Data Security – The Importance of Security Officers for Businesses Holding Client Data

This post is also available in:

As it was Data Security Day last week, we had a guest poster, Irina Maltseva, talking about protecting small businesses from payment fraud. However, we forget the other important aspect of data security in our businesses, and we only realise their importance when something goes wrong. I am, of course, talking about the legal and security teams that seem to fade into the woodwork until it’s time for digital security training or there is a data breach.

Any company that holds or accesses sensitive client data needs to be aware of the trust that is placed in them by their clients. You can’t ask clients to give you their information if you are oblivious to the responsibility you hold for keeping that data secure.

Simplybook.me is one such company, and we pay significant attention to how we store and access that information. We have our legal and security manager, along with another information security officer, who ensure that we are always on the straight and narrow.

Introducing our Security Bods

Please show your appreciation for our security personnel for their incredible dedication to their work. Introducing Georgia, our Legal and Security Manager, and Maryna, our Information Security Consultant.

We asked a few questions about what they do in their day-to-day and how they keep up with requirements.

Georgia

What do you do?

I combine the two roles of legal and security manager. My key responsibility is ensuring the maintenance of our Information Security Management System, ISO 27001:2013 certified. In simple terms, I need to understand how we use data and how we transfer it throughout our organisation. It must travel securely and with appropriate technologies.

How do you ensure compliance with data security and the laws that protect them?

The first step is to make sure we keep up with the changes in applicable laws and see how those apply to our business operations. Afterwards, we need to communicate with our IT experts and make any improvements to our established security controls. Compliance requires day-to-day, consistent monitoring of business operations and controls in place with regular internal communication.

How do you keep up with changes etc.?

I mainly monitor the websites of relevant regulatory bodies. Additionally, I follow other channels:

• I follow LinkedIn organisations and professionals in the field,
• Subscribe to relevant organisations and, where possible,
• Attend conferences or online webinars for training or networking.

We evaluate important changes and present them to the top management. We then work together to make any needed changes to our established security controls.

How do you ensure everyone knows how they should maintain data security?

• Each new hire goes through the induction/first-day training
• Every year all employees must undergo intense annual data security and privacy training.
• We perform annual audits by which we check employees follow the policies & procedures

In general, there is trust that everyone understands the importance of following data security internal policies & procedures. However, as the company has been growing, we have started to implement a continual reminder of security practices and procedures throughout the year. We have recently started using a training tool that sends all employees monthly reminders and updates to policies throughout the year.

Maryna

What do you do?

I have the role of Information Security Consultant. I, like Georgia, contribute to ensuring that information security in the company meets the requirements of international standards, especially ISO 27001.

My key responsibilities are:

• Ensure related compliance requirements are addressed, e.g., security regulations and controls associated with ISO 27001:2013 standard.
• Ensure appropriate risk mitigation and control processes for security incidents as required.
• Document and disseminate information security policies, procedures, and guidelines
• Help with coordinating the development and implementation of information security training and awareness program.
• Help with coordinating a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets
• Assist with inventory of company assets, e.g., keeping the Hardware Asset Register
• Conducting planned and unplanned information security audits in accordance with ISO 27001or other standards
• Participate in the development of business continuity plans and risk assessment

How do you keep up with changes?

In order to improve my knowledge, I sometimes contact my former colleagues in this field to exchange information, read articles with new implementations of security controls and try to attend various training events.

Data Security Within the System(s)

While our legal and security officers spend most of their time dealing with the human side of data security, their research and findings also influence how we process data within the SimplyBook.me (and, of course, SimplyMeet.me and SBPay.me) system.

Our Security team has worked very hard to ensure that our system and policies adhere strictly to the laws surrounding GDPR and other more localised policies in the US and Australia. Everyone has to have their own version of data protection and privacy laws with minor tweaks and changes. However, virtually all of the different versions of data protection laws cover the same ground.

It is down to Georgia and Maryna to ensure our data security and privacy standards adhere to the laws of every country where people use our system to hold client data.

Data Security and Privacy Importance, to us and you

We are committed to ensuring the data privacy of our clients. However, we’re also very aware that our data security policies affect you and your clients. You are equally important, from the sole operator of a hair styling business to the medical clinic dealing with sensitive patient information. If your business saves client information, we need to be able to uphold the data security that you promise to your clients.

Consider how much it might cost you to pay damages for a data privacy breach. It could be a lot and enough to cripple your business. Not to mention the clients who might not want to come back after such an incident. By choosing a business with an established security team and many security features that are free to use, you are protecting yourself from the dangers of an unprotected business and allowing your clients to trust you.

Thank you, Georgia & Maryna. Your hard work is thoroughly appreciated and valued.