The digital transformation of our world is helping us make better and more timely decisions, while also giving us the tools to work more efficiently across all areas of our business. Our global team recognizes the value of information and the importance of maintaining high standards of security to avoid loss or corruption of data.
- Information Security Governance Structure
Organization and Responsibilities
We are a member of BCS, The Chartered Institute for IT (the British Computer Society), and uphold the BCS Code of Conduct, which sets out standards governing a member’s actions in relation to the public interest, competence, integrity and professional responsibilities.
The governance of our information security is overseen by our Board, but policy actions are the responsibility of our IT Steering Group. The Group reviews our information security strategy, objectives and key performance indicators. It also agrees on standards and processes and develops any information security related capital programs.
Reporting into the IT Steering Group is our IT Function team, which is responsible for proposing strategy and implementing information security systems alongside managing training and security standards. The team also oversees our information security incident management process.
Our legal compliance team also reports into the IT Steering Group. They review our global information security policies and procedures to confirm they are aligned with international data protection requirements.
- Cyber Security
Cyber security is a subset of our wider information security practices. It focuses on defending our IT systems and electronic information. New threats and vulnerabilities materialize daily, and maintaining cyber security continues to be a challenge for all businesses globally. To ensure sustainability, it is vital for organizations to combat these threats by creating a risk-aware culture and protecting themselves from cyber risks. We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure. In 2020, we launched our new cyber security strategy, which continues to mature as we further align ourselves with the NIST (National Institute of Standards and Technology) Cybersecurity Framework and its five functions (Identify, Protect, Detect, Respond, Recover). In 2022, we implemented a new global Cyber Security Management Policy that now underpins all our activities. As part of that new policy framework, we have adopted the Microsoft Defender platform as our Endpoint Detection and Response solution and vulnerability reporting platform. We will continue to explore the capabilities of this ever-expanding security service from Microsoft.
We first engaged NCC Group in 2019 to conduct an independent assessment of our cyber security maturity and risk against the 108 control areas specified in the framework. There are five levels of maturity: 1. ‘Non-Existent’, 2. ‘Repeatable but intuitive’, 3. ‘Defined’, 4. ‘Managed and Measurable’ and 5. ‘Optimized’. Following our first assessment in 2019, we set a target to reach level 3, ‘Defined’, maturity. Since then, we have significantly improved our Endpoint Detection and Response capabilities across the group and are focused on continuing to embed IT security at the heart of all day-to-day and project activities.
Our latest independent third-party assessment, undertaken in late 2022 by NCC Group, reported that our cyber security maturity had increased further within the ‘Defined’ level, rising from a score of 3.0 in 2021 to 3.3, a result that compares well against our industry peers.
Our IT management team, in liaison with internal and external stakeholders, monitors best practice and ensures our solutions comply with the relevant legislative and regulatory standards on cyber security. This team is responsible for increasing awareness and developing our security training.
- Information Security Training
Regular communications are issued to raise awareness of key issues covering areas such as how to stay safe online, how to protect against online fraudsters and prevent organized cyber-attacks on our businesses. These communications are backed up by an extensive program of cyber security and phishing training courses through our “KnowBe4” global training platform.
The KnowBe4 platform provides regular, mandatory, internal training for all employees based around quarterly campaigns. The campaigns cover a range of information security topics including access control, acceptable use and cyber security threats, such as phishing. Completion is compulsory for all employees and is tracked on an individual basis. Across our global IT team, we continue to embed a culture of information security best practice in all areas of IT service delivery. This approach is backed up by periodic training courses and discussions in IT’s global monthly meetings. IT security is important to Innospec, and we are pleased to report that we are not aware of having had any reportable IT security breaches for over three years.
In 2022, we ran 9 training and awareness campaigns. 1,602 employees completed our Cyber Security Awareness Training module, 1,768 employees completed our Global Cyber Security Policy training and 1,767 employees completed our Christmas Phishing Attack Awareness module.
Internal phishing tests were also sent out to see how alert we are to attempts to gather sensitive information through fake emails. Two phishing campaigns were completed in 2022.
- Audit and Risk Assessment
Our risk assessment work has continued to gather pace, aligned to our newly restructured IT risk register and Cyber Security Management Policy. Checks are performed on a periodic basis to validate the security of the applications and services we have in place to keep information secure. The results are presented to the IT Steering Group and, when required, to the Board. These checks include:
- Staff information security assessments
- Penetration tests
- Vulnerability scans
- Independent external security reviews and audits
- Customer cyber security reviews