Don’t let the nightmare of security breaches keep you awake at night

Roly Walter
28th January 2020

Anyone who's spent any time with me at Appraisd knows that I am obsessed with getting a good night's sleep. And to me, that means obsessing about online security and getting it right. Seriously, the thought of having any kind of a problem or data breach is enough to keep me awake for days.

This is something any HR team, with huge amounts of confidential data at their fingertips, should be obsessed with too. With the rapid growth of HR tech, I'd encourage anyone involved in purchasing it to learn about internet security and what the standards mean so that they can make much better-informed buying decisions.

Years ago, I remember how easy it was to find websites that were vulnerable, for example to SQL injection. I shudder to think how many of those systems are still in production. A few years ago we were given an Innovate UK grant to undergo a third-party penetration test. It was a brilliant process to go through and, while we were really pleased with the results for Appraisd, we all learned a huge amount about what to look out for and our potential vulnerabilities.

We resolved that this should be a process we repeat at least annually. If you can get your junior developers involved too, it's a fantastic way for them to learn about internet security in action. I'm convinced they get as much from taking part as they would from any online training course.

In 2019 we gained internationally recognised ISO27001:2017 certification. The original penetration test has evolved to a far broader and more comprehensive approach to security than we could have imagined back in 2004 when we founded the company.

Achieving ISO27001 was not simple. While many of the security controls were already in place, and even given the aforementioned obsession from top management, there was still a lot to do to establish secure processes and embed a culture of security ownership and governance within the company. Between Phil (our Information Security Manager) and me, we waded through the standard and made it our own.

Here are some of the things we did differently to suit our own particular needs:

  • Our documentation is all in Markdown, making it easy to publish everything onto our intranet and avoiding folders and folders of Word docs.
  • We use Git as our version control system for our documentation, since it's familiar to most employees and far more reliable than a table stuck in a Word doc.
  • We use Azure DevOps tickets to track nonconformities and actions required.
  • We post the action log on Slack every Monday morning to keep everyone in the loop.
  • We try to involve as many different people in the audit process as possible and try to make audit plans that can be carried out by anyone.
  • We congratulate anyone who finds a security issue or a bug. We tell testers to never apologise about stopping a release because they've found an issue.

Our assessor described our approach as unusual, but could clearly see that it fulfilled our obligations and, perhaps most importantly, would be seen internally as a well-fitting and appropriate solution rather than a tedious burden. While bugs are inevitable and internet security will always be a constant concern, I now know I can sleep well at night knowing we have the ISO27001 seal of approval and a well-embedded process, system and culture behind it.

The fact I can sleep so well at night is also due to everyone at Appraisd embracing this process so wholeheartedly and discovering a latent interest in everything from how social engineering works through to the relative merits of TLS ciphers...! Online security concerns everyone, so it's imperative to find a way to get all your team on board.