Case Study by Martin Smee - CEO, Pluss Communities
Pluss Communities is an online communications platform that helps build connections and communities. I was inspired to develop it, having moved to Brisbane as a university student. I wanted to find a way to help people overcome the challenges I’d experienced in making connections and finding out about what was going on in my community.
When I launched Pluss Communities V1 in June 2018, I was surprised by the interest it generated among retirement villages. In retrospect, it makes sense because there are so many times when older people are at high risk of becoming socially isolated – when they first move into a village, when a partner dies, or when they become less physically able, for example. Villages that have taken up Pluss Communities find their residents can get connected and stay connected through these stages – even if it means they’re simply able to read about what’s been happening around them or view some photos.
Having trialled Pluss Communities as a concept with a number of retirement organisations, and received a positive response, we turned our attention to establishing a good standard of data hygiene in an effort to prepare for commercialisation.
Our overarching goal in engaging an IT security provider was to ensure we had, and continue to have, the best possible data security controls in place. As a new business, this was critical to being able to reassure potential clients that their data and their users’ data would be safe when using the Pluss Communities platform.
To put this into place, we wanted to find a reputable company that was capable of delivering penetration testing and providing comprehensive documentation of their discoveries. We also wanted a company to provide ongoing advice on more complex elements of privacy law and compliance issues, as well as ongoing security services.
During the establishment of Pluss Communities, we benefited from some great advisors, and one of them was the Chief Technical Officer of a major online business who recommended The Missing Link.
He said to us, “I only use The Missing Link”, and with his strong love for data security, this was such a clear recommendation that we didn’t look at anyone else. We contacted The Missing Link and happily received a call back the same day.
In October 2019, we engaged The Missing Link to undertake our first penetration testing exercise and it was a positive experience from the beginning. We really put them to the test as we had a major potential client that had been deliberating about signing on with us for six months. When they decided to proceed, it was on the basis that we could prove – within two weeks – that our security standards met their compliance requirements.
The Missing Link was great – they pulled every string to make it happen and it did. We did two types of penetration testing – one from the perspective of a credentialed user and the second from the perspective of a malicious outsider. It was exciting but nerve-racking – while it wasn’t my effort being tested, because I’m not the coder, it was critical to our business moving forward.
The penetration testing proved reassuring. It was great to realise that building our technology to best practice standards meant we were well prepared to go to market. There were a few mid-level concerns, but they were accompanied by clear and helpful documentation, which enabled us to rectify the vulnerabilities.
When we engaged The Missing Link, we didn’t think we were ready to go to market. However, once we’d undertaken thorough penetration testing, and closed the gaps in our security risk, we felt confident that we were. Thanks to The Missing Link’s advice, we also felt well informed and were compliant with privacy legislation. That’s important because as a B2B company, the multi-million dollar organisations we want to work with need to be able to place their trust in our technology, our people and our processes.
As a business, we’re not big enough to have our own internal security team; however, we are growing and our needs are changing. The Missing Link has demonstrated its flexibility to work with us on this basis. They’ve provided options for service and advised us on which will give us the best bang for our buck. Going forward, we’ll do annual penetration testing and we’ll consult with them in between times to ensure we’re getting the information we need to maintain the highest levels of data security for our organisation and our clients.