Protecting your recruitment agency’s data, so that it can be recovered successfully from an IT systems failure, forms an important part of GDPR compliance.
Planning for such eventualities is also critical from an operational and commercial perspective – we have only to see how hospitals and healthcare facilities ground to a halt during the WannaCry ransomware attack of 2017 to understand just how much operational chaos and reputational damage an IT outage can cause.
As such, it is critical that the Board have a thorough business understanding of their plans for coping with, and recovering from, an IT failure, whether that is caused by a cyber attack or by something more mundane such as a hardware failure, fire or flood.
Many of the recruitment agencies that I work with have no in-house CIO, and so I sometimes find that the Board are incorrectly reassured by the presence of an IT disaster recovery plan that was perhaps put together some years ago and has sat in the fireproof safe ever since.
This is a myth that I wanted to dispel, as unfortunately, my experience is that this document needs to be constantly evolving: our use of technology in the industry has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect whether a recovery succeeds technically.
So in order to ensure ongoing compliance and relevance, I always recommend that the recruitment companies we work with continually re-assess and test their plans around resilience, backup and disaster recovery against the commercial and operational needs of their business and regulatory compliance requirements such as GDPR. Some points to consider would include:
- How long could you afford for each of your various IT systems to be down?
- How much data, if any, could you afford to lose?
- When did you last try a test restore of your data or email? Did it work?
- Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
- Where are your backups held, and could you access them in the event of a disaster that, say, incapacitated your premises (or in a situation where the emergency services would not allow you access to your offices)?
- In the event of a major disaster, what hardware would you restore your backups onto?
- If your offices were incapacitated, where would you work from, and how would you connect to your recovered system?
With ever increasing regulatory and market-driven pressures, the advancement of technology and changes in working practices, coupled with constantly evolving cyber security threats, my experience is that the disaster recovery plan needs to be a living, breathing document that is constantly reviewed and re-assessed to reflect the changing landscape in which recruitment agencies operate.
If you would like help with reviewing or testing your disaster recovery plans to make sure that they are in line with your current business requirements and the forthcoming GDPR legislation, please do not hesitate to contact us.
Epoq IT work with small and medium-sized recruitment agencies, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security.