Hello readers, I am Rob Hill, an IT professional of 17 years. I started working in Information Security around 2 years ago when a previous employer launched a project to improve IT security. We implemented ISO 27001 across the business, and it completely transformed the way we operated around the globe. Building on that success, I started with CaféX in August 2017 as the information security and compliance officer, brought in primarily to implement ISO 27001.
Why ISO 27001 matters and why CaféX is getting ISO-certified
CaféX's move to software as a service (SaaS) has driven the need to demonstrate publicly to our customers that we adhere to industry-accepted standards for information security. Our goal is to give all of our stakeholders confidence that we have world-class IT security policies and procedures across the business.
ISO 27001 is a globally recognised certification, which means that wherever our customers are located, they can be assured that CaféX adheres to a consistent set of standards approved worldwide.
The importance of information security and senior leadership buy-in
Implementation of ISO 27001 typically needs to be driven by top management to be successful. CaféX's senior leadership team has completely embraced this initiative, and our IT security strategy is driven from the top down.
Gauging the level of user awareness to pursue
User awareness is a hot topic in any organisation, and there are varying opinions as to how best to communicate new initiatives internally. At CaféX, we have a user base spread across the globe representing different functions and skill levels, which initially made it challenging to gauge the right level of technical depth for user training. We decided to keep initial modules fairly simple, high-level and to-the-point with some technical aspects included throughout.
User awareness training to ensure a secure organisation
We thought long and hard about the best vehicle for user training. Rather than use the traditional presentation method, we designed an animated video tailored to our company with real life examples of cyber-crimes, such as phishing. We hired a professional voice-over artist and kept the material fun and interesting to keep viewers engaged.
Positive results were seen almost immediately. Within the first few days of the video’s release, employees began reporting phishing emails to our IT department and avoided clicking on potentially harmful links.
We continue to deliver awareness training through an ongoing program that presents a new topic each month. A monthly newsletter also keeps our employees up to date on our progress with ISO 27001 as well as other compliance programs such as General Data Protection Regulation (GDPR). We also plan to cover related topics, such as working remotely and information classification.
Choosing tools for team collaboration and compliance
For me, effective collaboration is key when working for an international company. Using the Google Suite has changed the way I work, allowing me to create and update policies and procedures with ease as well as assign items to colleagues who are working with me on a given document.
As part of my role, I created a Security Steering group that meets each month to discuss a large number of topics, conduct document reviews and discuss the status of our ISO 27001 rollout. There were a number of documents, meeting notes and other items that needed to be viewed by everyone in the group. Initially, I had set up a Google site for this group but found it difficult to keep everything together and assign tasks to other members.
As an alternative, I started using CaféX Spaces, the virtual workspace platform from CaféX for team collaboration, live audio & video chat, and secure, private access to shared files, SaaS tools, etc. Spaces has completely changed the way we collaborate. It allows me to have one place for all our content, meeting notes and presentations whilst still harnessing the power of Google to keep documents maintained and updated. My favourite feature within the workspace is assigning tasks. Inherent to implementing a successful ISO 27001 program is the large number of documents to review. Spaces makes this process easy; just enter an email address and click to assign a review task to someone in the group. I can also send reminders to people.
We decided early on that we needed a place for all our users to go and find all information related to information security, so we created a Google site. This is a central site where all our compliance information is stored with status information for each item. But, unless all users in the group bookmark the URL, they would have to search their inbox to be reminded of where to go. With CaféX Spaces, they can just go to a single, secure location and get links to any and all related resources.
Measuring success is key to successful management
Success is an interesting word. From my point of view, success means that our employees think about information security in everything they do, whether they are creating deliverables at work or shopping online at home. Of course, success for the business will hopefully be achieved when our external audit takes place in Q2 of 2018 and all the hard work has been completed. But, as we all know, the work does not stop there. Information security is about continuous improvement and always trying to be one step ahead of new threats.
Constant vigilance is critical and the best offense is a good defense
Hackers, cyber criminals or whatever term you'd prefer to use will always be there; there is no getting away from them. The one thing we all can do to make their lives harder is to ensure we have strong passwords that are different for every website we use - from work email to social media platforms. There are some fantastic password manager tools out there that allow you to generate a random password for each site you visit without the need to write any passwords down - or worse, save them in an electronic file that can be hacked. These tools work across all devices, so users never need to remember their passwords and/or reset them frequently.
I hope you have enjoyed reading about my first few months at CaféX, our ISO 27001 initiative, and how seriously CaféX takes compliance and information security. My next article will be around GDPR and the steps CaféX is taking to implement that compliance program. Meanwhile, be sure to check out CaféX Spaces.