DATA BREACH: Is Your ATS Putting You at Risk?
August 6, 2019
ATS solutions provide different levels of security. It is crucial that you ask these 6 questions to ensure your candidate and client information is safe.
Blasted all over the news last week was Capital One’s data breach, one of the largest data breaches of all time. A hacker gained access to more than 100 million Capital One customer accounts and credit card applications. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Capital One is a multi-billion-dollar company, yet one single person was able to hack into their data center and breach 100 million customer accounts. Scary, isn’t it?
If Capital One got hacked, is it safe to say that YOUR candidate and client information is as protected as it could be? Although no solution can be 100% secure, it is important to have strong measures in place to guard against a breach. As an employer, you have the ultimate responsibility for making sure the data you house is safe. Have you ever asked your ATS provider how secure your information is? Whether you are looking for a new ATS or are happy with the one you are using, now is the time to ask: how safe is your candidate and client information, really?
Talking about security isn’t necessarily flashy or fun, but at the end of the day, this is one of the most important factors when assessing an ATS. Many people say, “That’s not important to us” or “Too much time is being spent on the topic. We assume our data is safe. That information is for technical people.” The number one mistake when assessing an ATS is assuming your data is safe! NEVER ASSUME. But there is more to security than just being hacked. Is your data located in a secure data center, free of natural disasters? Is your data backed up regularly? Does your data have multiple layers of protection?
Not all ATSs provide the same level of security. It is crucial that you ask these 6 questions to ensure your candidate and client information is protected.
What Tier Level is your Data Center?
Before diving into this question, let’s first talk about what a data center is and the different tiers available because, unless you work in IT, for most people this is a foreign language.
So, what is a data center? Essentially, a data center is a large building used to house servers that process large amounts of mission-critical data. There are 5 data center security rankings, referred to as “Tiers”. A Tier 1 data center is the least secure and Tier 5 is the most secure. A Tier 3 data center has an uptime of approximately 99.982%. A Tier 4 data center has an approximate uptime of 99.995%. Tier 5 data centers are most often used by governments. A Tier 5 data center is required to keep running on a nearby renewable power project. There are two primary factors that contribute to a secure data center:
- Uptime/Availability: the amount of time a server stays up and running without power issues or other problems.
- Redundancy: the number of times a certain component (power, cooling, data storage) is duplicated so there is a backup if it fails.
Tier 3 and Tier 4 data centers are recommended for mission-critical business applications. Data centers below Tier 3 should be used with caution. You never want your cloud operations to be down, but if it happens, you need to ensure that there is a backup plan in place to keep everything running smoothly. The lower the uptime and redundancy, the more at risk you are of losing your data.
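The uptime percentages quoted above are easier to reason about as a yearly downtime budget. The following is an added example (not code from the original article) that converts a tier's uptime figure into allowed minutes of downtime per year and checks a year's worth of outages against it; the tier percentages are the ones stated above, and the outage durations are constructed sample data.

```python
# Added example (not part of the original article): translate tier uptime
# percentages into an annual downtime budget and check outages against it.
# Tier figures are those quoted in the article; outage durations are constructed.

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year

# Uptime percentages as quoted in the article for Tier 3 and Tier 4.
TIER_UPTIME = {
    "Tier 3": 99.982,
    "Tier 4": 99.995,
}


def downtime_budget_minutes(uptime_percent: float) -> float:
    """Allowed minutes of downtime per year implied by an uptime percentage."""
    if not 0 <= uptime_percent <= 100:
        raise ValueError("uptime must be a percentage between 0 and 100")
    return MINUTES_PER_YEAR * (100 - uptime_percent) / 100


def budget_status(tier: str, outage_minutes: list) -> dict:
    """Compare the outages actually experienced in a year with the tier's budget."""
    budget = downtime_budget_minutes(TIER_UPTIME[tier])
    used = sum(outage_minutes)
    return {
        "tier": tier,
        "budget_minutes": round(budget, 1),
        "used_minutes": round(used, 1),
        "remaining_minutes": round(budget - used, 1),
        "within_budget": used <= budget,
    }


# Constructed sample: three outages of 20, 35 and 15 minutes in one year (70 total).
SAMPLE_OUTAGES = [20, 35, 15]

if __name__ == "__main__":
    for tier in TIER_UPTIME:
        print(budget_status(tier, SAMPLE_OUTAGES))
```

Run as a script, it shows that the same 70 minutes of outages fit inside a Tier 3 budget (about 95 minutes a year) but exceed a Tier 4 budget (about 26 minutes a year), which is the practical difference between the two percentages.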
Where are the data centers and how many locations do you have?
It may seem silly to ask where the data centers are located. However, you should know where your critical data is kept. Data is your business. It is not really “in the cloud”; it sits in a physical data center in some state or country.
Asking about the number of locations is important for redundancy. In the event that something occurred at one location, you have the security of knowing that all of your data is duplicated at the other center or another server. You will never lose all of your information if your data is stored in multiple locations.
How secure is the data center?
It is important to ask about the security at the data center. Most data centers are built with concrete walls and very few windows and entry points. This helps protect against the elements and intrusion. You will also want to inquire about surveillance monitoring. Is the facility monitored 24 hours a day? Are there cameras throughout? Is your cage locked?
Next, ask who has access to the actual cage the data is being stored in and how secure the check-in process is. Do you show a government ID or do you need to give a fingerprint? Or perhaps they have facial or retinal scanning. Whatever the check-in process is, you want to make sure it is secure and that no one can just walk in and gain access.
Who manages the data center and how often is your data backed up?
The “Who manages the data center” question can be broken out into a couple of different pieces. First, you will want to know which company physically houses the data center. Once you have this information, you can visit their website to see what other businesses they serve and read about their certifications to ensure they are a credible data center (see the section below for certifications to look out for). Many sites even offer virtual tours. It is difficult to get an on-site tour because of security concerns.
Next, you will need to inquire who has access to the physical data. Typically, only a couple of key IT people at the ATS company can actually access and “touch” the data. Usually, a third party is also hired to further secure the data, increase performance, and manage the overall environment.
Along with this, you will need to inquire how often your data is backed up. Your data should be backed up daily. Typically, incremental backups are made throughout the day, with one full backup done at the end of each day.
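To make the daily-full-plus-incrementals schedule concrete, here is an added example (not code from the original article or from any ATS vendor) that models such a backup chain and restores the dataset to a chosen point in time. It walks from the most recent full backup through every later incremental, verifies each backup's checksum on the way, and refuses to restore if an incremental in the chain has been corrupted, which is why a provider should be verifying its incrementals and not only taking them. The record contents and timestamps are constructed sample data.

```python
# Added example (not part of the original article): a model of one full backup
# per day plus incremental backups through the day, with point-in-time restore.
# All records and timestamps below are constructed sample data.

from dataclasses import dataclass, field
from datetime import datetime
import hashlib
import json


def digest(records: dict) -> str:
    """Stable SHA-256 over a record set, used to verify a backup is intact."""
    return hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()


@dataclass
class Backup:
    taken_at: datetime
    kind: str            # "full" (whole dataset) or "incremental" (changed records only)
    records: dict
    checksum: str = field(default="")

    def __post_init__(self):
        # Compute the checksum at backup time unless one was supplied (e.g. from a manifest).
        if not self.checksum:
            self.checksum = digest(self.records)


def restore(chain: list, point_in_time: datetime) -> dict:
    """Rebuild the dataset as of point_in_time: latest full backup taken at or
    before that time, then every incremental after it, each checksum-verified."""
    usable = [b for b in chain if b.taken_at <= point_in_time]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the requested point in time")
    base = max(fulls, key=lambda b: b.taken_at)
    state = {}
    for b in sorted(usable, key=lambda b: b.taken_at):
        if b.taken_at < base.taken_at:
            continue  # older than the base full backup; not needed
        if digest(b.records) != b.checksum:
            raise ValueError(f"{b.kind} backup at {b.taken_at} failed checksum; chain is broken")
        state.update(b.records)  # the full seeds the state, incrementals overlay changes
    return state


def recovery_point_gap_minutes(chain: list, incident_time: datetime) -> float:
    """Minutes of work that would be lost: time since the last backup before an incident."""
    prior = [b for b in chain if b.taken_at <= incident_time]
    latest = max(prior, key=lambda b: b.taken_at)
    return (incident_time - latest.taken_at).total_seconds() / 60


def T(hour: int, minute: int = 0) -> datetime:
    return datetime(2019, 8, 5, hour, minute)  # constructed sample day


# Constructed chain: full at midnight, incrementals at 09:00, 13:00, 17:00, full at 23:59.
SAMPLE_CHAIN = [
    Backup(T(0), "full", {"cand-1": "Alice", "cand-2": "Bob"}),
    Backup(T(9), "incremental", {"cand-3": "Carol"}),
    Backup(T(13), "incremental", {"cand-2": "Bob (updated)"}),
    Backup(T(17), "incremental", {"cand-4": "Dan"}),
    Backup(T(23, 59), "full", {"cand-1": "Alice", "cand-2": "Bob (updated)",
                               "cand-3": "Carol", "cand-4": "Dan"}),
]

# Same chain, but the 13:00 incremental's stored checksum no longer matches its contents.
CORRUPTED_CHAIN = list(SAMPLE_CHAIN)
CORRUPTED_CHAIN[2] = Backup(T(13), "incremental", {"cand-2": "Bob (updated)"},
                            checksum="0" * 64)

if __name__ == "__main__":
    print(restore(SAMPLE_CHAIN, T(14)))
    print("minutes at risk for a 15:30 incident:",
          recovery_point_gap_minutes(SAMPLE_CHAIN, T(15, 30)))
    try:
        restore(CORRUPTED_CHAIN, T(14))
    except ValueError as err:
        print("restore refused:", err)
```

Restoring to 14:00 yields the midnight full plus the 09:00 and 13:00 incrementals; an incident at 15:30 would lose up to 150 minutes of changes, which is the gap a more frequent incremental schedule shortens. The corrupted chain shows the failure mode to ask a provider about: one bad incremental makes every later point in that day unrecoverable until the next full backup.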
Is the Data Center certified/audited?
You want the data center to be certified and audited to guarantee they are compliant with industry standards. Below are some of the key certification standards to ask about:
- HIPAA: Protects the health information of patients. This certification is especially important for those working in the healthcare industry. It assures that all security measures are in place when handling sensitive patient data.
- PCI DSS: Offers enhanced data security when processing credit cards online to ensure all identities are protected.
- SOC 1 Type II: A report produced by an outside auditor covering the controls relevant to financial and accounting reporting. The report focuses on the organization’s services, processes, and policies.
- SOC 2 Type II: These are strict security standards designed for technology service providers to ensure client interests are looked after.
- ISO 27001: A framework that specifies requirements for establishing and implementing an Information Security Management System.
- NIST 800-52/FI: Published by the National Institute of Standards and Technology, which promotes the standards used by federal agencies.
Once you know the data center provider, you can visit their website to view all of their certifications.
What type of anti-virus/ anti-malware software is used? Who manages alerts?
Your data center needs to have several layers of firewall protection in case one or more are breached. Multiple anti-virus and anti-malware products should be used to protect your data. This is important because one product may detect a threat and begin remediating it while missing another threat that a different product catches. With layered security, an intruder would need to get through several layers before reaching your data.
Next, you will want to ask if your data is monitored 24 hours a day and who manages alerts if something goes wrong. Typically, your data should be monitored 24 hours a day, and the same parties that manage your data are usually alerted if something goes wrong. Again, these would usually be the internal IT people at your ATS company, a third-party cloud management company, and the data center itself. All three should be monitoring for, and be alerted to, breaches or any other issues that may arise.
As you can see, there are many layers that go into keeping your data safe. Security standards and protocols may not be the most interesting topic to read about; however, researching and learning how your data is secured can help your company avoid a tragedy. Once your data is breached or lost in a storm, there is no going back. Now is the time to learn how to keep your candidate and client information safe, and it all begins with asking your ATS provider these 6 questions.