Organisations often make spurious claims like "We take your security seriously" or "Your data is safe with us" but is this really true?
Here at Eden we've been building apps, portals, websites, APIs and all sorts of integrated technology since 2008 and there's one thing that binds everything we do - data, often Personally Identifiable Information (PII).
We wanted our clients to know how serious we were about ratifying these statements for them and their customers and so we applied for ISO 27001 accreditation.
What would a breach cost your organisation?
Before we tell you about our news, let's talk about data breaches and what poor security decisions could mean for your business.
The global average cost of a data breach in 2020 was a staggering $3.86m (around £2.83m sterling) according to IBM, or $150 per record of customer PII. Basic maths using that per-record figure shows how quickly the costs mount up:
- 1,000 customers - £11k
- 10,000 customers - £110k
- 100,000 customers - £1.1m
In reality, however, this hasn't played out the same way in Europe, where fines are usually higher due to the more stringent, security-focused regulation introduced with GDPR.
In July 2019 the ICO announced its intention to issue a 204.6 million Euro fine to British Airways, which would have been the biggest fine ever set in the UK for a single incident. The incident, in 2018, saw the British Airways website divert users to a hacker website, which managed to collect the personal data of approximately 429,612 people, including names, addresses and payment card numbers, the CVV numbers of 244,000 British Airways customers, and 612 usernames, passwords and PINs of Executive Club accounts.
The intended fine was eventually commuted down to £20 million due to the impact of Covid-19 on the aviation industry, meaning a fine of around £81 per person affected, down from the intended £750 per person affected.
Could your business survive an ICO fine of £80 per customer? Let's look at those numbers again:
- 1,000 customers - £80k
- 10,000 customers - £800k
- 100,000 customers - £8m
- 1m customers - £80m
It’s not just the cost of fines though. The damage to your business reputation and the trust that your customers have in you may be irreversible and so taking security seriously is the only option.
The ISO 27001 International Standard for Information Security
The International Organisation for Standardisation (ISO) is universally recognised as the standards body for a wide range of commercial standards. Attaining ISO accreditation is proof, second to none, of whatever claim you are making, and when the claim is that you take security seriously, the accreditation you need to back it up is ISO 27001.
To achieve ISO 27001 certification, an organisation must assess all security risks associated with the information it controls or processes and the systems used to do so. Any risk identified must be mitigated with controls. It's a complete analysis of the way a business operates, leaving no stone unturned.
It’s a massive undertaking for a business of any size as it means changes and scrutiny of every facet of your operation, demonstrable leadership commitment, employee training and changes to all procedures & policies.
Eden and ISO 27001
We've always considered security as part of our systems architecture and development strategies, but it's often a set of satellite tasks: things to do while the development is going on, and actions to complete, test and remedy at the end of a project. At most companies, security is never given the same credence as the features, deliverables or the shiny new user experience in the new mobile app.
We wanted to change that and so we started our ISO certification path in December 2019. It’s taken a full year but we’ve just been successfully internally audited and we’ve two more audits before we should achieve our ISO 27001 accreditation in March 2021.
So far it's meant a lot of changes. Andy, our MD, and Adam in our projects team have navigated the team through the changes, and collectively we've put in hundreds of hours of work to put information security at the forefront of everything we do. We've changed our project structure, we've trained the whole team and we've bolted down and secured every system and procedure we have.
This means that we and our clients can say with confidence that “we take your security seriously” and what’s more we can prove it.
What does it mean for you?
In short, it means that your data and your clients' data are secure, but it also gives you a whole load more value when choosing Eden as your partner for your digital services and products.
Due to the nature of our clients, we're often asked to complete vendor questionnaires, which inevitably include security assessment questionnaires.
We've already assessed, scrutinised and adapted every procedure at Eden, so we know with confidence that we're the perfect partner for your UX, digital transformation, app and web requirements. We can prove it with a robust ISMS (Information Security Management System), and we have all the evidence to back it up. It means that if you choose Eden as your digital partner, you can be safe in the knowledge that we will flourish under the microscope of your infosec team.
It also means that we’ll be constantly thinking about your information security when building amazing digital solutions for you because it’s baked into the fabric of our ways of working. Whatever we build together, whether it be a new mobile app, an AI-powered kiosk, or a new suite of microservices to replace your monolith, you can say with confidence that we’ve assessed, considered and mitigated all of the risks to your business.
By choosing Eden to develop your solutions you’re demonstrating to your customers and partners that you take your responsibilities seriously and that you work according to best practices.
As well as building your solutions with best security practices we’ll also include a strategy for monitoring these solutions, and help your team with awareness and processes for handling incidents in systems that we build for you. We’ll take the necessary precautions and we’ll provide you with the evidence and documentation you need to maintain and continually improve your digital offerings.
Alongside outstanding security measures, minimal downtime is delivered as a bonus. Our commitment to ISO 27001 goes well beyond most Service Level Agreements and so working with us will ultimately save you money.
Finally, with enhanced systems, architecture and processes come improved products and service offerings. We pride ourselves on modern microservice powered systems and so when working with Eden, your new products & services can be added to your portfolio quickly, seamlessly and most of all securely.
What ISO accreditation means for Eden
For us, this has been a mission to make our services better but it’s not entirely philanthropic. We realise that having this certification gives us a unique edge over many of our competitors and it means winning more business.
What we didn’t realise when we started this whole undertaking is that the value isn’t in the accreditation, it’s in the journey that we’ve been on to reach it.
We’ve improved everything about our business. Potential risks and issues in any new digital product are highlighted early, our project management processes have improved and been refined and although certification is an expensive process, our profitability has increased.
By working towards certifiable trust with our partners and their customers, we've built even more trust in ourselves. We've committed ourselves to a journey that has fundamentally changed our culture, and it's not one which is averse to risk; it's one which understands risk and controls it with best-in-class practice and continuous improvement.
Our period of self-reflection has meant we’ve trimmed off the rough edges of our business, streamlined our processes and improved the things that we were already great at.
By making our operations more secure, we’ve made everything run better and we will do the same for your products and services.