How do you know whether your business partners are handling your data securely? Can suppliers and customers be trusted not to provide a gateway to your most sensitive information for a cyber-criminal?
Questions like these have grown in importance for all corporates and financial institutions in recent years, with the range, scale and impact of cybersecurity risks increasing exponentially.
And concerns over data security have only accelerated in the time of Covid-19. Attacks on firms in the financial sector soared by 238%¹ globally between February and April 2020, with 80% of financial institutions reporting an increase in cyberattacks. When digital communication is the only way of exchanging information or ideas between counterparties, it must be protected at all costs.
There are many ways to minimise the risk of data security breaches: introduce tough controls; invest in the latest software; hire expert staff; or contract a specialist provider. But questions will always remain. Where are my biggest vulnerabilities? How do we keep up with emerging threats? How big a security budget is sufficient?
No amount of outlay is going to provide guaranteed protection. Throwing money at the problem is not the solution, especially if it is spent reactively, rather than as part of a plan. Expenditure is much more likely to be effective if it is informed by a risk-based and systematic approach.
SkySparc has always taken data security seriously. Our clients have trusted us to test, verify, transfer and integrate their most sensitive data for more than two decades. But even experts can improve, benefitting from different perspectives and approaches. With more client projects focused on digital transformation and Cloud migration, we felt it necessary to ‘audit’ our information security processes, to ensure we measure up against established best practice.
We decided to benchmark ourselves against the highest standard – ISO 27001 – which is designed to verify the quality and effectiveness of the information security management systems deployed by firms to protect the information assets they hold.
Securing ISO 27001 accreditation is no small undertaking. Firms need to systematically examine all threats, vulnerabilities and impacts relating to their information security risks in order to then design and implement a fully integrated and comprehensive framework, built on robust security controls and other risk management measures and methods.
The ultimate aim is to establish rigorous management processes within a system that ensures its controls and related measures meet information security needs now and in the future. A company-wide approach is essential, touching every aspect of a firm’s activities, covering client interfaces, internal processes and interactions with multiple third-party suppliers and partners.
Although accreditation did not radically alter SkySparc’s overall approach to information security, we drew a number of key lessons from the process. High among these was the importance of focusing most attention on the biggest risks.
By conducting a risk analysis to identify the most significant information security threats to our business, SkySparc is better able to allocate resources and attention proportionately, clarifying our priorities and strengthening our routines where necessary. Formalising and documenting our processes and policies has also helped to make our information security effort more structured and efficient.
Another key benefit of the ISO accreditation process is the greater awareness of information security risks and processes across all SkySparc employees. Inevitably, expertise varies across any organisation according to job function. But the exercise of achieving ISO accreditation involves all members of the team, both refreshing existing knowledge for experienced staff and educating for the first time those in roles less frequently exposed to information security risks. From ISO team selection to process documentation to formal training, many aspects of the accreditation process helped to better embed information security in our collective consciousness.
Today, information security is deeply rooted in every aspect of how SkySparc does business and particularly how it deals with its clients and handles their data. It is now a natural element of how we do business, present at every step of the way, from kick-off meetings with clients to project and solution design to final reports and assessments.
This is not a nice-to-have, but essential. Research company Cybersecurity Ventures recently estimated² that global cybercrime will cost US$10.5 trillion a year by 2025, rising from around US$6 trillion last year. The World Economic Forum’s 2022 ‘Global Risks Report’³ cited “growing digital dependency” as it listed cyberattacks as one of the biggest risks over the next decade, alongside climate change and more pandemics.
For this reason, our updated, more systematic approach is built for the long term. Accreditation is not a one-off event; it is the start of a journey. We will be audited every year to ensure SkySparc’s information security management system and underlying processes continue to strengthen, whilst being alert to new challenges.
In some respects, little has changed. We’ve always had clients’ interests at heart, and we’ve always taken security seriously. But as SkySparc embarks on its next chapter, extending its data and analytics offerings, it’s good to know security will never be taken for granted.
Rebecca Ericsson Birck, Chief Financial Officer, SkySparc