Information Security

We make extensive use of the latest information technology tools to manage our business effectively. Our global team recognizes the value of maintaining high standards of security to avoid loss or corruption of data is critical.

We are a member of the British Computer Society (BCS), The Chartered Institute for IT (Information Technology) and uphold the BCS Code of Conduct. This sets out important standards governing a member’s actions in relation to public interest, competence, integrity and professional responsibilities. We continue to improve our alignment with, and measure our performance against, the USA National Institute of Standards and Technology (NIST) Cyber Security Framework.

Our IT Governance Structure

The governance of our information security is overseen by our Board, but policy actions are the responsibility of our IT Steering group. The group reviews our information security strategy and objectives. It also agrees on standards and develops any information security related capital programs. They provide a quarterly written report and an annual presentation to the Board.

Reporting into the IT steering group is our IT leadership team, which is responsible for proposing strategy and implementing information security systems alongside managing training and security standards.

Our Legal Compliance team also provides important input and insight into the IT steering group. They review our global information security policies and procedures to confirm they are aligned with international data protection requirements.

Managing Information Securely in 2023

23 Cyber Security Training Courses

to over two thousand users

3,010 Phishing Tests

where any user caught by the phish test is enrolled into additional phishing training.

Digital Transformation

We make extensive use of the latest information technology tools. Work on our Optimus program, launched in 2022, progressed well during 2023. When complete in 2026, it will bring all our enterprise resource planning (ERP), customer relationship management (CRM), planning, analytics and governance risk and compliance (GRC) capabilities, into one ecosystem for the first time. This will simplify our end-to-end business processes and improve our reporting capabilities across all our business operations. Responsibility for delivering this global, complex and transformational program is a 100-strong Optimus team. This comprises employees from across our business and colleagues from NTT Data Business Solutions.
  • Cyber Security
  • Information Security Training
  • Audit and Risk Assessment

Cyber security is a subset of our wider information security practices. It focuses on defending our IT systems and electronic information. New threats and vulnerabilities materialize daily, and maintenance of cyber security continues to be a challenge for all businesses globally. It is vital for organizations to combat these threats by creating a risk-aware culture and by ensuring that we have appropriate protections in place to manage cyber risks regarding identity, applications, data, and devices. We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure.

Our IT management team, in liaison with internal and external stakeholders, monitors best practice and ensures our solutions comply with the relevant legislative and regulatory standards on cyber security. This team is responsible for increasing awareness and developing our security training.

Cyber Security Management Policy

In 2023, we updated our global policies to reflect the cyber threats we face daily. As a business our performance in managing these risks continues to improve. We have rolled out better mail security policies and defensive access management technologies. Our 24/7 Security Operations Center has been expanded to deliver these enhancements. We also plan to incorporate new SEC cyber security incident reporting rules into our workflow.

With regards to Artificial Intelligence, we are taking a pragmatic approach as the debate surrounding technologies like ChatGPT and Copilot develops. Intellectual property protection is central to the long-term success of our business, so we have currently locked down access to online AI technologies pending more detailed investigations into potential use cases.

Cyber security in the workplace is everyone’s responsibility.

We issue regular communications to raise awareness of how to stay safe online, protect against online fraudsters and prevent organized cyber-attacks on our business. Our employees, including Board members, are given regular, mandatory training on cyber security related topics via our “KnowBe4” global training platform.

The training covers a range of topics including access control, acceptable use and cyber security threats, such as phishing. Compliance is compulsory for all employees and tracked on an individual basis. In 2023, we ran 33 training and awareness campaigns for all employees and two phishing campaigns including 3,010 tests. We also formally issued and requested employee sign off for our Acceptable Use and Cyber Security Management policies.

Across our global IT team, we continue to embed a culture of information security best practice in all areas of IT service delivery. This approach is backed up by periodic training courses and discussions in IT’s global monthly meetings.

Audit and Risk Assessment

In 2023, we continued to develop our risk assessment process. Going forward we intend to assess our compliance with external standards such as TISAX and ISO 27001. Throughout the year we partnered with Panorays to deliver security assessments of key third party service providers that are critical to our day-to-day business and vendor sourcing decisions. Our own online presence with regards to security also received a very positive assessment from Panorays.