With the General Data Protection Regulation just months away, information security has been a hot topic. There’s talk of appointing data protection officers, implementing security by design, strengthening the information security or IT department, etc. All of these steps are critical. However, true information security is not found in a single technology, person or department. True information security is about more than IT. It’s a culture.
That truth was evident throughout our ISO 27001 certification process, which we recently completed. If you’re not familiar with ISO 27001, it’s an international standard for an information security management system: the policies and procedures an organisation uses to reduce its information risk. The certification involves an extensive planning process and a third-party audit covering 12 main sections. Any business that successfully completes this rigorous process sends the message to its customers and business partners that it’s dedicated to protecting the data in its care.
Why is ISO 27001 so widely adopted and respected? Because it takes into account potential information security risks throughout the entire organisation, not just in IT. When auditors from the BSI Group conducted our examination, they didn’t stop at the IT department. Auditors were present throughout our facilities, sometimes even at or around employees’ desks, carrying out spot checks to confirm that each staff member followed company policy on information security. It was therefore imperative that employees follow protocol such as:
- Locking computer screens upon leaving their workstations
- Following our clean desk policy
- Shredding sensitive documents at the end of their working days
According to Verizon’s 2017 Data Breach Investigations Report, 14 per cent of data breaches were attributed to human error, and 81 per cent of hacking-related breaches involved stolen or weak passwords. To avoid becoming a statistic, our entire organisation engaged in regular security awareness training to ensure everyone was familiar with security best practices and why they were important. As a result, there’s a culture of security throughout the business.
At the end of our ISO 27001 assessment cycle, we passed with flying colours. We could not have done that without the cooperation of every employee. Because the certification process was driven by a culture of security rather than simply the desire to tick a box, we’ll continue to maintain and improve our security processes.
With data security regulations holding businesses accountable for protecting data, and with the risk of data breaches continuing to rise, it’s more important than ever to ensure employees value security and exercise best practices. How strong is your security culture?