In an increasingly digital world, the importance of managing risks related to cyber security cannot be overstated. As part of our commitment to transparency and accountability, we have taken a deep-dive into cyber security practices at Newable. Our conversation with Newable Chief Information Officer, Mashudul Karim, touched on a wide range of topics, from our overall cyber security strategy – and its alignment with our business objectives – to the tools and frameworks Newable uses for identifying and assessing risks.
What is our current cyber security strategy? How does it align with our overall business objectives?
Newable’s cyber security strategy is to protect the business from cyber threats through a combination of policies, controls, training, and testing. This serves our business by allowing us to use technology with confidence – to achieve our goals, innovate, and serve our clients, while maintaining a low-risk profile.
How are we identifying and assessing cyber security risks? What tools or frameworks are we using?
Newable’s Cyber Security Team (CST) identifies and assesses cyber security risks through regular reviews, security tests, investigations, performance monitoring and reporting, and external certification. Our approach is aligned both to the Cyber Essentials Plus scheme operated by HM Government and to the international ISO 27001 cyber security standard.
What are the most significant cyber security threats that our organisation currently faces?
We face broadly similar cyber threats to other businesses of our size and industry. This includes sophisticated phishing attacks as well as infections from ransomware and more traditional viruses. These could lead to the inadvertent disclosure of sensitive information, exposure to extortion by cyber criminals, and widespread operational disruption.
How are we protecting sensitive data from breaches and leaks? What measures are in place to ensure data privacy?
We protect sensitive data by restricting access, particularly through remote means, and mandating strong passwords, multi-factor authentication, and encryption. But the real key to our overall ability to protect ourselves from breaches and leaks is to ensure that our users are well-trained, security conscious, and vigilant.
What is our incident response plan in the event of a cyber-attack? How often is it tested and updated?
Our Cyber Incident Response Plan is part of our overall Business Continuity Plan. This starts with the recognition that an incident has occurred and then moves through various stages, including assembling the right team, assessing the situation, executing the plan (while communicating with stakeholders), and managing the incident to closure. We review this once a year and test it every two years with the help of external partners and security specialists.
What cyber security training and awareness programmes do we have in place for our employees?
We provide annual cyber security training for all staff, with additional role-specific training for certain teams, including the CST. We also distribute a Compliance & Security Newsletter and regular email notifications to maintain the overall level of cyber security awareness across the business.
How are we managing third party risks? What measures are in place to ensure our vendors and partners are also maintaining strong cyber security practices?
We manage third-party risks through the Third-Party Risk Assessment Portal and related policies and procedures. This relies on decision-makers across the business sharing the responsibility to assess third parties using a single, consistent framework. Our legal contracts, terms and conditions, and privacy notices support this by ensuring that our suppliers meet their cyber security obligations and understand the consequences of non-compliance.
How do we ensure our systems and software are always up to date?
We manage our systems and software centrally, and updates are delivered directly from the Cloud. This ensures that any security vulnerabilities are addressed without delay, which is especially important for laptops and mobile devices. We have strict rules in place that prevent out-of-date systems and software from accessing our sensitive data.
How do we measure the effectiveness of our cyber security programme? What key performance indicators (KPIs) or metrics do we track?
We measure the effectiveness of our cyber security programme by monitoring medium and long-term trends in incidents and near-misses, and by looking closely at how our systems and our people are performing, for example, by tracking training statistics. We compare these to external security benchmarks regularly and take advice from our partners on areas for improvement.