Committed to Cyber Security
Many companies claim that they are ‘committed to cyber security’. New Verve is too. But what does that actually mean? And how can we reassure our customers that we practice what we preach?
We recently carried out an internal audit to satisfy one of our customers' ISO 9001 obligations. As part of this audit, we needed to show how, as a business, we comply with all applicable data protection legislation. Crucially for our customer, we needed to demonstrate that when it came to data security we had adequate measures in place to ensure the confidentiality, integrity and availability of their data.
As a business, we are process and detail driven. We have always carried out due diligence on supplier systems and software, and we have a number of operational runbooks and policies in place to help enable staff to work in a secure way. So, we were in a good place and scored very highly in the audit.
However, we identified a few areas where we could make improvements.
Working From Home
Like many other businesses during the COVID-19 pandemic, the New Verve team had no choice but to work remotely for an extended period of time. We now have a permanent 'work from anywhere' policy, meaning that people can work wherever they like, as much as they like.
'Anywhere' means somewhere that New Verve does not directly manage or control: the network, the physical surroundings and the people nearby are all outside our hands. To mitigate the cyber risks of staff working from a non-office location, we already had a number of measures in place:
- staff are provided clear obligations and guidance within our policies (Data Protection, IT and Communications, Work from Home, and Information Security Incident Management).
- when accessing any New Verve or customer data, every staff member must use their New Verve laptop or a company-managed work profile (e.g. on mobile devices).
- every staff member must connect to our VPN facility before accessing any of our systems.
However, we realised that we could do more to reduce cyber risk further, specifically when it came to network security. While connecting to the VPN was required by policy, it wasn't automated, so it depended on each person remembering to connect before opening a company system. That left room for human error or oversight.
We replaced our own VPN hardware with AWS Client VPN, a highly available, managed and elastic cloud VPN service that carries our network traffic over an encrypted tunnel. We then made sure that the VPN connection is established automatically on every laptop when a person logs in, so the protection no longer relies on someone remembering to turn it on.
We've always encouraged and promoted autonomy within New Verve, and for a while every staff member was a local administrator on their own machine. This was great because it did away with extra process: if somebody needed a tool to do their job, they could install it themselves.
Unfortunately, this approach doesn’t float so well when it comes to security.
To ensure that our machines only run software that has been properly assessed and approved by the business, we decided to ditch our 'local admin' approach. Standing administrator rights were removed from day-to-day user accounts, and all unapproved software was identified and removed from New Verve machines. Now, staff must request new software via our service desk and, once it is approved, the software is installed and managed remotely by an authorised staff member using JumpCloud's software management feature.
Staff need to be equipped when it comes to data protection. Until recently, New Verve provided data protection guidance only in the form of policies and operational runbooks. However, we realised that we were lacking a formal training programme.
To bridge this gap, we signed up to iHasco’s GDPR and Cyber Security training courses. Specifically, we provided advanced training to staff who are responsible for enforcing or managing data in our workplace, and essentials training for everyone else. The courses are well constructed and delivered, and the learning tool is extremely easy to use.
Reassuring Customers with Cyber Essentials
The audit that we carried out for our customer was great. It reassured us as a business that we were on the right track and in a strong position when it came to data security. It also identified areas where we could improve and we did so quickly.
So what next? How can we reassure our customers that this is the case?
Step in Cyber Essentials.
Cyber Essentials is a simple but effective, Government-backed scheme that helps protect businesses against a whole range of the most common cyber attacks. It is built around five technical controls: boundary firewalls, secure configuration, user access control, malware protection and security update (patch) management. Through an official certification, it gives companies confidence that their defences will withstand the vast majority of common, untargeted attacks. The base certification is a verified self-assessment; Cyber Essentials Plus adds an independent technical audit of the same controls.
I’m delighted to say that as of July 2021, New Verve is now Cyber Essentials certified.
With this certification, we:
- have a clear picture of New Verve’s security level.
- can reassure our customers that we are working to secure our IT against cyber attack.
- can attract new business by demonstrating to prospective customers, rather than merely promising, that we have cyber security measures in place.
If you haven’t already audited your own data security measures, I’d encourage you to do so now! Cyber Essentials is a great place to start. Feel free to reach out if you need more insight into the gaps we identified and how we address them.