ARKK's Information Security Officer, Richard Hammond, speaks about implementing and maintaining a robust security infrastructure and culture at the company.
For those of you who may not be aware, Information Security, or InfoSec for short, is the practice of protecting information by mitigating information risk. In a world where people, organisations and governments are holding an ever-increasing amount of sensitive data online, the security of this information is paramount.
InfoSec isn't only concerned with data breaches that happen online, physical security is just as important - the first line of defence against any type of data breach is a company's employees. Having over 4 years' experience in the Information Security sector has shown me that only when all parts of an organisation are working together and adhering to security procedures do you truly have a robust infrastructure in place.
Having previously managed penetration testing within the Surrey and Sussex police department, I've seen the myriad ways that systems can potentially be infiltrated by a malicious attack. It's my job to ensure that we have processes, procedures and systems set up to help mitigate the risk of a data breach while also establishing remediation action in the unlikely event that it does occur to mitigate the impact.
ARKK take a forward-thinking approach to information security and its fundamentals are built into the organisation's DNA. Security, both digital and physical, is part of the company's day-to-day activities to ensure that customer's data security is our top priority.
We believe that our security methodology and stance should be as upfront and transparent as possible. ARKK's security statement is visible on our website and outlines the controls we've put in place so our customers can feel assured that their data is in safe hands.
Being ISO 27001 certified since 2016 is a fantastic accomplishment for ARKK. It shows our commitment to data security via an internationally recognised security framework ensuring policies, procedures, processes, controls and standards are in place.
ISO 27001 certification, however, is only the first stage. Maintaining the certification requires consistent monitoring of ARKK's security standards and ensuring everyone abides by them. Maintaining the certification includes:
"We're incredibly proud that we've maintained our ISO 27001 certification since 2016. The team work amazingly hard all year round to keep our, and customers data secure which is no easy task with the wide range of cyber and physical threats" describes Richard Metcalfe, ARKK's CEO.
It's easy to say that we take security seriously, however, implementing systems takes significant investment from the top-down. We have a dedicated InfoSec team at ARKK constantly managing data security, an investment that some companies just aren't willing to make.
InfoSec investment isn't just financial, it also involves time and resources from the entire company to be trained and uphold our procedures. As I mentioned before, the first line of defence is an organisation's employees and I've worked in several companies but ARKK has one of the best security cultures that I've seen.
I also believe part of having a comprehensive Information Security Management System (ISMS) is that you have to be responsive, it's actually one of ARKK's core values. During the platform proposal stage, we respond to questionnaires as a priority, providing detailed accounts and supporting evidence to reassure customers of our data security.
Information Security is multi-faceted. Digital and physical security are vital, but so is the reliability of access to that data. Storing information online has many advantages, however, this data must be readily available when customers need it.
ARKK go the extra mile to ensure that our platforms are always accessible. We use some of the most reliable data centres in the world to guarantee that our availability and uptime is as consistent as possible. ARKK also has a detailed business continuity plan set up so if our servers were to ever go down, they would be back up and running as quickly as possible to ensure customers never miss their filing deadlines.
Several issues can occur when a company suffers a data breach. Under European GDPR law, any infringements must be disclosed to the relevant authority meaning they will be visible to the public. Depending on the severity of the breach, companies can be fined up to £18 million or 4% of their annual global turnover, whichever is greater. These fines not only place a financial burden on an organisation, but the coinciding reputational damage can be just as devastating if not more so.
Would you trust a company with your sensitive information after knowing they've suffered a breach? Probably not. Consumer confidence can take years to build and only a moment to destroy once a firm has been tarnished with a data breach infringement.
ARKK like to take a proactive approach to Information Security which is why we're always looking at ways to improve our data security. Although we've been ISO 27001 certified for several years, the next step for us would be to become ISO 22301 certified.
Having an ISO 22301 accreditation would mean that we're recognised for having industry-leading standards in business continuity management, adding yet another layer of certainty to the controls that ARKK has in place to maintain the security and availability of customers data.
If you'd like to read more about our SaaS platform or finance process automation, check out the ARKK blog.