News and Insights

The demand for International Organization for Standardization (ISO) certification has clearly increased in recent years, with the global ISO certification market expected to grow at a CAGR of 14.7% from 2022 to 2030. With ISOs the most significant way that companies can demonstrate the quality, safety and effectiveness of their offering, it is increasingly becoming a requirement for tender processes, in all sectors from IT to communications to healthcare.

While demand for ISOs is increasing across many areas, we’re seeing particularly significant demand from companies looking to demonstrate strong information security management systems, for example through the ISO 27001 standard. ECI’s investment in Citation in 2012 was an early indicator of this, with the business acquiring QMS to enable it to deliver the ISO accreditation products being demanded by its existing SME customers. What’s driving this acceleration in demand?

1. Complexity in supply chain

Supply chains are becoming more complex as a result of the globalisation of supply chains and rising customer expectations for faster lead times. Covid-19 exposed vulnerabilities in global supply chains, reinforcing the necessity for them to be flexible, agile and resilient.

This can be a pain point. While it may not be possible to make supply chains less complex, it is possible to help find solutions to deal with that complexity, for example by increasing trust in the supply chain. ISO certification is one of the few ways that businesses can demonstrate they are equipped to handle the demands made of them, and will be able to deliver what they say.

The ISO 23301 mark is considered the gold standard of reliable business continuity management systems, with 56% of business continuity and risk professionals worldwide saying they use it as a framework, with an additional 15.1% certified or in the process of doing so. A driver here is the number of large customers requiring it from their suppliers. Microsoft has started requiring a valid ISO 27001 certification for any of their suppliers that meet the definition of being a SaaS provider.

2. Growth in regulation

Despite ISO standards not being a legal requirement, they are recognised by many industries a aligned with regulatory best practice. For example, ISO certification can be used to demonstrate ESG compliance.

ISO 27001 provides a good basis for meeting the requirements set out by the EU GDPR (which is compulsory). In fact, 48% of respondents in the process of or having already implemented ISO 27001 certification, named GDPR compliance as their main reason for getting certified.

3. Acceleration of cyber attacks

Historically ISO certification has focussed on physical security, but there is now an increased focus on digital assets and data security. This is key to combat cyber-attacks which are on the increase, with an 38% increase in global attacks from 2021 to 2022.

These attacks are costly and disruptive, and certifications like ISO 27001 reduce the organisation’s vulnerability to the evolving threats. By specifying protective measures, it prevents the risks of attacks and helps propagate good organisational practices.

4. Internationalisation of businesses

Many countries have frameworks backed by governments or trade associations, such as Cyber Essentials in the UK or SOC-2 in the US, to set common standards in security and privacy. However, ISO is the only international standard that exists for companies in areas like quality management (9001), environmental management (14001), and information security management (27001).

For businesses looking to serve customers in multiple countries, ISO certification is the most direct route to ensure that any compliance concerns from customers will be addressed. Even for US-headquartered businesses that have long defaulted to national standards, there is evidence of significant growth in ISO certifications. In information security management, this growth is reflected in many businesses that were originally focused on SO2-compliance now evolving their systems and processes to pursue ISO 27001.

These four trends are only increasing, so the expectation is that there shall be increasing demand from ISOs as SMEs and Enterprises look to comply with ever-increasing demands from customers, suppliers and their tech stack. If you would like to find out more about ECI’s experience in the compliance and certification space or discuss how we might be able to help your business, please get in touch.

ECI recently moved out of its old office at Brettenham House after 37 years. When we were looking at new office design, one of the key drivers was that we wanted to ensure we could move as sustainably as possible. But that is really difficult! Questions emerge around what to do with 37 years of stuff, the need to balance green ambitions with the pragmatism of finding the right office and ensuring you can create a modern new office without items having a high carbon footprint. These add a layer of complexity to what is already a big project. Here we’ve pulled together our top tips for moving office sustainably and some of the work done by the ECI team:

1. Creating an energy efficient office

• In an ideal world, you would always select the most efficient office and minimal work would be required to improve performance. But realistically, there are other drivers for selecting an office, and for ECI a big one was location. The team have planned their lives around commuting to the ECI office, so we wanted to ensure the move was also minimally disruptive to that. And in midtown, where we were already based, there aren’t many modern new builds, so we knew the choice were more likely to be older buildings refurbed and refitted.
  
• And while these may not be as efficient in the day to day running, it is usually less carbon intensive to refit and renovate buildings rather than demolish and build. A good example of this is the current row over Marks and Spencer’s flagship store on Oxford Street – demolishing it would likely release 40,000 tonnes of embodied carbon, the equivalent of almost 20,000 flights from London to Sydney.
  
• That meant we had to look at refurbed buildings and assess the energy efficiency, but also the potential. What could be done in our own floorspace and the wider building over time? So, when we found 80 Strand, we initiated a project with the landlord to introduce secondary glazing to our floor and are working with them long-term to deliver on energy efficiency initiatives. We made sure that ECI was on a renewable contract and are working to look at smart meter options. We also managed what we could control, ensuring the underlying engineering aligned with best practice standards by installing motion sensors for the new energy efficient LED lighting with different timers dependent on location to maximise efficiency. So, for example, open plan lighting turns off quickly when areas aren’t in use, but corridor routes stay on for longer.

