Making Online Recruiting More Secure

By Dec 1, 2007
LIKE SAVE PRINT
Reuse Permissions

HR Magazine, December 2007 Breaches put job seekers at risk and employers on notice.

Among job board executives attending a meeting of the International Association of Employment Web Sites (IAEWS) earlier this year, one recent development was generating most of the buzz.

The personal information of more than 1 million subscribers to the megajob site Monster.com had been stolen and discovered on a computer in Ukraine. The data, Monster executives acknowledged, included job seekers' names, addresses and e-mail addresses. Most likely, the information would be used by cyberthieves to generate personal e-mails aimed at stealing victims' money. Many job seekers, security experts warn, could also become prime targets for a common phishing scheme in which e-mail recipients, lured to a phony Monster.com site, might:

  • Be asked to enter personal information.
  • Be urged to unwittingly download malicious software that could harm their computers.
  • Enable spyware that could put additional personal or financial information stored online at risk.

Among the victims of the breach were more than 130,000 subscribers to USAJobs, the federal government job site Monster manages. But Monster officials say there is no way of knowing how many others of its tens of millions of users might have been affected by earlier attacks that went undetected.

Presented with news of their high-flying competitor's misfortune, one might have expected some attendees at the meeting to feel a bit smug. But as IAEWS Executive Director Peter Weddle recalls the reaction among his members, most were more inclined to empathize with Monster's security woes than to gloat.

"Our members are very open about the fact that on a daily basis they are experiencing a whole array of [security] attacks of varying degrees," says Weddle, whose group represents tens of thousands of job sites and software providers worldwide. For HR professionals and employers who rely on online job boards, or who use their own web sites to attract job candidates, the case serves as a cautionary tale. But, if there is something good to come from security breaches such as this one, it is the emergence of new alternatives to first-generation Internet job sites that may create a safer online experience.

Security Cracks Surface

During the past decade, employers have become increasingly dependent on job boards, investing nearly $6 billion in such postings last year alone, according to the advertising consultancy Borrell Associates Inc. As competition in some professions increases, job board spending by employers during the next five years is expected to grow by more than 10 percent annually.

Despite these sanguine predictions for the job-board industry, persistent concerns about data privacy--underscored by the breach at Monster--are casting a shadow. "The challenge that any job database has is security," says Ray Schreyer, IBM's Charlotte, N.C.-based head of recruiting strategy.

IBM, the country's fourth largest employer, recruits for thousands of vacancies around the world each year. And while it once relied heavily on big boards like Monster, CareerBuilder and HotJobs for candidates, Schreyer says he has been forced to find alternatives. "If they delivered, I would still use them." Jo Prabhu, head of International Services Group, a Long Beach, Calif., recruiting firm, has similar concerns.

"Our reliance on the job boards has come back to bite us," says Prabhu, who used to spend tens of thousands of dollars annually to access job-site databases but closed those accounts two years ago when the return on investment started to lag. "Candidates have stopped trusting the boards," she says. "They're no longer putting their information out there, so [searching for candidates on the boards is] a waste of time."

The effectiveness of traditional online recruiting, and the fate of its lucrative business model, could be compromised, Weddle and others say, unless the industry takes steps to regain stakeholder confidence.

Monster officials and others in the industry say they are taking heed. Patrick Manzo, Monster's vice president of compliance and fraud prevention, acknowledged his company's weakness in staving off abuses. Contrary to earlier media reports, Manzo tells HR Magazine, Monster's intruders were not code-cracking computer whizzes; they used a legitimate employer password.

"Somebody came through the front door using a key," says Manzo. In addition to other actions that Manzo declined to specify, he says the company will be stepping up its efforts to educate employers about good practices for keeping their passwords safe. But some critics contend that the only way to really ensure that databases are secure is to limit who gets access in the first place.

Doug Geinzer, chief executive officer of RecruitingNevada.com, an online job board that posts job openings but doesn't maintain an applicant database, faults newspaper publishers like the Tribune Co.that have established ties with job boards but do little if any customer screening beyond what they would do for a traditional help wanted ad.

The Tribune is a partial owner of CareerBuilder.com, but its newspapers aren't the only ones tied to the boards.

"The only thing they are interested in is that they get paid," Geinzer says, not pointing his finger at any specific publisher. Geinzer's contention has merit. When this reporter called one large national job board's sales office to inquire about setting up an account, she was promised access to its database within 20 minutes once she provided credit card information and a taxpayer identification number on the phone. She was never asked if she was an employer. (No steps were taken beyond the initial inquiry to establish the account.)

