It came to light this week that Curry’s PC World and Dixons Travel stores had suffered a major security incident when a hacker was able to install malware on thousands of sales tills, thereby scraping the information of 5.6 Million customer payment cards. This has not only caused lasting reputational damage to the company but has led to the Information Commissioner’s Office fining owner Dixons Carphone £500,000. Likewise, Travelex are still battling a ransomware breach which was discovered on New Year’s Eve. This has left Travelex’s status as the premier foreign exchange service in the world in tatters, led them to pull their website offline and has left millions of customers and major banks such as HSBSC, Barclays and RBS unable to process foreign exchange.
These two examples are stark reminders of the real-world consequences that can spring from improper information security.
This news is particularly topical for Flynet as we have recently been awarded ISO 9001 and ISO 27001 accreditation. We interviewed Flynet’s Compliance Manager Mat Middlecott in order to illustrate how adherence to the ISO framework provides increased operational security and procedural integrity, helping organisations like ours prevent the catastrophic breaches that have occurred at Dixons Carphone and Travelex.
What is ISO and why is it important?
" The International Organisation for Standardisation (ISO) provide a framework of processes for a number of different industries that share common processes, these best practice approaches inform and guide organisations in how to approach issues like quality and security in a way that learns from the best and is honed by the errors of the past.
The ISO accreditations are internationally recognised by industry and individuals alike as trusted marks of best practise, this helps de-risk working with or buying services from organisations that hold these credentials. In our case ISO 9001 and ISO 27001 aren’t just one-time certifications, they’re a way of doing business. " Mat Middlecott, Flynet ISO Compliance Manager
What are ISO 9001 and ISO 27001?
" ISO 9001 is a standard that ensures quality levels in the manufacture and delivery of products, services and deliverables. ISO 27001 ensures a standard of information security management. Using these frameworks in a way that supports your organisation’s processes and operations ensures a good level of security and best practice." Mat Middlecott, Flynet ISO Compliance Manager
Why would ISO 9001 and ISO 27001 have made a difference at Travelex?
"The Travelex breach was a ransomware attack that took advantage of a security flaw in their VPN software, Travelex use a VPN product called Pulse Secure, in fact Pulse had identified this exposure and provided a patch 8 months earlier. This falls more into the ISO 27001 area, with particular focus on the policies for Information Security Management, which would describe the frequency with which software update checks are carried out. A VPN gateway is essentially a front door to your organisation on the internet, so the policy would identify a high frequency of checking and identified those responsible for carrying out that process. It’s simple and sometimes dogmatic work but highly important, especially when weighed against the cost of a breach. A breach that in Travelex’s case has virtually shut down their business and closed retail Forex operations at Barclays, Lloyds and many others." Mat Middlecott, Flynet ISO Compliance Manager
Put in those terms it sounds like standards like ISO 9001 and ISO 27001 would benefit any organisation, how easy was it for Flynet to become accredited?
"Flynet had a head start when it came to ISO 9001 and ISO 27001 accreditation. Being a science and technology company we were already quite procedurally driven, already having the majority of the required policies in place. Flynet has been supplying heavily regulated industries for a long time which has led the organisation in a very procedural way, compliance with other standards like HIPPA and GDPR has seen a lot similar assets and processes created, which certainly gave us a boost." Mat Middlecott, Flynet ISO Compliance Manager
What’s the most important aspect of gaining and maintaining the ISO 9001 and ISO 27001 certifications?
"I believe the key element to ISO 9001 and ISO 27001 certification is that anything written down in a policy document must be adhered to. As such all ISO 9001 and ISO 27001 certifications are fully tested in a rigorous 2-stage audit by a UKAS registered auditor, which ensures standards are correctly maintained and accountability is clear and transparent.
However, achieving certification is just the start. Constantly iterating processes while tracking changes and improvements should be the lasting legacy of ISO 9001 and ISO 27001. Becoming complacent once accreditation has been awarded is a dangerous situation. As events have shown, no certificate can stop a determined actor from undermining security, unless security is part of your company’s daily life.
My mother used to say an apple a day keeps the doctor away, in other words a simple daily process that can keep you or your organisation fit and healthy." Mat Middlecott, Flynet ISO Compliance Manager
At Flynet, our decades of experience have taught us that protecting the customer is the best way to ensure fruitful relationships. That’s why we constantly search for the best standards and protocols to adhere to, from GDPR, to ISO and beyond. With ISO 9001 and ISO 27001 we’ve found a standard that will ensure security for us and our partners far into the future.