In the spirit of simplicity and efficiency, many recruiting operations and HR departments like it when their background check vendor integrates with their HR software. If you can click a link inside your HR software that launches the background check and drug test, and the final report comes back to your applicant file inside your HR software, this is super convenient and considered a major time-saver.
But what if this approach made your applicants and employees’ private information extremely vulnerable to a data breach? If you knew that reliance on this very convenient workflow could make it much easier for hackers to steal social security numbers, dates of birth, drivers license numbers and more, is it really worth it?
If there was an alternative approach that might add one to two minutes of extra work per applicant, but would completely protect your employee’s personal information, wouldn’t this be the more responsible choice?
The software code that connects an HR system to a background checks system is called an Application Programming Interface or API for short. Over the past five years, hackers have become extremely well-versed in penetrating APIs to facilitate a data breach. Salt Security released the results of its API security report titled, “The State of API Security – Q3 2021.” Consider some recent research findings from Salt’s report:
> Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
> Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
> Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
> One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.
API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to millions of people having their personal information stolen from Facebook and LinkedIn. Here’s a link to a huge list of API data breaches that happened in 2020. It is worth noting a few important facts about these data breaches:
> Vulnerabilities in the APIs are the direct cause of these breaches. Nothing else is to blame.
> Access management gateways with strict authentication/authorization would NOT have prevented these breaches.
> All illicit API requests in these breaches are cleverly crafted to appear entirely “valid” to existing security devices.
While APIs support the interactive digital experiences that business software users have come to rely on, they also provide hackers with multiple venues to access an organization’s data and can even be used to cause massive business disruptions. Common attack methods being used to exploit APIs include:
> API Parameter Tampering – Hackers often use this technique to either reverse engineer an API or gain further access to sensitive data.
> Session Cookie Tampering – These attacks attempt to exploit cookies in order to bypass security mechanisms or send false data to application servers.
> Man-in-the-Middle Attacks – By eavesdropping on an unencrypted connection between an API client and server, hackers can access sensitive data.
> Content Manipulation – By injecting malicious content (e.g., poisoning JSON Web tokens), exploits can be distributed and executed in the background.
> DDoS Attacks – Poorly written code can be used to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported Web application.
So What Is The Alternative?
All of this can be avoided with our secure integration solution, which does not require an API. We can give you a custom link that is specifically coded to process the background searches in your package. You can embed the link in your offer letter and transmit it directly from your HR software. You’re going to send them an offer letter anyway so why not embed our link in the letter that you email them?
Your candidate reads the offer letter, clicks our link and they go into an online workflow where they read their FCRA Summary of Rights and other disclosures, they enter the information required to process the searches and they e-sign their consent form. You can see how this works by watching this video.
If you want, you can even embed the link on a screen in your HR software’s onboarding workflow instead of embedding it in the offer letter. Voilà! No API required.
We will email you the completed report as a PDF, which you would upload to the candidate’s file in your HR software. The extra one to two minutes it takes to upload this PDF is definitely worth the extra security and peace-of-mind you will get by completely protecting your applicants’ personal information from a possible API data breach.
Both options are super easy… and very secure.