How We Keep Your Data Secure

As a cyber security company, nothing is more important to us than the security of our customers’ data. A breach of our customer information could cost us our entire business, and that’s why we go above and beyond to implement the latest cutting-edge security tools and to ensure that robust processes and the fundamentals of information security management are in place.

Here we describe the specific controls and approaches we take to securing the different aspects of our business, from the office we use, to our datacentres, access control, and prevention and detection strategies:

Continuous security monitoring

The Intruder service provides high-quality assessments of weaknesses in internet-facing systems. Using our own service against ourselves allows us to be rapidly informed whenever new vulnerabilities are released.

Detection

Intruder uses industry-standard intrusion prevention tools to protect our online services and infrastructure against active attacks.

Endpoint protection

Intruder uses state-of-the-art anti-virus and anti-malware solutions as part of a suite of next-generation endpoint protection tools.

Transport encryption

As you would expect, we use banking-grade 128-bit AES Transport Layer Security (TLS) encryption on all transport links carrying customer information or controlling our infrastructure.

Data separation

The Intruder portal uses industry-standard libraries and software engineering techniques to ensure logical data separation between clients’ datasets within the SaaS environment.

Data center security

Intruder exclusively uses datacenters with numerous security certifications, including ISO27001, PCI DSS and more.

Individual accounts

Intruder assigns individual accounts to all privileged users to enable auditing and logging of privileged access to customer data.

Patching

Intruder has robust policies and implements processes to ensure we regularly perform essential maintenance activities such as patching software, taking data backups and testing that controls function as expected.

Backups

Intruder performs regular full backups of our customer and company information and stores them securely in a separate cloud zone. Backup restore procedures are tested bi-annually to ensure that we can recover from any disaster.

Background checks

We vet every employee with third-party background checks for authentication purposes and for criminal records, and we follow up on character references.

Access reviews

Intruder performs regular access reviews of employee privileges to ensure that, as employee roles change over time, their privileges are updated and kept in sync.

Penetration testing

We perform penetration testing against our application on every major release using our own in-house security experts.

Storage encryption

Intruder uses full-disk encryption as standard on all company devices, as well as on cloud volumes storing customer information. This enables us to protect data on equipment that is lost or stolen.

Hardened builds

Intruder uses hardened builds for its application servers. No software runs with root privileges, and application and deployment accounts do not have access to the rest of the operating system or network beyond what is necessary.

Secure coding

Intruder adopts secure coding principles during development. All code being checked in is reviewed for security weaknesses by both humans and automated scanning tools.

No passwords

Intruder uses SSH keys to control access to its infrastructure. No passwords are in use in the estate, protecting us from standard brute forcing and password stuffing attacks.

Two factor authentication

Intruder uses two-factor authentication on all corporate accounts. This helps us prevent common attacks such as email phishing, which aims to capture user credentials to gain access to company information and services.

Anti-virus and anti-malware

Intruder’s infrastructure is protected by anti-virus and anti-malware systems.

Office security

The Intruder office is located in a dedicated secure room in a secured office block. The entrance to the building is secured with security guards during the daytime and is locked with a shutter and burglar alarm overnight, as well as being covered by CCTV.

Least privilege

Intruder follows the principle of least privilege as a general model within the business. Where employees do not require access to information or systems, they are not given it.

Governance & Responsibility

No amount of technical security controls would be sufficient unless backed up by robust process and governance. Intruder has a robust governance model in place which makes specific staff members responsible for information security in the organization, in line with ISO27001 principles.

SOC 2 Type 2

Intruder Systems Ltd successfully completed the AICPA Service Organization Control (SOC) 2 Type 2 audit. The audit confirms that Intruder Systems Ltd’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
