Sidetrade is a company that provides AI technologies to help organizations drive customer relationships, enable business growth and generate cash flow, with more than 1500 businesses in 80 countries using Sidetrade technology to aid their marketing, sales and finance initiatives.
Sidetrade recently announced that it has obtained ISO 27001 certification, and Infosecurity Magazine spoke to Laurent Pontier, technical director, to discuss the importance of the information security standard for the company.
What is the significance of Sidetrade obtaining ISO 27001 certification?
Delivering SaaS technology, Sidetrade has constantly taken a proactive approach to securing its application and protecting its customers’ data. Now, Sidetrade offers an AI technology, and AI activity is powered by trust. AI users need to know that the AI they are using is secure, fair and transparent in its predictions and recommendations, but also that their data is being stored, accessed and used in a reliable way. ISO 27001 certification was a natural step for Sidetrade, formalizing and reinforcing our attentiveness to security excellence.
It lets us improve and align our way of working to the latest industry standards and puts us in the ‘premier league’ when it comes to addressing security-sensitive and business critical markets. Our ISO 27001 certification gives Sidetrade a decisive edge in a world where secure data management has become crucial.
What customer and security benefits will ISO 27001 bring?
It’s important to have strong business continuity management procedures, which establish management responsibilities and procedures when harm strikes, to ensure a quick, effective and orderly response to information security incidents. It was therefore appropriate for Sidetrade to leap ahead in security management by obtaining ISO 27001 certification, the gold standard in information security.
Also, our customers are implementing cybersecurity programs, and requesting higher security from their suppliers. ISO 27001 facilitates effective decision-making by customers when they are selecting an AI solution.
With ISO 27001, we have found a way to protect our data assets and the associated systems in a way that is above and beyond the usual standard. ISO 27001 certification demonstrates that data security is a top priority for us. Our certification even covers our internal processes (HR, finance, suppliers, IT), and the physical security of our installations.
What are the best practices for achieving compliance with a certification such as ISO 27001?
Firstly, Sidetrade’s executive committee took the decision to secure ISO certification. Strong leadership from the top is important from the start. A company needs to recognize that cybersecurity is a priority, and that the threat is real and poses serious risks to the business. From that comes the needed investment and staff time to see ISO certification through to completion – it becomes a whole company priority from top to bottom.
Teamwork is also vital, especially for the execution. This was an 18-month project involving all employees across the business.
Also needed are hard resource planning, trust investment in all contributors, leveraging the knowledge of others, delegation, control, continuous adjustment of the plan and, last but not least, being ‘hands on’ to lead by example.
Sidetrade worked hard to make its information security management system ISO 27001 compliant. Not only were heavy investments made to secure technical systems and processes, but all of the company’s working practices were improved. We have a defined security strategy based on sound security principles.
What’s your advice for managing IT-related risks and protecting the confidentiality, integrity and availability of information?
Firstly, take the time to assess the risk and build a risk analysis of the entire company’s systems, processes and methods. Then, set out a company-wide policy that can act as a guide and reference point for all.
Employees constitute an asset in the security strategy, which is why a security awareness training program has been set up at Sidetrade, alongside a company that uses gamification to help employees understand cybersecurity principles and practices, with real-life scenarios. It helps to enforce the security culture in the company and the third parties it deals with. That’s something each company should be doing. You also need to remember that employees are key players in information systems security, and that major security breaches occur because of human error and misunderstanding around following policies and assessing risk level.
Sensitive information should be classified according to an appropriate level of confidentiality, while also being available to those who have a legitimate need for access. We carry out recurrent reviews of information system security risks, to assess the impacts on our operations and obligations. Those practices, like incident feedback and performance monitoring, create a culture of continuous improvement.
I also think it helps to secure an external audit. In our case, we invited KPMG to audit the ISO project, which gave us an additional level of scrutiny, and ultimately validation.