While the Great Resignation has been a game changer for companies in all industries, for businesses in the recruitment and HR industry, it has been a seismic – and in some ways positive – change. But, one troubling aspect that has flown under the radar is the cybersecurity implications. For businesses in the recruitment industry, the wave of employee churn has been a boon – but every silver lining has its cloud, and it looks like the explosion in job-seekers is catching the attention of cybercriminals and, in particular, bot operators.
Bot attacks have surged globally in recent years, with bad bots making up more than a quarter (25.6%) of all online traffic in 2020. Of these, the majority (57%) are known as advanced persistent bots (APBs) which are harder to detect and mitigate as they mimic human behavior. Regardless of whether businesses are built around products or services, bots are becoming a scourge across the internet.
For job boards and other recruitment-related businesses, data scraping bots have become one of the most impactful issues. These bots not only cause significant reputational damage when customers’ data is taken without their consent, but websites can experience performance issues or go down completely from the exorbitant traffic requests.
Jobs for the bots or bots for the jobs?
At the end of 2021, a global job listing site was targeted by the biggest bot attack Imperva Research Labs had ever monitored and mitigated. The attack was focused on data-scraping, i.e. the automatic extraction of content and data from a website – in this case information from job-seekers profiles and resumes. While data scraping attacks tread a fine line between business intelligence and violating data privacy, it’s one of the most prominent bot attacks businesses face today. Scraping can result in worse conversion rates, unreliable marketing analytics, poorer SEO rankings and, in the case of particularly aggressive scrapers, website downtime. In this instance, the website was hit by a staggering 400 million bot requests over four days from nearly a half a million unique IP addresses.
At first blush, it might seem strange that a job board was the focus of such a massive bot attack – many would expect the target to be a bank or major retailer instead, using such resources to try and steal sensitive data rather than job seekers information.
However, the data gathered in these sorts of attacks can be used in many ways — like Account Takeover (ATO) attacks on other sites. Therefore, in the context of the Great Resignation which has seen the number of employees looking to make a move reach record levels, attacking a job board is now quite lucrative. Resumes are a rich source of personal data – addresses, employment history, salaries and so on – that can fuel subsequent ATO attacks.
Learning from retailers
While bot attacks aren’t new, the scale and volume of the incidents are higher than ever before. In order to cope, the industry should look to another sector which has been leading the way in combating bots: retail.
The retail industry is a prime target for bot operators all year round, so retailers need to have a base layer of protection in place at all times. However during busy periods like Black Friday, or when a hot new consumer item is released, the odds of bot operators striking is significantly higher. Last year, bot traffic spiked 73% during the holiday period. As a result, retailers are learning to look ahead and identify those times of the year when they’re most likely to be targeted by bot operators. From there, they can bolster their defences to cope without disrupting the user experience for legitimate, human customers.
The past year has seen record numbers of job seekers look for new opportunities, meaning a large influx of new or updated customer data for businesses. Good cybersecurity depends not only on understanding how valuable your data is to your business, but how valuable it is to hackers as well, and this wave of data means recruitment businesses are going to find themselves facing more bot attacks than ever before.
Blocking off the bots
Botnet operators are constantly changing their tactics to evade defences. There are a number of steps that companies can take to significantly reduce the chances of successful bot attacks.
- Make sure that you’re blocking or using CAPTCHA when you identify requests with outdated user agents/browsers. This won’t stop the more advanced attackers, but it should catch and discourage some. Plus, the risk of disrupting genuine users is very low. Most modern browsers force auto-updates, making it more difficult to surf the internet using an outdated version.
- Block known malicious hosting providers and proxy services. Less sophisticated perpetrators use easily accessible hosting and proxy services like Digital Ocean, Gigenet, OVH Hosting, and Choopa. Not allowing access from these sources can discourage attackers from coming after a site.
- Monitor failed login attempts. Set a baseline for failed login attempts, then monitor for anomalies or spikes, with automatic alerts sent to security teams when such anomalies occur.
- Most importantly, invest in a comprehensive and robust bot protection solution. Bot operators are launching attacks round the clock using advanced bots that can mimic human behavior, so businesses need to protect themselves from the most sophisticated automated threats without affecting the experience of legitimate users. Bot operators are almost always looking for the easy wins where they can get the most data and highest return on investment (ROI). Therefore, having a solution in place that reduces their potential ROI is extremely important.
Bots are not a new phenomenon for the recruitment sector but, like many other industries, the scale and scope of attacks seen recently is unprecedented. HR and recruitment companies need to understand how valuable the data they hold can be for cyber-criminals and implement a clear, cohesive bot management strategy as soon as possible. Not only will this help mitigate any attacks that do come through, but effective protection can often deter bot operators from launching an attack in the first place, which is really the best defence of all.
Lynn Marks is Senior Product Manager at Imperva, a role she has held since July 2017.