Providing evidence of effective security with penetration testing
To meet the daunting requirements of new financial regulations, WMBA Limited, the commercial entity of the respected British trade association Wholesale Markets Brokers’ Association asked Redscan to carry out penetration testing on its web site and internet-facing applications. The organisation received an impressively quick and highly professional service, enabling it to meet its compliance deadlines and demonstrate the effectiveness of its IT security.
For many years, WMBA Ltd has published a number of financial guides for global markets, including SONIA and RONIA, two sterling-based indices of trades between banks. Following the financial scrutiny surrounding ‘Libor’ in the UK, the Bank of England and Her Majesty’s Treasury decided to draw up a list of the UK’s most influential financial benchmarks and then bring them all under the tight regulation of the Financial Conduct Authority (FCA). Both SONIA and RONIA appeared on that list.
“The news came as a mixed blessing,” says Glen Tamcken, IT Manager at WMBA Ltd. “On the one hand it raised the profile of our organisation and endorsed the quality of our products. On the other, it gave us a lot of new procedures and paperwork to organise, which had a huge financial impact. We are not a large organisation, so we needed to gather all of the evidence to demonstrate our compliance as cost efficiently as possible.”
Under the FCA regulations, WMBA Ltd has to be able to prove that its IT systems and data are well defended from the antics of hackers, who might want to maliciously corrupt or manipulate financial figures. The organisation therefore decided to commission a penetration test from a professional IT security firm that could challenge its existing IT security controls and provide recommendations for improvements.
WMBA Ltd started by obtaining quotes from various providers for penetration tests. “Some were outrageously expensive,” says Tamcken, “but Redscan was very reasonable.”
He adds: “Redscan had the personal touch. A director from the company came in and talked with us to gain an understanding of our business, we also had the opportunity to have an in-depth discussion with the specialist who carried out the test before he got started. He was able to give us a reassuring explanation of what he was going to do during the test and the kind of reporting we would get back.”
Over an agreed period of time, Redscan conducted ‘ethical hacking’ and penetration testing to challenge the security of WMBA Ltd’s systems. The tests focused on the organisation’s internet-facing servers and web site, identifying potential areas of vulnerability based on its long experience of providing managed IT security services. Then Redscan produced detailed reports, providing WMBA Ltd with invaluable insight into the strength of its defences and suggestions for additional enhancements.
WMBA Ltd was particularly impressed by how soon Redscan could carry out the penetration test and how quickly the reports were delivered. “We had quite tight deadlines,” Tamcken explains. “Redscan was very accommodating on the schedule for the penetration test, they did the test and got the reports back to us in just a couple of days.”
The cost efficiency of Redscan’s service, as compared to the other providers who offered quotes, was another huge benefit. The sudden need for FCA compliance had given WMBA Ltd lots of unexpected but significant costs, and Redscan helped the organisation to keep this expenditure manageable.
As a core part of its penetration testing service, Redscan provides a detailed, written report, which, according to Tamcken, is “set out in a clear manner and easy to read.” WMBA Ltd was able to act upon the recommendations in its report and make system enhancements itself without the need for external help.
Genuine security improvements
The expert advice that Redscan provided about the effectiveness of WMBA Ltd’s IT security was very valuable for the organisation. Tamcken explains: “Due to the size of our organisation we haven’t got vast IT resources and specialist IT security professionals who can look at every possible aspect of IT security, so it was reassuring to have Redscan’s expert help. Fortunately, there weren’t any major areas of weakness in our IT systems, but Redscan did provide us with some valuable advice about a couple of things that we could do to strengthen our defences even further.”
Following the initial penetration test, WMBA Ltd took Redscan’s advice and made improvements to its IT security. Then, Redscan provided a free retest, so the organisation could be absolutely certain that its security was as effective as possible.
Stamp of approval
Now WMBA Ltd is well on the way towards becoming an Authorised Benchmark Administrator. “Redscan has given us a third party stamp of approval for our IT security and the reassurance to know we are as secure as possible.” Tamcken says.
What our customers say
"Redscan gave us the professional service and quick turnaround that we needed to meet our tight deadlines."
IT Manager, WMBA
"Should I need any security testing again in the future, Redscan would be my first port of call!"
Project Analyst/Developer, STM Life
"We have been very impressed by the quality of Redscan’s engagement, communication and reporting. We will not hesitate to use them for any future testing requirements."
Information Security Officer, LDF
"Our partnership with Redscan has been one of the most successful that we have ever undertaken"
IT Director, ICG
"If you want a solution where someone will look after you 24/7 and give you a very flexible, professional and agile service – you want Redscan"