Taking Information Security Seriously
In the past five years alone, security breaches have increased by 67 per cent – according to an Accenture global survey. 47 per cent of cyber-attacks are targeted at SMEs. The cyber insurance market is growing rapidly to support policyholders at a time when COVID-19 is forcing businesses to re-assess their business continuity plans, resilience and, indeed, their sustainability.
The cyber insurance market is now growing fast. Business Wire reports that the Global Cyber Insurance Market size is expected to reach $21.4 billion by 2025, rising at a market growth of 27.2% CAGR during the forecast period. The number of companies, both large and small, opting to invest seriously in cyber security services has grown significantly over the past few years.
Regulators need to be reassured that insurance companies are taking the threat of data breaches seriously. That – particularly in the wake of the General Data Protection Regulation – is serious enough for insurers, which need to meet stringent capital solvency requirements. Just as important for insurers, however, is the other GDPR – General Data Protection Reputation! Imagine the reputational impact on an insurer – which purports to provide cyber services to policyholders – if it can’t protect itself against information security breaches.
Information security really took off in 2015/2016 and has continued to receive attention since. It first came to light with stories emerging of Facebook leaks, Myspace, Uber and Three customer account breaches, company laptops going missing and myriad other information security breaches. Without naming names, insurance companies have already been breached on numerous occasions and will continue to be targeted in 2020. This is the new reality of our times. So what simple steps can carriers and insurance claims services providers like DOCOsoft take to mitigate the InfoSec threat?
If you have easy access to places you shouldn’t have access to, for example network shares or SharePoint sites, then your company probably has far more serious vulnerabilities that an unscrupulous person could take advantage of, causing huge issues. The best way for a company to know if its own information security is fit for purpose is to follow a reputable international standard. Better yet, get certified.
Information security is, unfortunately, growing into a much more complex, enterprise-wide issue that needs investment in people, systems and standards. To be precise, ISO Standards.
ISO stands for International Standards Organisation. DOCOsoft achieved ISO20017 accreditation last year! There were two phases in this process. We completed our phase one audit in June 2019, when Certification Europe investigated our Dublin office; this involved ensuring that all our documentation within the company met the ISO Standards. Phase two took place in September. This consisted of a second audit in which they ensured we had evidence or proof of everything we had stated in our ISO documentation. The evidence must have existed before this audit and must prove that we have been doing what we are supposed to. Examples include locking our machines when leaving our desks, using strong passwords, encrypting databases and having measures in place that ensure we think about security when undertaking projects – all of this had to be evidence based. We were therefore delighted to be presented with an ISO20017 certificate in October last year.
While the push for ISO came internally, this was something we needed to get for the sake of our clients, both current and potential. Without an ISO certificate, DOCOsoft could receive a questionnaire with 1,500 questions from almost any potential client. Looking at these questions now, one can see that most, if not all, of them have come from these standards. It will be nice not to have to fill in the 1,500 questions now that we have been awarded our ISO20017.
Information security affects everybody. For DOCOsoft to be compliant with information security standards, every member of our team must play their role, whether it’s a case of locking your screen, refraining from leaving your laptop unattended in your car or ensuring your laptop is encrypted.
Our information is split into different categories: highly confidential, confidential, internal and public. Highly confidential information includes the likes of payroll information, employee records etc. If any of this information went missing, we would most likely have to report a GDPR breach, which would be very serious. Confidential information includes client information, our own IP etc. We have a process in place for a breach in this case. We have also implemented disaster recovery.
Information security is crucially important. Luckily, DOCOsoft as a company invested in information security – so when a virus that crippled the NHS was reported, DOCOsoft had nothing to worry about! Now a new real-world virus is causing different problems for the NHS, and many cyber criminals see this as an ideal opportunity to get past companies’ defences, which means that a robust approach to information security has probably never been more important.