At Verbit, we understand just how important your data is. Our dedicated in-house information security team uses human expertise, cutting-edge technology and industry best practices to keep your data safe and secure, providing you with the assurance and confidence you need to use Verbit’s platform and services.
Verbit leverages the power, flexibility and security of the world’s largest public cloud service provider to provide a secure environment for our platforms and our customers’ data
Backed by the AWS uptime SLA, our platforms are also replicated across multiple availability zones and regions to ensure that our services are available whenever you need them.
Only authorized Verbit employees may make changes to our AWS infrastructure. Access is via SSO and with 2FA only, and user privileges are regularly reviewed. All account actions are logged.
We use AWS services such as GuardDuty, CloudWatch, and CloudTrail to monitor and help detect threats to our AWS infrastructure, and to generate a comprehensive audit trail.
We use industry-leading CSPM software to monitor our infrastructure continuously, including infrastructure-as-code scanning. Our CSPM software helps us detect misconfigurations in real-time and set up automatic remediation workflows, while also providing important context that allows our team to make risk-based decisions. Attack path analysis enables our security experts to identify lateral movement paths that may pose a risk to high-value assets.
We’ve set internal commitments to ensure that vulnerabilities are remedied within an appropriate timeframe, according to severity level. We aim to resolve critical-severity vulnerabilities within 48 hours and high-severity vulnerabilities within 14 days.
For global businesses with large digital estates, the volume of security data can quickly become overwhelming. At Verbit, this is where we turn to our SIEM for help. With AI and machine learning capabilities, our SIEM combines security data with threat intelligence and behavioral analytics, cutting down on false positives and allowing our security experts to focus on protecting our data and our customers’ data.
Led by Verbit’s CISO, our information security team includes security experts who specialize in incident response and malware analysis. Working together with our dedicated 24/7 Security Operations Center, our security team can triage and respond to security incidents quickly and effectively.
To support our internal team, Verbit works with an external provider to ensure that we have 24/7 coverage of all events and incidents
Access to our platforms is via the encrypted HTTPS protocol only, and any HTTP requests are redirected to HTTPS. This helps to keep your user credentials and data secure while in transit. Your data is also encrypted in AWS S3 buckets while at rest, using industry-standard strong cryptographic algorithms such as AES-256.
Over 80% of data breaches can be traced back to poor password security – that’s why our platforms also include two-factor authentication (2FA) to help secure your data. Customers can assign specific roles within their team to ensure that no one has more access rights than they require. On the Verbit side, we also have detailed access control and password policies. Only authorized personnel have access to your data, and we regularly review access rights.
Your data is safe and secure when it’s in our platform, but you can also remove it whenever you want – just get in touch with your account manager.
Verbit’s R&D team is passionate about providing our customers with the best and most secure platforms possible, and we plan and carry out our development according to documented SSDLC procedures.
Our platforms are developed with input from our security specialists, while also taking into account industry best practices, such as the OWASP Top 10. All code is reviewed prior to being merged into the main branch. As with everything in information security, it’s important to keep up to date with the latest developments – our R&D team undergoes regular secure coding training.
We support our commitment to secure development and information security by commissioning an independent, external penetration test of our platforms at least annually. These tests are conducted by cybersecurity experts with decades of experience, using the latest tools and techniques to simulate real-world attacks.
Infrastructure and application security focuses on protecting the data that our customers send us for transcription. That’s a priority for Verbit, but we’re just as serious when it comes to protecting our own data.
Like most tech businesses, Verbit relies on a number of software-as-a-service (SaaS) platforms for our daily business operations. To manage these platforms, we’ve chosen to implement a best-in-class SSPM solution to help us out.
With SSPM, our security team can monitor security posture for each of our SaaS assets in near real-time. We’re able to detect SaaS misconfigurations, as well as monitor user privileges. This allows us to make accurate assessments of both SaaS-to-SaaS and Device-to-SaaS risks and implement appropriate remediations, continuously hardening our SaaS security.
SSO is the perfect counterpart to SSPM – we use one of the world’s leading SSO platforms to bring authentication across our SaaS estate together under one umbrella.
Incorporating 2FA, our SSO platform hardens our SaaS security and helps our employees avoid falling into common password security traps, such as reusing the same password for multiple systems.
Our SSO platform also makes life easier for our IT and security teams when provisioning and deprovisioning users, and even helps by automatically deactivating inactive user accounts.
At Verbit, we don’t store confidential information on user devices, but we don’t stop there. All of our corporate-managed devices are encrypted, meaning that if the device is lost, any data on it cannot easily be accessed. We also enroll our devices into a device management platform so that our team can monitor and manage them centrally. The functionality includes helping with routine tasks, such as applying system updates, but also allows us to disable or even wipe the device remotely if it is ever lost or compromised.
