Data security – not just for the IT geeks

By Shiona Davies

We are delighted to be one of a handful of market research agencies to hold both ISO 20252 (the quality standard for market research) and ISO 27001 (the standard for information security management). Following our successful ISO 27001 certification in October, what are the lessons we learned along the way?

Data security processes and policies help stop the really bad things happening

Many of the controls we have in place happen behind the scenes, like firewalls. But in practice, the most likely breach is someone doing something they shouldn't (as Hillary Clinton has found to her cost), not a technical failure. So by training people and telling them about our policies and procedures, they are much less likely to do something daft or damaging.

We used a variety of ways to communicate: from formal training and 'policy of the week' emails, to cartoons in the kitchen which gave examples of good and bad behaviour. It can be a challenge to find the humour in data security, but it doesn't all have to be dour rules and regulation.

Most is common sense, but you have to prove it is being done

We are all creatures of habit, and some of those habits can leave the organisation open to data breaches. So, once you've agreed your policies and told staff about them, you need to check (and check again) that staff are actually doing what they are supposed to, and keep evidence that they are.

We learned early on in the auditing process not to simply ask staff what they would do in a hypothetical situation, but to ask them to do it there and then. That way you discover who really knows their password for the back-up email service!

You catch more flies with honey than vinegar

Encouraging staff to 'fess up' and helping them change their behaviour, rather than throwing the book at them, meant that staff were more willing to talk to us when things did go wrong. Obviously, if they keep getting it wrong, book throwing remains an option...

Data security and business continuity issues can arise in the most bizarre circumstances…

Despite all the business continuity planning, we couldn't foresee that the radiator valve in the server room would jam, leaving the heating on full blast. The air conditioning unit couldn't cope and failed, swiftly followed by the servers, which got too hot and shut themselves down. Still, we got to practise our emergency response (and it worked), moving our portable air con units into the server room and wafting in cooler air.

Getting ready for ISO 27001 has been no small undertaking, but it's been much more than a box-ticking exercise. Whilst we already had many of the processes we needed in place, we now work smarter and are better at spotting potential problems before they occur.