COO Q&A: How to thrive in today’s evolving tech world - Part 2

In the second instalment of our evolving tech world article, Paul Albone gives his three top tips on how best to protect your firm from a cyber-attack and discusses the value placed on accreditations within the industry.

Q. What are the three critical things that firms must do to protect against cyber-attacks?

1. Make all your staff aware of the threats of cyber-attacks

Cyber-attackers use malicious code and software to alter system behaviour and data, resulting in disruptive consequences that can compromise a firm’s systems and lead to cyber-crimes such as information and identity theft, or systems being compromised.

Cyber-attacks come in many guises, so invest the time and effort in training all your staff. There are a number of good online interactive courses to test and measure staff awareness of cyber-attacks.

2. Find your network and system weak spots that could be exploited by a cyber-attacker 

Normally, this takes the form of an independent security vulnerability test by an external supplier. When choosing a supplier, always ensure they are CREST accredited. The CREST scheme assures a firm that the supplier follows strict testing processes for network and system security assessments. The test findings will help a firm prioritise and plan any security vulnerability remediation measures required.

3. Protect your firm with a solid insurance policy

Take out a stand-alone cyber insurance policy, ensuring that it provides your firm with access to a 24/7 incident response team and, as with any insurance policy, ensuring that you understand what is and is not covered.  

Q. What would you recommend as a good starting point when it comes to improving IT performance?

I would start from the business view and work inwards to IT. For example, is there a clear “line of sight” from the business goals into the IT roadmap? Without this, there is a high probability that valuable IT resources are working on low value, non-important activities.

Then, ensure the fundamentals are in place by measuring KPIs, activities and progress. Are IT operations providing the right level of activity and keeping key stakeholders within the firm informed? If not, establish regular reporting covering both high-level and detailed views. 

It’s also important to regularly inspect a system’s performance metrics at all levels in the system infrastructure. How are systems performing? Where are the hot spots? What are the most commonly occurring errors being raised in the system? 

Once you’ve determined this, ensure the IT roadmap has a continuous system improvement plan running right across it to address these issues. Proactive and regular corrective measures are always better than responding to sudden system incidents that can cause significant disruption to a firm.

Q. What is the value of accreditation (such as ISO 27001) and how do you achieve this status?

Our tmgroup journey towards ISO 27001 accreditation originally stemmed from our GDPR compliance programme. For this, we ensured demonstrable processes were in place to protect the data held on an individual. This involved a comprehensive assessment of our data, processes, controls, risks, protection and privacy across our entire IT systems landscape. As part of this, we reviewed and updated all of our information security management policies and our privacy policy.

For ISO 27001, the key requirement was to demonstrate that our information security management is under control and in place on an ongoing basis. Our accreditation means that tm have passed the strict security requirements set by ISO 27001 in the integration, management and storage of our clients’ and internal data.

We also have Gold Partner status with Microsoft, which sets us apart as a high calibre business partner and assures our clients that our solutions are designed and developed to the highest standards.

With thanks to Paul Albone, COO at tmgroup