The current landscape
In today’s digital world, where data is more ubiquitous, valuable, and sensitive than ever before, information security is of critical importance to individuals and organisations of all types. In response to a growing number of leaks and hacks, along with increasing scrutiny from individuals about how organisations use their data, governments and regulators the world over have responded with new laws and regulations to ensure all information is protected throughout its life cycle.
Despite the recent uptick in awareness of information security, people are often surprised to find out that many industries, particularly financial services, have been self-regulating and implementing controls above and beyond the legal minimums for years. This behaviour recognises the fact that, regardless of applicable law and regulation, there are usually other serious consequences for organisations that fail to protect information, such as negative publicity, financial loss, and loss of competitive advantage. In addition, these incidents often lead to increased scrutiny from regulators and lawmakers of the type which precipitated the introduction of GDPR, for example.
The rise of standards and their limitations
As organisations have sought to implement programmes to reduce the risk of information security incidents, they have naturally coalesced into industry bodies and collaborated with NGOs to develop and share best practices. Over time, this collaboration has resulted in a range of standards and certifications which help organisations assure clients that their information is secure.
Among the most widely recognised programmes of information security assurance are the international standard for Information Security Management, ISO/IEC 27001, and the AICPA’s System and Organization Controls (SOC) for Service Organizations (SOC 1/2/3). Both initiatives aim to tackle many of the same problems, but with differing levels of specificity, prescriptiveness, and freedom for the organisation to limit the scope of applicability.
In practice, therefore, when selecting a partner organisation it is important to ensure not just that they are certified or audited against the appropriate standards, but also that the scope of that exercise matches the services provided.
Demica operates with security at our heart
To help assure our clients and partners that we take information security seriously, and that we can be trusted with some of our clients’ most sensitive data, Demica has developed and implemented a comprehensive Information Security Management System aligned with the ISO/IEC 27001 and SOC 2 standards. Our management system is embedded throughout the business in everything that we do, from employee onboarding and offboarding, to software development and testing. All teams and departments adhere to the same controls framework, and all services that we provide are within the scope of audit. In recognition of this commitment to information security, Demica has gained and maintained ISO/IEC 27001 certification since 2011 and produced annual SOC 2 reports since 2013.
If you are an existing or potential client, we would be happy to discuss sharing the outputs of these audits with you to help you understand how we protect your information.
Of course, another constant in the modern world is that of change. The internet never stands still, and bad actors are always hunting for new ways to profit from, disrupt, or just create mischief with information held by organisations of all types. That is why Demica remains fully committed to continuously improving our security posture.
Our continuous monitoring of the security landscape has highlighted that one of the most common, but least publicised, causes of data breaches is human error. In fact, a 2021 survey by Egress reported that a staggering 84% of IT leaders had experienced a serious data breach as a result of human error in the preceding 12 months. In the same survey, 64% of respondents identified email as the riskiest area of their IT organisation for data breaches.
In recognition of these facts and as part of our programme of continuous improvement, Demica has partnered with Zivver to roll out their secure digital communications platform to all employees during 2022.
Zivver’s suite of tools will work in the background to ensure that all emails sent by Demica staff are analysed for security risks and automatically encrypted if sensitive information is being shared. If an encrypted email is required, Zivver will prompt the sender to set up two-factor authentication with the recipients, who can then securely log in to Zivver’s portal to read the email. Using Zivver’s capabilities, Demica will build on our existing suite of operational and technical controls to proactively detect and prevent information leaks via email, significantly reducing the risk to the business and our clients.
If you are an existing client, you will soon start to receive Demica-branded email notifications from our Zivver instance when our staff want to communicate securely with you. Zivver was chosen for its simplicity and intuitiveness, but if you require any help in handling these new notifications please speak to your key contact at Demica.
Freddie joined Demica in 2016 from funds network Calastone, where he was previously Operations Director. With 9 years of experience in customer service and technology operations, Freddie is responsible for delivering global support to Demica’s clients and ensuring the availability and resilience of Demica’s platform.