Recruitment site Monster's refusal to implement two-factor authentication after users were hit by cyber attacks is a "business failure," according to analyst firm CIC.
The jobs site last week told CBR it has no need to upgrade its security after F-Secure revealed that many users could potentially have been hit by bank detail-stealing malware.
Monster insisted its methods were robust despite F-Secure's revelations, but CIC principal analyst Ian Murphy claimed otherwise.
He told CBR: "There really is no excuse for companies failing to implement this today. The technology is not expensive and the savings from reputational damage offset any costs that might be involved.
"For a high profile site such as Monster Jobs, this is really a business failure."
F-Secure said two-factor auth could prevent future malware attacks after the Gameover Zeus virus was used in an attempt to steal recruiters' bank details.
The attack is installed via spam or a bot, and takes information users type into online forms, before prompting them to give up the remaining information required to take control of the user's Monster account by directing the user to a fake security check form.
F-Secure's blog post warned: "HR recruiters with website accounts should be wary. If the account is potentially tied to a bank account and a spending budget ... it's a target for banking trojans."
Two-factor auth relies on users entering one set of details, such as a username and password, but also providing another form of identification, just as an ATM requires a pin number in addition to a debit card.
Monster had answered CBR's questions in a previous statement, saying it "employs a layered system to protect access to our site that goes significantly beyond passwords and security questions."
It added: "We think this level of security and monitoring is an appropriate balance of security and usability. We operate under the assumption that we are always a target and take strong measures to defend ourselves."
Monster also denied the malware was a danger to users of Universal Jobmatch, the government jobs site it is under contract to provide.
But CIC's Murphy said there was a risk the same malware could hit jobseekers.
"If they do not protect one high profile site it is unlikely that they protect other sites," he said. "There is also a question to be asked here as to what level of security did Department of Work and Pensions (DWP) require?"
CBR has approached the DWP for comment.
It is unclear whether Monster's deal will be renewed beyond its April 2016, though a joint statement issued by Jobcentre Plus and Monster said Jobmatch was "here to stay" after it was criticised for fake job listings.