If you ask any information security expert what keeps them awake at night, invariably they’ll start talking about ransomware. The idea that you could quickly be locked out of your data is a risk that all businesses should take seriously.
We leverage the power of a world-leading next-gen antivirus and endpoint detection and response (NGAV and EDR) solution that goes far beyond traditional definitions-based file checking to help secure our endpoints and reduce the risk of ransomware and other malware. Utilizing AI and machine learning technology, our NGAV and EDR can block known and unknown malware and ransomware. Industry-leading threat intelligence is combined with AI-powered indicators of attack to help prevent malicious behavior and sophisticated attacks.
What’s more, our NGAV and EDR solution is backed by a team of cybersecurity experts working 24/7 to help prevent attacks – sometimes referred to as Managed Detection and Response (MDR) – for a truly comprehensive, hybrid solution.
A phishing email can often be the entry point for ransomware or malware – in fact, some reports suggest that as much as 91% of all attacks begin with a phishing email, so email security is worth taking very seriously. At Verbit, we’ve enhanced the native security capabilities of our email suite by adding advanced threat protection from one of the leading vendors in the market. With seven layers of security – including threat intelligence from multiple sources, recursive unpacking, and CPU-level technology – our advanced threat protection can prevent not just spam and typical malicious emails, but also deeply embedded attacks, persistent attacks and targeted attacks, as well as business email compromise scenarios such as email spoofing and look-alike domains.
It’s important that our vendors take information security as seriously as we do at Verbit – particularly where they may have access to our customers’ data.
We’ve developed strict security criteria for our vendors based on the risk they pose to us and to our customers, and we work with a leading third-party security management platform to automate the management process. Smart questionnaires and automated security scanning give us visibility of our external attack surface and allow us to identify and treat third-party risks effectively.
At Verbit, we believe in making our people the first line of defense in information security. That means giving them knowledge, encouraging questions, and empowering people to make good decisions.
All Verbit employees undergo security awareness training as part of their initial onboarding. We don’t stop there, though – we have a rolling program of security awareness training that runs throughout the year, across the whole business, and we also encourage our employees to make use of our large training catalogue in addition to compulsory awareness modules. Our security awareness training isn’t generic, static content. Working with a leading provider, we make sure that we have dynamic content tailored specifically to Verbit’s information security landscape. As part of our security awareness program, we also conduct regular phishing and spear phishing simulations.
Our objective at Verbit is to build a strong culture of cybersecurity awareness. Our Security Champions help facilitate this by integrating security into the daily work process, both for themselves and for their teams. Security Champions can provide peer-to-peer support to supplement our formal training and awareness schedule and reinforce the collaborative nature of our information security strategy.
It’s important that we ensure we have the right people working for us and working on our customers’ data. Our HR team works hard to verify that new Verbit employees are who they say they are. Where local laws permit, we may also conduct background checks appropriate to the job role – a criminal records check or a credit history check, for example.
All Verbit employees are aware of our information security policies and agree to follow them. We manage policy updates and attestation through a central platform so that we can be sure everyone is always up to date with the latest version
When our employees need to use Verbit information systems, we grant access based on the principle of least privilege. All user accounts are unique to an individual user and are secured in accordance with Verbit’s access control and password policies.
Our access control policy specifies rules for joiners, movers, and leavers – and user access rights are regularly reviewed to ensure that privileges are appropriate and not retained longer than necessary.
Information security is a culture, not a bolt-on, and in Verbit this culture starts at the very top with a strong commitment from senior leadership – leading by example and promoting continual improvement, but also ensuring that our information security strategy is aligned with Verbit’s overall business objectives.
At Verbit, we have a dedicated team for managing information security, led by our CISO, and we align with globally accepted best practices for information security management.
ISO 27001:2013 certification and SOC2 attestation are available for certain services and configurations – please speak with your account manager or our support team for further details.
Without understanding our risk landscape, it would be impossible to select appropriate information security controls. That’s why risk management is the heart of Verbit’s ISMS – we identify threats and vulnerabilities to our information assets and assess them in terms of both likelihood and impact to our business. We then use this data to make sure that we’re selecting controls appropriate to the risks we face.
Risk assessments are regularly updated, in particular in response to system changes, and the risk landscape is reviewed by senior leadership at least annually.
Verbit’s information security policies are reviewed at least annually, or in response to significant change, and approved by senior leadership. Policies are communicated throughout the business and are also available to other interested parties where appropriate.
It’s important to check that controls are working as intended. That’s why we run both annual and quarterly internal audit programs – this allows us to catch any problems and resolve them quickly, but also to identify opportunities for continual improvement. The results of internal audits form part of our overall reporting on information security and are reviewed by senior leadership.
