Viruses. Phishing scams. Data breaches in the corporate world are skyrocketing. Now more than ever, your security must evolve.
Because Babelway’s core business involves sensitive and/or personal data, security has been enormously important since Day 1. Even from those early startup days, the founders of Babelway recognized crafting a coherent, ever-improving security policy would be central to the company’s success. The company has been able to meet the most stringent security requirements of large corporations for more than a decade.
Recently, long-time Babelway CTO Mathieu Pasture sat down to discuss his thoughts on security after intense weeks of contractor-led penetration testing and an ISO 27001 audit. Mathieu has been the driving force behind Babelway’s security policies, including the development of the company’s Information Security Management System (ISMS).
Q: Let’s talk about the ISMS. What is it, and what sort of value can it provide an organization?
MP: According to Wikipedia, the ISMS “refers to a set of policies addressing information security management.” In terms of value, security is very important, not just for company credibility, but also for operational excellence. As a byproduct of establishing an Information Security Management System, you have to improve your operational behavior. And that leads to improving the way your company functions.
Q: Can you give an example of how improving security can enhance operational excellence?
MP: When we talk about security, we also often bring up business continuity. The two go hand-in-hand. For instance, the very first thing you need to do when improving security is to know what the risks for your business are. And to identify those risks, you have to determine what is valuable to you.
For instance, by being conscious about internal and external risks, you will likely start making process improvements—for example, by using segregation of duties. With this segregation of duties, you will also want to make sure that when your team is doing production work, it has the proper mindset and training to do it. You diminish incidents because people know and adopt the proper behavior. And if one does occur, you reduce impact to the whole system because everybody knows how to react and how to communicate the issue. This example clearly shows that measures taken to improve the company’s security and continuity also have a highly positive impact on the the operations.
Q: How can companies make employee behavior evolve in order to reduce risks related to security?
MP: It’s very important that we operate internally with very strict regulations or standards. Everybody in the company has to know what our ISMS and the ISO principles imply. Babelway has a broad yearly training on security. Every person working for Babelway is updated on the latest threats on the Internet, like the most recent phishing mechanisms. We also give a refresher on good security practices like safeguarding passwords, doing archive encryption, and watching out for social engineering.
Q: So, the ISMS contains all of these policies. Is it a way to provide a process for safe employee behavior?
MP: At first glance, the ISMS looks like a manual. As a manual, it helps define assets, risks, and after that the entire process to measure and continuously improve security procedures. Those are the ideas behind the whole security process.
My advice would be to see this system as a living thing that the company regularly uses. That’s why it’s not just a manual—it’s a system. We crafted one from scratch, so it really fits Babelway while at the same time complying with ISO and other standards.
Q: Why is it important that this system be a living thing?
MP: The company itself is always evolving, so the assets are changing. Something that was not that important before becomes important because you’re using it more or because there are new regulations …. In Europe, there’s a big new regulation called the General Data Protection Regulation that has new obligations we will have to comply with. So you constantly have to make room for new assets, new threats, and new obligations. That’s why we have to continuously adapt and improve our security process. In our case, growth also plays a role. What was once good for a start-up is not good for a larger company.
Q: Right. So that’s another reason the ISMS has changed over time … because of the organic growth of a company. What type of security threats worry you most?
MP: We face a lot of email attacks. Recently, an employee was the target of an email scam. She received an email supposedly from Babelway’s Managing Director saying that she should send a payment to England. That means someone knew about this employee’s relationship to the Managing Director.
Normally, one might think an employee with administrative responsibilities wouldn’t be the first person to train about security. On the contrary, I think it’s necessary. Because she knew and was aware of the threats, she asked another colleague directly, “Do you think this is real?” In this case, the answer was obvious and the threat was easily avoided, but these attacks can be serious and have lasting repercussions.
Q: Is there any other advice you think is important to share, either about the establishment of a security protocol or about security in general?
MP: A few years back you could be somewhat passive about security. If you set things up right, you could just keep it going. But times have changed. You have to spend time on your security, and you have to be strategic about it. The idea isn’t to restrict company growth or development, but it’s a fact of life that security is strongly considered in any action taken by Babelway.