Information Security: In Conversation with Dr. Marco Ermini, CISO at EQS Group

Information security (or InfoSec as its commonly known) is anything that goes into protecting the information of a company. For EQS this relates to both internal company information and information we hold on behalf of customers. We have a classification policy for our information depending on the sensitivity of the information. Some information, like this blog post, is not sensitive and open to the public, but our source code, for example, is our intellectual property and is therefore highly commercially sensitive. We use a simple traffic light protocol to classify our information – green if the information is public, amber if the information is for EQS internal staff, and red is only for restricted groups within EQS. Customer information is always classified red.

Let me clarify my standpoint: among various definitions, I consider the one derived from ISO/IEC standards to be the most appropriate.

Cyber or IT security is focused only on digital information. Information security goes much wider than this and encompasses the protection of all forms of information, regardless of whether it’s digital or physical. Aside from the differences in everyday processes and tasks, the difference manifests most clearly when it comes to strategic decisions. For example, if a company decides to expand to new markets, it initiates a chain of events with significant ramifications for information security. In such instances, the role of information security becomes pivotal, demanding its involvement at a much earlier stage in the process compared to the functions of cyber security or IT security, owing to the numerous interdependencies it entails.

This is just my viewpoint, and it’s not meant to be exclusive. Some readers might use frameworks other than ISO and have a different taxonomy, which is perfectly fine, as long as we can understand each other.

It is estimated that 75% of the economy at least in the western world depends directly on information. Regardless of your industry, whether or not you operate in the software sector, the impact is universal. In today’s landscape, software is essential for anything, be it safeguarding intellectual property, running industrial machinery, or simply tracking your sales team’s fleet. Software is a necessity for operation and the safeguarding of valuable information. When your information is jeopardised in any way, for example if your competition or a hacker steals it, or when the information is not available to you because there is an outage – all of these things have a direct impact on your business, and will cost you a lot of money. Maybe even your business entirely.

EQS employs best practices when it comes to information security, adhering to the most important international information security standards including ISO 27001, ISO 27017 for cloud and ISO 27018 for privacy. We use these frameworks to develop our multiple controls. We request audits from external, reputable firms and ratify our third party certifications once a year to confirm that we are fulfilling the minimum acceptable level for security.

We always try to be one step ahead. We also employ strong authentication and access controls: we mandate 2-factor authentication for all our employees which means they have to accept an authentication challenge over an external device – which is resistant to phishing attacks. We also have special security software which scans our entire estate, and also multiple type of source code scans and a four or six-eye review before the software we develop goes into production. Threats change daily and we have to be vigilant, and constantly improve our security posture.

We set up an internal Security Operations Center (SOC) which in 2024 will run 24/7 to react to customer requests, potential intrusions from hackers, and any kind of information security event. While many companies outsource this externally, we prefer that the first response comes from us internally as we understand the environment. We use encryption everywhere, and we don’t use any internal networks at EQS anymore. We have moved away from VPNs, and adopted a Zero Trust Network Access framework, which means that every computer and identity at EQS is always authenticated. Every piece of traffic on these computers is inspected.

We do regular testing and training, in particular we train our developers in secure coding. We also commission external penetration tests on our products which offers our customers additional confidence. We also run a so-called bug bounty programme which offers a reward to external researchers if they find problems with our software.

All Microsoft Windows systems employ Rapid-Recovery technology to defend against ransomware, and we reinforce security with a range of external monitoring tools that continuously scan EQS’ estate for vulnerabilities.

And if all else fails, we always have backups! We backup everything into secure, remote locations every four to 24 hours, depending on the environment.

If, despite all of this, a data breach occurs, we have adopted a “retainer service”. This is a renowned, specialized, world-class threat and incident management firm which intervenes, 24 x 7 x 365, within four hours of our call. They produce an independent report which can be provided to customers, as required.

All this is considered a very good level of protection, and companies should demand at least a similar level of security from any SaaS provider they work with.

Of course every company is different. The shape of a company’s information security programme will depend on its risk assessment.

If a company adopts insecure compliance software, there are many dangers. You are putting very sensitive information into this software – approvals, policies, whistleblowing information – which is controlled by an external entity. It is paramount that this information is kept secure because it would be disastrous if leaked.

But the dangers are not just on our side. The security of our software depends on shared responsibilities and our customers need to understand this. This includes effective management of their accounts and which employees have access to what information. These are elements which we as a SaaS provider have no control over!

I strongly advise caution when considering collaboration with a small company that lacks a robust information security program.

Certain companies, lacking a robust security infrastructure, attempt to obscure the situation by presenting certifications and audit reports of their data centers as if they were their own. It’s important for customers to grasp the exact scope of ISO/IEC 27000 certifications or ISAE/SOC audit reports and determine whether they cover both the SaaS offerings or are restricted solely to hosting services.

Remember, your data’s safety and confidentiality depend on how much attention your SaaS provider pays to this critical subject.

Data breaches can happen, particularly if you choose the wrong software. They can result in extremely expensive privacy fines but there are also reputational damages for a company. For example, there are examples of mergers and acquisitions becoming much more expensive following a data breach, such as the merger of Verizon and Yahoo. There are also costs of notifications if you have to inform customers and employees of a data breach. In this case you might even have to pay them legal and privacy protections. There are cases as well where it becomes a criminal case and the CISO receives a court sentence as a result – this happened recently at Uber.