Strengthening Safeguards

Spooked by their critics' do-or-die warnings, some job-board executives say they have made systemic improvements designed to rebuild employer and job seeker trust.

The DirectEmployers Association, a nonprofit consortium launched five years ago, has attracted business from more than half of the Fortune 500 companies, in part by promising better security on its two sites, the Job Central National Labor Exchange (www.jobcentral.com) and NACElink (www.nacelink.com), a recruiting system designed for students.

DirectEmployers members pay a flat annual rate of $15,000 for job posting privileges, according to the group's chief, Bill Warren, who helped launch Monster in the 1990s but left a decade later. The fee helps pay for safeguards that he maintains are largely absent from the larger boards.

"We're screening to make sure that all the jobs are legitimate and that those who access the database are legitimate employers," Warren says. "We don't know that [the wrong] people haven't gotten in. But I don't think anyone is more careful than we are."

The fact that DirectEmployers' fee is lower than what many of its members had been paying to advertise on other sites is an added bonus, Warren argues. Schreyer of IBM acknowledges that DirectEmployers' sites don't have Monster's cachet among job seekers or the corporate executives it has aggressively wooed. But he's banking on the proposition that better candidates will gravitate toward a more selective site. Plus, Job Central, unlike the larger boards, doesn't have interstitial advertising. Schreyer maintains that, in addition to being pesky, such ads increase users' vulnerability to spyware and other malicious programs.

VetJobs.com, a site that caters to military veterans, also screens employers before allowing them into its database, according to Ted Daywalt, the site's president and chief operating officer. In addition, VetJobs is leveraging technology to help protect user passwords. Its system constantly changes a member's access code, making it difficult for cybercrooks to use spyware to steal a legitimate customer's password.

You build in double- and triple-entry systems, and you make things very complicated for spyware," Daywalt says, noting that the system also has proprietary safeguards he isn't willing to reveal. In addition, Daywalt says the site monitors the activity of its customers while they peruse the database.

"You see someone downloading several hundred resumes at a time and you wonder what they're doing," he says. The site automatically triggers an alarm when a user tries to download more than 300 resumes at a time. "No one can open up our entire database."

Emerging Models To be sure, the big boards still have scads of loyal customers. Valerie Kennerson, managing director for talent attraction at the Atlanta-based American Cancer Society, relies on several large boards and niche sites to fill hundreds of vacancies yearly and is satisfied with the results. "I can't see that we would move away from them," she says. "I know that they are meeting a need."

Still, some job board executives questionthe viability of the traditional job board model in light of what they say are inherent security weaknesses. "I'm somewhat sympathetic to Monster," says Warren. "It got hit very hard. But what happened to them could happen to anyone."

Faced with a seemingly indomitable threat, Warren is considering dismantling Job Central's resume database permanently. That's music to the ears of recruiters such as Minneapolis executive Peter Brasket. He is banking on next-generation search-engine technology that he contends can be leveraged to match employers with job seekers--without the help of traditional job board databases. Jobs2Web, a career-site optimization solution that his firm is marketing, is designed to help companies ensure their Internet job postings don't get lost on the web and get pulled up easily by job seekers using search engines like Google and Yahoo!

"Job boards exist because search engines can't find the listings," Brasket says. Warren agrees, arguing that new search-engine technology has the ability to link employers and job applicants in a way the traditional database model he helped design in the '80s never could. Moreover, new search-engine technology gets third parties like DirectEmployers away from the risky business of collecting and housing applicant data-- a responsibility he maintains is best carried out by employers through their applicant tracking systems (ATS). Job Central, in fact, uses a Googlepowered application to pull listings directly from its members' ATS.

While the site does serve as a kind of clearinghouse where applicants can shop for the jobs they like, Warren contends that the similarity with traditional job boards stops there.

Rather than having job seekers apply for positions through DirectEmployers, applicants are linked directly back to the employers' sites.

"We don't play a middleman role," he says. "That's old and risky technology. It's time to let it go."

Rita Zeidner is manager of the SHRM Online HR Technology Focus Area. She can be contacted at rzeidner@shrm.org.

Web Extras

SHRM article:
Job Boards Recruit Each Other to Fight Cybertheft (SHRM Online HR Technology Focus Area)

SHRM video:
Ted Daywalt, president of VetJobs.com, on data security issues affecting Internet job boards 

Web site:
International Association of Employment Web Sites 

Web site:
DirectEmployers Association

LIKE SAVE PRINT
Reuse Permissions

SHRM WEBCASTS

Choose from dozens of free webcasts on the most timely HR topics.

Register Today

Job Finder

Find an HR Job Near You

SPONSOR OFFERS

Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 3,200 companies

Search & Connect