Principal risks, GDPR, cyber security and description of measures taken during the year


Trifast plc – Annual report – 31 March 2019

Industry: manufacturing, distribution

Risk management (extract 1)
Risk management (extract 2)
Cyber Security
As our digital transformation advances and we accelerate the migration of data from on-premises to cloud-based storage, the additional endpoints and the resulting growth in our attack surface create a new set of risks to mitigate.

During FY2019 we focused heavily on logical and physical risk assessments to gain a clearer understanding of our current global estate. Risk assessment has been the key driver for identifying and classifying our information assets, and has given us a better basis for determining our highest priorities and developing our risk management strategy.

Identifying threats and threat actors continues to be of great importance. Threat intelligence helps us defend against sophisticated attacks by giving us an understanding of a threat actor's strategies and objectives. Each threat presents a distinct challenge; analysing the vulnerabilities through which it could be realised gives us a likely impact, enabling us to map threats to assets and build a robust cyber defence.

Unfortunately, as with any organisation, the biggest risk we face is our own staff. An insider threat, whether accidental or intentional, can be as damaging as an external advanced persistent threat. It is often said that, 'It isn't just the outsider trying to get in who should be feared, it's also the insider as they already have the keys!' Once valuable data has been leaked, there are always criminals looking for opportunities to use that data to their advantage. Identity and access management processes, data loss prevention, best practice security controls and user awareness training are all crucial in mitigating insider threats.

On 25 May 2018 the EU General Data Protection Regulation (GDPR) became applicable, replacing the Data Protection Directive 95/46/EC, in response to a view that businesses were not taking privacy and the care of personal data seriously enough. The aim of the GDPR is to protect individuals in the EU from privacy violations and data breaches in today's data-driven world. As with any new legislation, its introduction presented challenges, but we overcame these and successfully implemented improved training, data security controls and procedures to meet the new regulatory requirements.

TR Fastenings UK (TRF) achieved its first cyber security certification on 15 March 2019. The HM Government Cyber Essentials scheme is designed to help UK organisations improve their defences against the most common internet-based attacks and to demonstrate publicly their commitment to cyber security. Cyber Essentials certification is a prerequisite for bidding on certain UK government contracts that involve handling sensitive or personal information, because it demonstrates that a baseline of cyber security controls is in place; with this certification TRF is now qualified to bid for such contracts.

The protection of confidential data and information is something we take extremely seriously. Our customers want to work with partners who can be trusted to access and handle confidential or sensitive information and who have measures in place to keep that data safe and secure. Being awarded this certification is evidence not only of our credibility in this respect, but also of our dedication to quality and integrity when it comes to customer information.

On 14 April 2018 we became an approved member of the UK Government's Cyber Security Information Sharing Partnership (CiSP). CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time via a secure and confidential environment. Becoming a partner has given us access to early warning notifications, which greatly improves our ability to keep up to date with global cyber threats.

ISO/IEC 27001:2013
Our continued effort in information security has been rewarded with our second year of certification by the British Standards Institution (BSI) of our Information Security Management System (ISMS) to ISO/IEC 27001:2013. Maintaining the certification through the annual audit demonstrates our commitment to information security, and the management framework of policies and procedures it requires helps to keep our information secure and provides confidence to business customers and partners.

Looking ahead, we will continue to reassess our global estate against the ever-evolving threat landscape. Establishing a process to evaluate our ongoing programme periodically will be crucial to this, enabling us to enhance our cyber security risk management and keep our most valued assets protected at all times.

John Paton
Global Head of IT Security