Tip: Perfection and pragmatism won’t always align when it comes to finding a new office. Work out what is key to your business, take into account the potential improvements you can make and get started on them early!

2. Sourcing products

We worked closely with our design agency Peldon Rose to source products locally and from renewable materials where possible. This included:

• Carbon neutral acoustic panels made from 100% polyester fibre (PET), at least 60% of which is recycled material, and sourced from a zero-waste manufacturing initiative.
  
• Carpets made from ECONYL, 100% recycled nylon which is exactly the same as brand new nylon and can be recycled, recreated and remoulded again and again. Including the backing, the carpet is made from 69% recycled total content, and is cradle to gate carbon neutral with offsetting
  
• A British manufactured kitchen sourced sustainably from FSC (Forest Stewardship Council) managed sources.
  
• The majority of the new furniture has been sourced from British designers and manufacturers, from sustainable practicing manufacturing facilities powered by 100% renewable electricity. These facilities bring quality employment opportunities to areas such as Lincolnshire, Somerset and South Wales, adding social and economic sustainable aspects. This furniture was supplemented with a few select pieces sourced from Denmark, a leading country in sustainable manufacturing.

Tip: When working with a partner highlight the importance of sustainability early and keep asking questions throughout the moving office process. Don’t get dazzled by beautiful design, find out what it’s made of, where it was made and what the end of life might look like. The furniture industry in particular is incredibly focussed on sustainability right now, so if one product doesn’t work, another one probably will.  

3. Reuse

• We knew that we wanted to absolutely minimise our waste to landfill from our existing site but also that a key part of the office move would be everyone being excited by a new look and feel.
  
• To achieve both these objectives we completed a full office reusability assessment, with every item being considered as to whether it was something that could potentially be moved across to the new office. We were surprised that actually, as long as we designed around them, some of the most significant pieces of furniture such as office chairs, boardroom tables and meeting room chairs, could be kept as part of the move.
  
• We partnered with charity Waste to Wonder for the items we could not reuse, with all 86 items that we donated, from desks to chairs, repurposed for education facilities in Cameroon.

Tip: It’s easy to come to dislike office furniture you see every day, but make sure you are fully considering whether it might work (with a clean/refurb) in the move. Often these are high quality items that still function perfectly well.

4. Resell

• Once we had worked out which items we could move over, that still left several items for us to find a home for. We decided the first port of call would be an ECI charity auction, giving people the option to bid on items from the office – from lamps to artwork – raising crucial funds for our charity partner, The Bread and Butter Thing. It also gave people an opportunity to donate gifts or promises to support our fundraising efforts.
• Overall, we sold 62 items and raised c.£10,000 for our charity partner. And importantly, it was a large batch of items that wouldn’t be going into landfill.

Tip: You would be surprised by what people secretly have their eye on in your existing office! Not only does this create a unique fundraising opportunity, but it also builds buy-in for the sustainable office initiative. 

5. Recycle

Following an IT audit to understand which tech needed upgrading to improve efficiency, we knew we wanted to ensure our old technology - from computers to random charging cables - was removed sustainably. We partnered with two charities to ensure that it could be reused/recycled as appropriate. These were:

• We partnered with Computeraid, a leading registered charity for providing refurbished IT equipment. This meant old monitors, PCs and laptops were cleaned and then donated to non-profits like schools, charities, or community centres throughout the world, ensuring it does not end up in landfill. Even items like wires and charging cables are stripped for parts so that the underlying components can be recycled.
  
• Further equipment was donated to CPR Computer Recycling where the items are sold and all profits are given to charity.

Tip: It is absolutely possible to pursue a zero waste to landfill strategy as part of moving office sustainably. Whether you’re looking to reuse or recycle, find the right partner and make sure it is included as a line item in your budget from the start.

6. Green office policies

• Moving office is a fantastic opportunity to trigger behavioural change within your team. Now is the time to think about what the greenest version of your office looks like and what behaviours do you need from your team to support that? At ECI we created a wishlist of everything we’d like, and then prioritised what we thought we could change immediately and what we might need to develop longer term.
  
• This included really committing to going paperless. That meant stopping business cards as standard, implementing a clean desk policy and minimising printers throughout the office to support that transition.
  
• At ECI we removed bins from people’s desks and set up proper recycling hubs throughout the office instead. We now recycle our espresso pods and are looking at options for terracycle in the future.
  
• As well as automatically turning off as much as possible through sensors, teams are encouraged to turn off everything at the end of the day, and this is tracked to see adherence. Not only does this reduce energy use, it also is key for ensuring IT systems are being updated and reduces cyber risk.

Tip: Make a wishlist of everything you could potentially do in the office and then prioritise by impact and ease of implementation.

As part of our Unlocked programme, sharing expertise across the ECI network, we recently welcomed Lisa Forte, partner at Red Goat, the cyber resilience and defence consultancy. Together with ECI’s Head of Cyber, Ash Patel, and Avantia’s CTO Dan Huddart, we discussed the current threat landscape and what boards can do to best protect themselves.

