Trifast plc – Annual report – 31 March 2017
Industry: manufacturing, distribution
Risk Table (extract)
RISK MANAGEMENT (extract)
The IT health checks carried out around the Group have already started to prove their worth
IT Risk management
TR Systems have had a busy year assessing and addressing IT risk around the Group and, as mentioned in last year’s report, the IT team have tackled the risk head on.
IT health checks have been carried out in all European sites and the process has also started in Asia. Further visits to Asia and the USA are planned for FY2018 to complete the IT risk review of the entire Trifast plc Group of companies.
The IT health checks have already started to prove their worth as, following on from health checks carried out around the Group in 2016, potential weaknesses in the IT Infrastructure were identified.
To confirm these weaknesses, penetration tests were carried out by PTP (Pen Test Partners). PTP are a leading penetration testing and security company with which we have established a good working relationship. Their reports highlight the risks and vulnerabilities and exactly what needs to be addressed in risk priority.
Alongside the IT health checks and penetration tests, 2016 saw a major effort by all sections of the TR Systems department to address the requirements of the ISO/IEC 27001:2013 Information Security Management System, with the aim to achieve accreditation by the British Standards Institution (BSI). The process involved consideration of all aspects of information security with risk assessments being the major starting point. All members of the team were asked to consider any area that could be susceptible to security threats and where these were found they were immediately addressed. December 2016 saw the final push and we were pleased to be awarded the accreditation at the final assessment before Christmas.
To ensure information security is seen as a continual process, an Information Security Forum (ISF) has been established. This forum is made up of personnel from across the business and meets regularly to review all aspects of information security including any security incidents that may have occurred.
Internal audits are also carried out throughout the year with annual BSI assessments scheduled to ensure the Company continues to comply with the Standard. Information security is included as part of our day-to-day processes.
We have already seen benefits of compliance to the Standard with new and existing customers now being assured of our ongoing commitment to the security of both our own and our customers’ information.
We are now putting in place schedules to roll out the ISO/IEC 27001:2013 Standard to the whole Group. This will be carried out on an incremental basis throughout the UK first and then to Europe and the USA/Asia.
As I am sure most of you are aware, there have recently been two major IT incidents, the first one being the WannaCry ransomware virus. We are happy to report that TR was not affected by this ransomware and would like to think the investment in our cyber security that the Company has made prevented this.
The second incident was the airline system crash caused by a power outage in their data centre and lack of adequate backup processes. Again, TR has a secure datacentre that has a more than adequate backup power source which is tested on a regular basis and we can report that we have never lost any connectivity during the switch to backup power. Also, TR has multiple backup processes continually running that provide the organisation with the ability to restore the Company’s systems and data within an appropriate time frame.
One of the consistent cyber threats to TR and its Group of companies is email traffic. Email threats come in different varieties, from a simple phishing mail to a more direct virus hidden in an attachment. TR have invested heavily in this area and, as you can see from the statistics, the investment has paid dividends.
In summary, TR have received 37,547,107 emails in the last year. 36,107,354 were blocked by our collection of email defence solutions. This means that only 1,439,753 emails were delivered, which equates to c.4% of mail traffic. Assuming it takes the average user five seconds to process a mail, this is a saving of 5.7 years of one person’s time.
TR Systems have worked hard on establishing a global IT support structure. With many subsidiaries spread far and wide around the globe, the best solution is to form good relationships with third-party support partners that, under TR Systems' guidance, will deliver the same level of security that the majority of TR locations already receive. This model also allows flexibility when new acquisitions join the Group.