because a threat has been identified, so implement it as soon as you can! At Reverse Delta, we use Linux to host client websites and Windows 10 in our offices, and we always ensure these are up to date with all patches and updates.

And don’t forget to update FXRecruiter. We keep the platform updated regularly to make sure we’re keeping it safe, whether it’s a new version or a monthly security patch. So if we ask you to update the platform, there’s a really important reason why you should do it!

If you want to find out more about FXRecruiter and the commitment Reverse Delta makes to keeping your website safe, please contact sales@reversedelta.com or call UK toll free +44 (0)8000 199 737 or, for calling from elsewhere, +44 (0)203 682 9533.

Moving targets and browser security

By Steve Riley   November 6, 2017  
A recent support call had a puzzled client with a mysterious bit of lost functionality on their website. We quickly narrowed it down to their browser and a tightening of the rules attached to third-party plug-ins. This particular site used a natty set of share buttons that readers could use to share the client's blog posts to their own network. So far so good. And from a marketing and SEO perspective the sentiment is bang on: if you've got good content on your site, make it easy to share and gain the incoming 'Googlejuice'.

Can't we just write it ourselves?

The easy answer for web developers is to control the turf and not implement third-party scripts. Easy, but not helpful or practical. We live in a connected ecosystem of complex, interlinked technologies. If we have a choice between (simply) developing our own code and using something off the shelf, we'll build our own. But it doesn't make commercial sense to continually reinvent the wheel in search of purism, so like everyone else we use plug-ins.

Moving targets

Every now and then we get tripped up by the browsers. This latest problem was caused by a change in the rules Chrome and Firefox use to block tracking scripts. It's good for end users to have control, but it's bad that they have to become 'apprentice geeks' to understand what their web browser is doing. In this case it was stopping those useful buttons working. A similar thing happened earlier in the year when the browsers started issuing warnings for regular HTTP websites collecting data. We strongly suggest websites should be upgraded to HTTPS (SSL), but it's another example of having to respond to the changing security landscape.

What does this mean for my website?

All this is a roundabout way of saying "some things aren't predictable until they've happened!" But when they do happen we try to fix things as quickly as we can. Even if we didn't break it.

Resources

Technical notes from the browser makers:
Chrome: https://support.google.com/chrome/answer/2790761?co=GENIE.Platform%3DDesktop&hl=en
Firefox: https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection

Photo by David Paschke on Unsplash

Should my site use HTTPS?

By Steve Riley   January 16, 2017  
Apologies for a more technical post this time (we're web geeks after all!). In this post we'll be looking at the type of server your website sits on. Around 25% of the top 100 websites use the HTTPS protocol and this figure is only ever going to grow. The HTTPS protocol is considered essential for ecommerce and other sites sharing personal information. It gives a layer of security over and above the more common HTTP protocol. For the latest version of our own Reverse Delta site, launched recently, HTTPS was a key criterion in the design.

What does it mean in practice?

The extra security layer means data is transmitted in encrypted form across the internet, making it unintelligible to anyone that might want to intercept it. A non-issue, you might think, for information that is by definition public: your website is in plain view for anyone to see, after all. You want it to be seen. Where it becomes more important is where you're transmitting more sensitive data across the web, such as contact form submissions. Some of our clients use online reference forms; that information definitely needs encrypting. Our recruitment websites all feature candidate logins and personal dashboards, so this is a strong pointer towards adding the security layer. It looks like the Chrome browser will start adding a warning flag for non-HTTPS sites asking for a login, which may ring alarm bells for candidates. [Update: these warnings are now being shown and are causing a gradual erosion of confidence from site visitors.]

Will it help with search?

It is likely that moving to HTTPS will give you a small but noticeable SEO boost, certainly with Google... and Google is almost synonymous with search for most of us. This SEO effect will become more significant in the future. Not so much that you'll gain bonus points for using HTTPS, but rather that the more common HTTP protocol is likely to be gradually marked down. Which largely amounts to the same thing. There's an analogy here with the way mobile-friendly sites are now identified as more attractive by Google. Nowadays, it's a given that your site should be mobile-friendly. We see use of the HTTPS protocol going the same way in the future.

How do I do it?

We don't expect you to do all this yourself, but this is the process in outline:

- Purchase and install an SSL certificate at the hosting end
- Create a dedicated IP address at the server for your site
- Change the DNS settings in your domain control panel
- Ask us to put the site behind HTTPS

It's not super-technical but does need co-ordinating carefully to avoid downtime. Let us know if we can help.

“Shellshock” security flaw could be the next big IT security story

By Andy Ralph   September 26, 2014  
A new vulnerability, "Shellshock", has been discovered in a component of the Linux operating system. The vulnerability in "Bash" (which is similar to the Windows command prompt) could prove serious, both to websites and to a variety of other internet-enabled devices. Because of the range of devices affected, both new and old, this could prove more serious than the recent Heartbleed bug. And this flaw has already started to get into the news: see http://www.bbc.co.uk/news/technology-29361794

At Reverse Delta, we continually monitor the common attacks, both the hacks that make the news and those that don't. The Reverse Delta servers are patched and protected. We hope that the consequences will not be as wide-ranging as some experts predict, but rest assured that we continue to treat security very seriously.

Heartbleed – which passwords to change

By Andy Ralph   April 14, 2014  
It's a sign of the times when a major security vulnerability gets its own logo almost instantly. It's like a new celebrity has hit the scene and we all somehow get to see this 'brand', albeit a sinister one, appearing left, right, and centre. But the 'noise' around it seems to add to the confusion. Lots of people are offering advice on which passwords you should change following the Heartbleed vulnerability reported by my colleague Andy Ralph last week (no vulnerabilities on our servers, we hasten to add). It's important that you understand you don't need to change all passwords, but it is healthy to do that regularly anyway. Here's a mini roundup, in no particular order:

- Mashable: The Heartbleed Hit List: The Passwords You Need to Change Right Now (my fave!)
- Time: Heartbleed Bug: Here Are the Passwords You Should Change
- Telegraph: Heartbleed bug: which passwords should you change?

... and whilst I'm at it, here's some good advice on choosing decent passwords. It's important!

“Zero-Day” exploit affects IE users

By Dave Haygarth   September 19, 2013  
Anyone who is using Internet Explorer (especially IE8 and IE9) needs to be aware of a "zero day" exploit that is "in the wild" and affecting users, downloading malicious code to their machines automatically. The episode has prompted the first Microsoft emergency fix-it patch for many months. Along with the patch, there are also several pieces of advice or settings that users should use as a matter of course to protect themselves against the rising tide of hackers and exploits. These include not using a user account with Administrator rights on your PC for day-to-day activities, and ensuring that you have an up-to-date virus scanner installed. There are many articles on the subject out there, including http://www.bbc.co.uk/news/technology-24142934.

WordPress continues to be a popular target for hackers

By Dave Haygarth   April 16, 2013  
Let me get this straight... I love WordPress. I really think it's the best all-round CMS, and so does the world, it seems. Statistics show it to power anything between 15 and 25% of the world's websites and that's not going away. But with that popularity comes a small problem: any vulnerability becomes an easy target for hackers. The latest attempts at exploitation reported by the BBC today are worrying. I feel some of the larger botnet attacks on the world's websites will soon be dwarfed by some really huge, off-the-scale ones, so hackers will exploit any vulnerabilities in popular software, and WordPress is certainly popular. But perhaps the most worrying thing about this is that it's fundamentally down to crackable passwords. By repeatedly hammering the username 'admin' with thousands upon thousands of password combinations, a bot will eventually crack its way in. By using the standard username 'admin', you may well be putting not only your site, but thousands of others at risk. Change it!
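The hammering described above shows up in an ordinary web server access log as a burst of login POSTs from one address. As an added detection example (not Reverse Delta's code and not from the BBC report), here is a small Python scan over constructed combined-format log lines; the failure threshold and time window are assumed values, and the signal relied on is that WordPress answers a wrong password with HTTP 200 (the form is re-rendered) and a correct one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.2 - - [16/Apr/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [16/Apr/2013:10:01:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_login_times(log_text):
    """Map client IP -> sorted timestamps of POSTs to wp-login.php answered with 200.
    WordPress re-renders the form (200) on a wrong password and redirects (302)
    on success, so a 200 to a login POST is counted as a failure."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate odd lines instead of aborting the scan
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in hits.items()}


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return IPs with at least `threshold` failures inside any sliding `window`.
    Threshold and window are assumed values; tune them to the site's real traffic."""
    flagged = []
    for ip, times in failed_login_times(log_text).items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged
```

Feed a real access log through brute_force_sources and the flagged addresses are candidates for rate limiting or blocking at the web server; the POST body (and so the username tried) is not in the access log, which is why the burst itself is the signal.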

20 Most Common Passwords (to avoid!)

By Dave Bancroft   July 18, 2012  
Figures from a survey by ZoneAlarm show the 20 most common passwords we choose when setting up accounts, with the most common being 123456 and 5 of the 20 being first names! The survey also showed that the majority of people pick a 6-digit password and only a third of users pick a password over 8 characters! For more information and all the statistics from this survey, see the graphic at the following link: better and more secure passwords.

Lost internet connections a reality for some 300,000 people

By Dave Haygarth   July 9, 2012  
Today, the FBI will shut down a number of internet servers, which may cause 300,000 people to lose their ability to connect to the internet. The servers in question are DNS servers, which act like an address book for the internet, telling computers where to find the sites that users are looking for. These servers were being controlled by a criminal gang and misdirecting internet connections, netting the cyber-criminals money for doing so. This was achieved using "malware" (malicious programmes) downloaded by unsuspecting users, which changed their internet settings to use the rogue DNS servers rather than normal DNS servers. The rogue servers were seized by the FBI and altered to run 'correctly' so that people could have time to repair the damage to their PCs before the servers were disconnected, as this malware is still on people's machines and still trying to use the rogue servers. The date for this disconnection is today. More details on the story, and links to a tool to check if you are infected, are here.

The LinkedIn breach: Take action to limit any damage

By Dave Bancroft   June 7, 2012  
LinkedIn's recent security breach caused a bit of a stir, as these things tend to do. It's a very popular networking site and in simple terms the sheer volume of personal data accessible is enough to cause alarm bells. Here's what you need to do if you haven't done so already, and a few simple things to remember:

- Change your LinkedIn password IMMEDIATELY. Hover over your name in the top right of LinkedIn and a drop-down box will allow you to select "Settings". LinkedIn will ask for your password. Enter your current password to confirm you're who you say you are (!!!) and then scroll down to the bottom. Select Account and under "Email & Password" select "Change password".
- Don’t try to make your password too memorable. It's tempting, but eventually it will come back to haunt you in the next hacking. Make each password unique, and if you want to make it memorable then use a combination of punctuation marks, letters and numbers that can really only be memorable to you.
- Do not use the same password on any site that you use on any other site. If you have a Hotmail account or Google Mail account that uses the same password as your (now hacked) LinkedIn one, guess where the hackers are going to try to log in next...! Change that one too.

Want a supercharged WordPress Site?

By Dave Bancroft   February 14, 2012  
Just be careful what you wish for. It appears that a plug-in called ToolsPack, which claims to "Supercharge your WordPress site with powerful features...", is actually a back door that allows hackers to run any command they want on your site. The plug-in has recently been appearing in sites that have been hacked in other ways, hiding in plain sight as a plug-in, hoping users will ignore it as genuine and therefore allowing full access to your site data at any time. If you see this plug-in installed in your site, uninstall it and then do all the usual review of your site to find any weaknesses. Further information can be found here, or from your nearest friendly developer!