Lisa shared how cyber-attackers are now professionally run and globally recognised organisations, with processes and reporting to maximise extortion of as many companies as possible. As the attackers professionalise, what are the five biggest cyber threats facing companies?

1. Double extortion ransomware

In recent years, ransomware has emerged as one of the most prominent cyber threats, rapidly evolving from traditional malware attacks to more destructive ‘double extortion ransomware’. In the past, attackers would encrypt data and demand a ransom for the decryption key. Cyber attackers have now adopted a new tactic that amplifies the impact of ransomware attacks. Not only do they demand payment for decryption keys to unlock the encrypted data, but they also engage in data exfiltration, stealing sensitive information from the targeted companies. To add further pressure, these attackers threaten to publicly leak the stolen data unless the ransom is paid promptly.

As a result of this dual-threat strategy, numerous companies have found themselves compelled to give in to the ransom demands to prevent the potential exposure of their confidential data. This approach has proven alarmingly successful, pushing many organisations to pay the ransom as a desperate measure to avoid reputational damage and potential legal consequences.

2. Politically motivated groups & DDoS attacks

The rise of pro-Russian hacking groups has led to a surge in Distributed Denial of Service (DDoS) attacks, which flood servers and network sites to prevent users from accessing them. The aim is to cause downtime for websites, creating potential financial losses and significant disruption to businesses. E-commerce websites are particularly under threat due to the damage these attacks cause, as well as financial organisations and companies who are seen to be in support of Ukraine.

3. Employee targeted attacks

The number of insider threats has been rising as employees are increasingly collaborating with attackers, granting access to networks, and sharing sensitive data. The cost-of-living crisis has made individuals more susceptible to manipulation, contributing to this trend. To mitigate the risk, companies should adopt a principle of least privilege, ensuring that employees only have access to the data that is essential for their roles.

4. LinkedIn targeting

Hackers are increasingly using alternative social engineering techniques, such as building long-term relationships on professional platforms such as LinkedIn to gain access to sensitive information. Some companies, including MI5 & CPNI, have launched the app ‘Think before you link’, which is a series of targeted training sessions on what this looks like on LinkedIn or other similar platforms.

5. Impersonation

Using generative AI can help attackers streamline their operations and make it more difficult for employees to spot the attack. That being said, this hasn’t yet drastically impacted attacks, as their previous approach was already so effective!

In the face of all these significant threats, what can all boards do to tackle the different issues?

1. Every board should conduct a review of all systems and applications

This means spending time evaluating; what does my business need to survive/run? What are the critical systems that need protecting? The board should consider how the business would be able to operate in the event of an attack, how long it would it take to get back online and where an attack would have the greatest impact. For example, could you do business without emails, and do you therefore have the necessary contact details of key stakeholders in the event of an attack? Cyber accreditations such as ISO27001 or SOC 2 are a key way to front-foot your cyber awareness and preparedness internally.

Dan Huddart, Chief Technology Officer at ECI-backed business Avantia, spoke about how they have developed an ‘always on’ approach. This includes putting processes in place to take immediate action and isolate if any threats are identified.

2. Create a crisis management structure

Developing a comprehensive cyber incident response plan is crucial and should be prepared as if an attack is an inevitability. Pre-building comms statements and establishing clear protocols will help with swiftly and effectively handling the response, as the board will struggle with bandwidth during a crisis.

3. Tabletop exercises

Regular tabletop exercises can help identify weaknesses and improve response capabilities. Establish a structure of Gold (strategic decision maker), Silver (tactical) and Bronze (operational) teams, and make sure everyone knows where they sit in this. This should be re-run annually, or if the risk changes, for example with an acquisition.

4. Staff training

While technical prevention methods are essential, the weakest link in cybersecurity often lies with employees, therefore making it essential to provide adequate training for all staff. Good examples of this can be engaging video series, ideally delivered in the flow of work and tailored to the specific needs of individuals, rather than one-size-fits-all content platforms.

5. Cyber insurance

Cyber insurers can be hugely valuable during an attack; they can offer PR support, additional call-centre resources to help with the influx of enquiries and can assist with negotiating with the ransomware group. However, this can be difficult and costly to obtain and maintain.

If you would like to find out more about upcoming ECI Unlocked sessions, or you want to hear more about how ECI is supporting its portfolio with cyber security, please do get in touch.

We're delighted to announce our investment in Commify, the UK-headquartered European leader in business messaging solutions to Local Enterprises. The deal, valued at €300 million, provides a full realisation for Hg.

Commify’s integrated solutions enable over 45,000 customers to communicate with their customers and staff, sending over 5 billion messages per year, covering a range of business-critical use cases from appointment confirmations to emergency alerts, via a range of channels including SMS, WhatsApp, RCS, email and voice.

The business is a long-established leader in the European Local Enterprise segment, complemented by fast-growing operations in the US and Australia. It operates at a global scale, taken to market locally in each country via both its global solutions brand Esendex and local self-serve brands. Commify has completed 16 complementary acquisitions in the last decade, and the investment from ECI will support further acquisitions across both existing and new countries, as well as to accelerate future platform and product development.