In 2021/2, more than 80% of UK organisations experienced a cyber-attack and 73% were affected by a ransomware attack. It just shows - not a single company can afford to be complacent on this matter.
This is a matter that I’d advise any HR team, with huge amounts of confidential data at their fingertips, to take extremely seriously and get acquainted with the threats. With the rapid growth of HR tech, I'd encourage anyone involved in purchasing it to learn about online security, what precautions are prudent to take and understand what standards any platform should meet to guarantee the highest levels of protection.
Some years ago, Appraisd was given an Innovate UK grant to undergo a third-party penetration test. It was a brilliant process to go through and while we were really pleased with the results, the whole team, not just the developers, learned a huge amount about what to look out for and potential vulnerabilities.
We resolved that this should be a process we repeat at least annually. Getting the whole development team involved, especially junior members, is a fantastic way for them to learn about cybersecurity and the threats that exist in a real-life working environment. I’m convinced they get as much from taking part as any online training course could offer.
Following on from this experience, we first gained internationally recognised ISO27001 certification for Information Security Management in 2019. Our Tech Lead, Phil Durrant, took the learnings from that original penetration test and developed a far broader and more comprehensive framework to secure this standard, which provides clients with the crucial reassurance that we take the management of their data seriously.
Since then, Phil has owned this process, honing and refining it as the company grows and new threats appear. Like performance management, this is not a “once and done” process. It is vital to remain vigilant, reminding the team about the potential dangers and their own responsibilities.
Since adopting hybrid working, a new internal Slack channel has been created dedicated to cybersecurity, where everyone can highlight concerns, share stories of breaches suffered by others and highlight best practice. Employees are required to complete online security training annually, without exception. This all helps to embed a culture of security awareness within Appraisd and ensure the standard is followed and upheld, becoming a living, breathing part of everyday work. We’ve also developed our own internal advanced security tests for our Customer Success team that must be passed annually in order to maintain superuser access. I take pleasure in deriving fiendish questions that identify any gaps in knowledge that can be remedied.
We are delighted that we successfully retained our ISO27001 certification following our recent audit. Phil and the team have really embraced the standard and made it their own, adapting it to suit our needs and culture.
One of the elements that is key is involving as many different people in the audit process as possible. This way, everyone in the business, no matter their job role, can work on the standard and understand why it is so important. This also means that the audit plans are owned by the business and can be carried out by anyone, not just Phil.
We also encourage the team to look out for security issues or bugs. It is much better that we spot any problems before they negatively impact our clients. We tell testers never to apologise for stopping a release because they've found an issue; it is their role to be that additional layer of protection.
Our assessor congratulated us on developing a tailored approach that fits our organisation. They could clearly see that it fulfilled our obligations and, perhaps most importantly, is seen internally as a well-fitting and appropriate solution that people understand and appreciate rather than a tedious burden.
While bugs are inevitable in any tech platform and cybersecurity will always be a constant concern, I’m confident that with the ISO27001 seal of approval and a well-embedded process, system and culture, we are doing all we can to minimise the risks for our clients and working to the highest possible security standards.
Cybersecurity concerns everyone, and at Appraisd everyone is committed to doing all we can to protect our clients.
Notes and tips
- I personally give each new employee an introduction to our security practices on their first day to cement the importance of security. Job applicants are made aware of our security screening process from the very beginning.
- We’ve introduced tools like Snyk and SonarCloud which scan every line of code for vulnerabilities before it even gets sent for peer review.
- I’ve devised, and periodically update, a fiendish superuser questionnaire for our CS team and others who have access to customer data. Succeeding in this test is a rite of passage and a mark of achievement at Appraisd.
- Our #infosecurity Slack channel is used to share horror stories from the news to keep everyone on their toes. We also post pictures of phishing emails we’ve received to spread awareness, and any employee can use this channel to quickly get advice from the security team on something they’re not sure about.
- We use single sign-on for everything and encourage all our clients to do the same for their access to Appraisd. Where we can’t use SSO, we use LastPass Enterprise not only to store passwords, but to enforce our password policy and to flag up employees who need to improve their security score.
- Our insurance provider gives us some great infosecurity e-learning modules as part of our cyber insurance policy.
- We try to keep our systems and processes simple and unambiguous. Complexity leads to mistakes so we try to reduce this.
- Where possible, we also help our clients and suppliers understand information security too. We ensure our user interface makes it really hard to make a serious mistake.