We made the decision to apply for ISO 27001: Information Security Management accreditation earlier this year (audit scheduled for later this month!) because we wanted to be sure that the systems and processes we were using are up to the job.
The volume of data that we receive through client campaigns has grown just as quickly as Code String itself!
We leave all the complexities of encryption algorithms, one-way hash functions etc. to the technical team. From a client management perspective the volumes of data may be on a much smaller scale, but that doesn’t reduce the level of protection and security we need to apply.
All data we send is encrypted (and always was), but one of our key learnings during the implementation of ISO 27001 is the need to always provide the password, or key, using a different method from the one used for the data. For example, if we send the encrypted file via email the client will be given the password by phone or text; if the client prefers the password to be on an email then we’d use a cloud-based file transfer service to send the data.
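The channel-separation rule above can be enforced before anything is sent. The following Python snippet is an added example (not Code String’s own tooling): it generates a fresh passphrase for each delivery, refuses any plan that puts the encrypted file and its passphrase on the same channel, picks the data channel from the client’s preferred password channel using the two cases described in the text, and produces an audit line that records the channels without ever writing the passphrase itself. The channel names and the `DeliveryPlan` structure are assumptions for illustration.

```python
"""Out-of-band passphrase delivery check (added example, not the post's own code)."""
import secrets
from dataclasses import dataclass

# Delivery channels (names are illustrative assumptions). Anything that lands in
# the same mailbox is ONE channel: a second e-mail is not "a different method".
EMAIL = "email"
PHONE = "phone"                    # passphrase read out over the phone
SMS = "sms"                        # passphrase sent by text message
CLOUD_TRANSFER = "cloud_transfer"  # cloud-based file transfer service
CHANNELS = {EMAIL, PHONE, SMS, CLOUD_TRANSFER}


class SameChannelError(ValueError):
    """Raised when the encrypted file and its passphrase would share a channel."""


@dataclass(frozen=True)
class DeliveryPlan:
    data_channel: str   # how the encrypted file travels
    key_channel: str    # how the passphrase travels (must differ)
    passphrase: str     # handed to the encryption step, never logged


def new_passphrase(nbytes: int = 16) -> str:
    """Cryptographically random, URL-safe passphrase (128 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def plan_delivery(data_channel: str, key_channel: str) -> DeliveryPlan:
    """Build a delivery plan, rejecting unknown or identical channels."""
    unknown = {data_channel, key_channel} - CHANNELS
    if unknown:
        raise ValueError(f"unknown channel(s): {sorted(unknown)}")
    if data_channel == key_channel:
        raise SameChannelError(
            f"file and passphrase would both go via {data_channel}; "
            "use a different method for the passphrase"
        )
    return DeliveryPlan(data_channel, key_channel, new_passphrase())


def choose_channels(preferred_key_channel: str) -> tuple[str, str]:
    """Apply the two cases from the text: (data_channel, key_channel).

    Client wants the passphrase by email  -> file goes via cloud transfer.
    Client accepts phone or text           -> file goes via email.
    """
    if preferred_key_channel == EMAIL:
        return CLOUD_TRANSFER, EMAIL
    if preferred_key_channel in (PHONE, SMS):
        return EMAIL, preferred_key_channel
    raise ValueError(f"no delivery rule for passphrase via {preferred_key_channel}")


def audit_record(plan: DeliveryPlan) -> str:
    """Audit line for the ISMS log: channels only, the secret is never written."""
    return (f"data_channel={plan.data_channel} key_channel={plan.key_channel} "
            f"passphrase_bits={len(plan.passphrase) * 6}")


if __name__ == "__main__":
    # Constructed scenario: client prefers to receive the passphrase by email.
    data_ch, key_ch = choose_channels(EMAIL)
    plan = plan_delivery(data_ch, key_ch)
    print(audit_record(plan))
    try:
        plan_delivery(EMAIL, EMAIL)  # the "two emails" anti-pattern is refused
    except SameChannelError as exc:
        print("refused:", exc)
```

The passphrase returned in the plan is what the technical team feeds to the actual file encryption tool; the point of the check is that it can only be obtained together with a plan in which the two channels differ.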
It is perfectly obvious that sending encrypted data in one email and following it up with the password (even if it is in a separate email) undermines the data security. But confession time…come on…you’ve all done that at some point (and probably got away without any breach of security), but if someone has compromised that email account you’ve given them the data and the key!! The consequences don’t bear thinking about: prosecution? Fines? Not to mention the reputation of your business.
Don’t take any chances with PII (personally identifiable information). Think carefully about all aspects of information security, not just consumer data – you don’t want to be the next big headline!