We are a member of the British Computer Society (BCS), The Chartered Institute for IT (Information Technology) and uphold the BCS Code of Conduct. This sets out important standards governing a member’s actions in relation to public interest, competence, integrity and professional responsibilities. We continue to improve our alignment with, and measure our performance against, the USA National Institute of Standards and Technology (NIST) Cyber Security Framework.
Our IT Governance Structure
The governance of our information security is overseen by our Board, but policy actions are the responsibility of our IT Steering group. The group reviews our information security strategy and objectives. It also agrees on standards and develops any information security related capital programs. They provide a quarterly written report and an annual presentation to the Board.
Reporting into the IT steering group is our IT leadership team, which is responsible for proposing strategy and implementing information security systems alongside managing training and security standards.
Our Legal Compliance team also provides important input and insight into the IT steering group. They review our global information security policies and procedures to confirm they are aligned with international data protection requirements.
Managing Information Securely in 2023
23 Cyber Security Training Courses
to over two thousand users
3,010 Phishing Tests
where any user caught by the phish test is enrolled into additional phishing training.
Digital Transformation
- Cyber Security
- Information Security Training
- Audit and Risk Assessment
Cyber security is a subset of our wider information security practices. It focuses on defending our IT systems and electronic information. New threats and vulnerabilities materialize daily, and maintenance of cyber security continues to be a challenge for all businesses globally. It is vital for organizations to combat these threats by creating a risk-aware culture and by ensuring that we have appropriate protections in place to manage cyber risks regarding identity, applications, data, and devices. We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure.
Our IT management team, in liaison with internal and external stakeholders, monitors best practice and ensures our solutions comply with the relevant legislative and regulatory standards on cyber security. This team is responsible for increasing awareness and developing our security training.
Cyber Security Management Policy
In 2023, we updated our global policies to reflect the cyber threats we face daily. As a business our performance in managing these risks continues to improve. We have rolled out better mail security policies and defensive access management technologies. Our 24/7 Security Operations Center has been expanded to deliver these enhancements. We also plan to incorporate new SEC cyber security incident reporting rules into our workflow.
With regards to Artificial Intelligence, we are taking a pragmatic approach as the debate surrounding technologies like ChatGPT and Copilot develops. Intellectual property protection is central to the long-term success of our business, so we have currently locked down access to online AI technologies pending more detailed investigations into potential use cases.
We issue regular communications to raise awareness of how to stay safe online, protect against online fraudsters and prevent organized cyber-attacks on our business. Our employees, including Board members, are given regular, mandatory training on cyber security related topics via our “KnowBe4” global training platform.
The training covers a range of topics including access control, acceptable use and cyber security threats, such as phishing. Compliance is compulsory for all employees and tracked on an individual basis. In 2023, we ran 33 training and awareness campaigns for all employees and two phishing campaigns including 3,010 tests. We also formally issued and requested employee sign off for our Acceptable Use and Cyber Security Management policies.
Across our global IT team, we continue to embed a culture of information security best practice in all areas of IT service delivery. This approach is backed up by periodic training courses and discussions in IT’s global monthly meetings.
Audit and Risk Assessment
In 2023, we continued to develop our risk assessment process. Going forward we intend to assess our compliance with external standards such as TISAX and ISO 27001. Throughout the year we partnered with Panorays to deliver security assessments of key third party service providers that are critical to our day-to-day business and vendor sourcing decisions. Our own online presence with regards to security also received a very positive assessment from Panorays.