Running a charitable organisation is the ultimate exercise in accountability: You've got to answer to the community you serve as well as those who support your efforts. When British Red Cross Training, the commercial first aid training arm of the global humanitarian charity British Red Cross, wanted to live up to its security obligations and do good work, turning to Intruder Pro ended up being the ideal solution.
"My job is to manage our website," said Steve Hart, the Digital Product Manager of British Red Cross Training. "Before Intruder, we had nothing viable in place - it streamlined our processes and brought an unprecedented level of governance around our penetration testing."
Steve and his colleagues weren't complete security newbies. They had tried manual penetration testing and worked with agencies in the past. However, their thousand-pound price tags made routine security scans prohibitively costly, and manual testing proved unwieldy and time-consuming. Considering that every day of delay between checks posed a vast window of opportunity for hackers, something had to give.
With Intruder Pro, Steve and his team were able to jump right into vulnerability discovery and management and keep up the pace. Steve recounted:
"With our old annual pen-testing practices, it took around 18 months to identify and resolve problems, which was too long and could have left us open to unidentified threats during that time. So, I brought Intruder in on a trial basis – just to see how it would work – and it immediately picked up numerous vulnerabilities. Thanks to the remediation advice provided, we were able to fix them all quickly."
Steve cared about the organisation and its users and wanted to go above and beyond to protect its online security. So how did he rise to the challenge and accomplish it?
According to Steve, Intruder Pro's integrations made a considerable difference. One of his favourite features was the ability to manage issues identified by the platform via his existing risk management tools. Every time he created a vulnerability report, he saved time by pushing it straight into Jira for a developer to pick up the corresponding issue and start plugging away on a fix.
Knowing about security threats only gets you halfway there. To implement solutions that work, it's critical to find a security tool that meshes into your workflow. Intruder Pro's integrations with Slack, GitHub, Google Cloud Platform, and others, are optimised to keep information flowing to the right stakeholders. In the event of a problem, everyone could come together to build a solution without worrying about the incidentals – like how to decide when issues might need escalation.
Having enhanced organisational awareness ultimately kept different stakeholders from treading on one another's toes. The relevant data made its way to key players automatically instead of forcing them to hunt it down.
As the product manager, Steve didn't exactly have all day to sit around mining through security reports to find a few actionable gems of insight. Multitasking is nothing novel, but having to wear so many hats can take its toll on security awareness. "Before, an agency or third-party vendor would do our penetration testing," Steve said. "Afterward, we'd get a report that was three million pages long with only three recommendations at the end."
Switching to Intruder Pro let the organisation use the Emerging Threat scanning feature continuously. The team were able to uncover vulnerabilities as they cropped up, so they could respond in a more timely fashion.
The switch to instant reporting did more than merely reduce the time to a problem's discovery. By breaking security gaps down and constantly scanning, the team was able to take on problems one at a time. They also found it easier to focus on specific issues. Implementing effective remediation strategies took less effort when results reflected in-context, accurate data.
One of the primary reasons the British Red Cross Training team wanted to transition was the fact that the charity sector is a prime target for hacks. With servers full of user information, payments, and other sensitive data, it was critical to institute a comprehensive, sustainable security regimen.
"There have obviously been quite high-profile data breaches in this sector recently, so we really have to keep on top of it and make sure we don't have any issues which could compromise our data," Steve noted. In translation, ease of use was everything.
Tools that required great effort to use properly were no good, as they'd cause delays that made it impossible to achieve the ultimate goal of continuous security. Options that generated obscure feedback were also a no-go. Misunderstandings might result in improper fixes, and even though the organisation’s coding team knew its stuff, the information still had to pass through decision-makers – like Steve – first.
Intruder Pro's functional simplicity was a key differentiator that transformed the way the team handled infosecurity. By providing straightforward feedback and summaries, it helped Steve understand not only where British Red Cross Training's vulnerabilities lay, but also which ones should take priority. The system also unified the process, meaning that Steve didn't have to shift mental gears when he wanted to assess internal, external, or cloud assets. He could simply add the appropriate targets and watch the scanner do its job. And now, with Intruder’s introduction of authenticated scanning, new customers can also minimise attack surfaces in their most important engagement pages.
"Intruder Pro is intuitive," said Steve, who appreciated the clean interface and dashboard. "This makes it more manageable for someone who might not be an infosec expert to use effectively.
What's next for Steve and the team at British Red Cross Training? Although they've moved on to handling their security with an in-house team, their experience with highly functional, efficient, infosec governance has certainly left them better informed. As the organisation strives to set a new bar for public service, it will undoubtedly be keeping these lessons in mind.