Keeping a secure workplace environment

Security, ISO 27001 and keeping your organisation secure

I recently interviewed our operations manager Sam Loving about the importance of security in the workplace. We discussed how and why we take security so seriously here at Invotra and also how following security guidelines can benefit other companies.

What exactly is security?

A good definition of security is the protection of an organsation, data, building or a person. At Invotra, we follow secure processes and procedures to keep our information and assets safe. We follow a vast array of security checks which comply with international best practice standards, and were recently audited as part of our ISO 27001:2013 accrediation.

What is ISO 27001:2013?

ISO 27001 is a specification for an information security management system (ISMS). ISO standards give world class specifications for products, services and systems, to ensure quality, safety and efficiency.

What does Invotra passing the ISO audit mean?

Passing the ISO proves that Invotra as a company is trusted with all the data we have stored. This was the first surveillance check we had since we were achieved our ISO 27001:2013 certification, which means our auditors are checking to make sure we’re continuing to follow the secure processes we say we do.

I’ve heard about security clearance – what does that mean?

Security clearance is commonly used  in industry and government. Many jobs in information technology require security clearance for access to specific information which is said to be classified.

SC (Security Check) clearance  is an authorisation that allows access to information that would otherwise be forbidden.  SC can be issued for individuals or for groups.

At Invotra, a number of our employees are SC cleared, which means that they are able to access privileged information.

All of our employees go through BPSS screening.

Why is security so important to Invotra?

Security is critical for any organisation and it is vital to Invotra – for us and our clients. We work with over 45% of UK Government and our customers rely on us to provide a secure intranet service.

Our customers need to know they can trust us to look after their data. While every organisation has a duty to take care of the data it has access to, due to the nature of our clients we deal with sensitive data on a daily basis.

What other advantages does security provide?

Being secure saves us time – we’ve ended up with an improved operational procedure which assists in a smoother workflow.

Being security focused helps to improve staff awareness within the office environment and out, which massively reduces the risk of information or assets being compromised.

Ultimately being security-focused reduces the risk of loss of data, information and ultimately, our reputation.

Are there any disadvantages?

The time invested into the security measures to make sure we’re doing things the right way can take time to set up in the short term, but in the long term puts us in a much stronger position.

There are some situations where processes may take a little longer to ensure security is taken care of, but again, it’s worth it to ensure the integrity of our product and service.

Have you got any top tips you would be able to share with readers of this blog?

Sure – let’s work through some best security practices that could work in many companies…

Six Steps for Better Security In Your Organisation

1. Remember your people can be your biggest asset and security risk! 

Encourage all of your employees to:

• • • • Challenge any visitors you don’t recognise
      • Escort visitors around the building
      • Make sure all doors are locked behind you
      • Keep key cards visible while at work (but safely stored when they’re not in the office)
      • Be vigilant with ‘phishing’ and other email scams – if something does go wrong, make sure to report it straight away!
      • Make sure all PCs are locked when away from the desk.

2. Use a password manager

• • • • Using a password manager is the easiest way to keep your private information safe online. There are many benefits to this; using a different password for every login means you can reduce the risk of being hacked. You will only have to remember one master password which will log you into the password manager.

3. Backup your data (and work with suppliers that do the same!)

• • • • Maintaining regular backups of all of your data is key to a secure environment; It prevents loss of information if any files/websites become corrupt or compromised (and of course it helps with disaster recovery (DR) too). Before we complete any work, we take back-ups of data, and we and our hosting providers make nightly back-ups to ensure we don’t lose any important information.

4. Audit your activities

• • • • With Invotra recently passing the ISO Audit I thought it would be great to throw this tip in.  Following an existing structure/standard for example ISO helps put you on the right path for the things you should be doing. Whether you carry out regular internal checks or employ an outside organisation to audit your processes, you can feel confident that your security procedures are robust.
      • Other tests such as penetration testing (aka pen tests) help make you aware of any vulnerabilities, both in your software and your physical security procedures, which may not otherwise be very visible or obvious. This may be the practice of trying to gather any data by hacking into your own computers, systems or networks to prevent attackers from exploiting it. Or it could be as simple as asking a ‘mystery shopper’ to try and access sensitive information.

5. Gamification to make security a competitive activity

• • • • Gamification (that is, using parts of a game in other activities, like competition and points scoring) can be used to help carry out standard security checks in a fun and competitive way. A system we use at Invotra results in employees washing up the dirty plates when their computer is not locked and left unattended.

• • • • It brings a sense of competition to everyone in the office – to prevent themselves from being  ‘named and shamed’ on our Message Wall. Security is very important and we do take it seriously, but as demonstrated with a gamification process it can also be fun! It encourages employees to be more security aware and is a fun and creative way to keep employees aware of the security checks which need to be an everyday essential inside the office.

6. Keep software up to date with security updates

• • • • It sounds like an obvious one but keeping up to date with software security updates is not always a priority for some – many companies have an automated update process, but particularly where users have control of their own devices it’s vital to make sure everyone is applying the latest updates to their machines.  Upgrading your software will always improve the security with new features, and keeps the computers working, plus it’s (usually!) free!

I’d like to say thank you to Sam and everyone at Invotra who’s helped contribute to my this blog, which has helped increase my security knowledge and I hope it will be helpful for others!