Why it matters
Data plays a huge role in our daily lives – from the way we work, to the way we travel and communicate. It’s estimated that 90% of the world’s data has been generated in the last two years and this is expected to keep growing, exponentially. In addition, the growing frequency, severity and sophistication of cyber-attacks has implications for all businesses. Our customers and partners want clarity and transparency about how their data is used and protected by the organisations they interact with, and this is reflected in government policy and regulation.
We have a strong framework in place to understand and mitigate potential threats, spanning the risks associated with theft or loss of customer information as well as disruption to business operations.
Our policies and procedures seek to ensure the information we collect is stored and used correctly, to protect personal data and to make sure we don’t keep that data for longer than we should. Our expert information security, data protection and compliance teams protect and support our business, managing policies and controls, assessing risks and restricting inappropriate access to information. Our data related policies sit within our group-wide risk and compliance structure and have local ownership and are audited periodically.
An important part of this is making sure we support our colleagues to take the steps required to protect our organisation. We regularly engage with colleagues so they’re aware of threats and what to do if something goes wrong. This includes carrying out phishing campaigns and exercises to check our incident management procedures are robust. We have mandatory data protection training which, as well as advising on how best to protect data, makes clear that misuse of data by an employee could result in disciplinary action.
We also use controls such as firewalls, intrusion detection systems and various other security technologies to help defend our systems from attack, regularly reviewing and refreshing them to address new and emerging threats. As part of this, we invest in technical and process controls to guide our risk-based information security programme.
Beyond our own organisation, supply chain partners complete information security questionnaires or privacy impact assessments, and privacy clauses are included in relevant third-party contracts involving the transfer of personal information. For our clients, we have developed several cyber specific insurance products, which include risk assessments and data breach response planning.