skip to main content

Three Steps to Lower Your Cybersecurity Risk in the Staffing Industry

Three Steps to Lower Your Cybersecurity Risk in the Staffing Industry

The staffing industry obtains some of the most important data for threat actors, personally identifiable information (PII). Additionally, staffing firms work in some of the most targeted industries. With this in mind, it is critical to ensure that staffing firms have a cybersecurity strategy in place and are taking steps to protect not only their data, but data of their clients and placements.

According to the 2022 Verizon Data Breach Investigations Report, approximately 78% of action vectors were through web applications or email during a breach. As these two services are typically heavily used in the staffing industry, we start to see the additional risks that are present.

So, what should a staffing firm do to try to lower these risks? Here are three steps you can put into practice to get started.

Step 1: Multi-Factor Authentication (MFA)

One of the keys to lowering your firm’s risk factor is protecting your credentials, and MFA has been shown to make it more difficult for a threat actor to gain access to information systems, even if passwords are compromised. MFA is a layered approach to securing your online accounts and the associated data. In using MFA, you must provide a combination of two or more authenticators to verify your identity before the service grants you access.

There are three categories of MFA currently in use, from weakest to strongest:

  • SMS or Voice
  • App-based
  • Phishing-resistant

However, even implementing the weakest MFA category (SMS or Voice) still makes it more difficult for threat actors, in that they now must have two separate authenticators instead of one.

Step 2: SaaS Vendor Management

Many staffing firms rely on Software as a Service (SaaS) to assist in their day-to-day operations. The ease of purchase of SaaS product can lead to a challenge in managing the growing number of vendors and more importantly, the number of vendors with your data. Some considerations for your SaaS vendor management should include:

  • Are the necessary security considerations in place in the contract to reflect the staffing firm’s security requirements and/or customer requirements?
  • Does your staffing firm understand the controls that must be in place to ensure the SaaS application is implemented as designed (such as access controls of user accounts, etc.)?
  • Does your staffing firm understand what data is being provided to the SaaS, how long it is retained, can it be deleted, verification of data disposal, and can data be extracted if moving to a new application?

Implementing a SaaS vendor management program can assist in ensuring that your staffing firm has a process to review and monitor these vendors and lower your data leakage risks.

Step 3: Security Assessment

Gaining an understanding of the risks, threats, vulnerabilities, and controls of your staffing firm provides the necessary information to make an informed decision in how to strengthen your cybersecurity posture. A security assessment can be based on several different frameworks; however, key areas of consideration in the assessment should include:

  • Inventory of software, hardware, and vendors
  • Risk management
  • Access controls
  • Security awareness training
  • Detection and response
  • Recover and respond

In reviewing these areas, the security assessment should provide you with the strengths and weaknesses of your environment. Using this information, you can build a roadmap of projects that can continue to target and lower specific risks.

While there are several threats and risks to staffing firms, and at times determining where to start can be overwhelming, addressing these three areas is a great way to begin to increase your security posture.



Have a question?

Fill out the form to speak with one of our staffing industry professionals

Hide Firm Disclaimer


UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.