Recoveriescorp

Posted by Rudy Mitra on May 18, 2020 5:14:14 PM

Case study by Graeme Moore - IT Operations Manager, Recoveriescorp 


The Background

Recoveriescorp is an award-winning organisation that provides a debt collection service for clients, including Australia’s biggest financial services companies. Our sophisticated information technology infrastructure and software have facilitated our success.

 

The Goal

As a debt recoveries service, we handle sensitive information for a wide range of clients on a day-to-day basis, which makes data security extremely important to us.

To comply with government regulation, we have to meet ISO 27001 as well as the Payment Card Industry Data Security Standard for credit cards. And because our clients are working in the financial services sector, we also have to meet their stringent data security standards.

Over the past decade, I’ve observed a significant change in the importance placed on data security, and this has intensified further since the Royal Banking Commission started in late 2017. Our clients’ security requirements increased quite noticeably each year.

 

The Selection Process

The Missing Link reached out to us in 2017, asking to have a chat about our data security.

At that time, we didn’t discuss penetration testing with them. Instead, we spoke about finding solutions to our software limitations. In particular, we were looking for a solution to streamline our patch management process. The solutions we’d identified that met our needs were quoted at a sky-high price, which was well outside our budget - as a debt recovery service, we are expected to meet all the security requirements of our tier one partners but in a much smaller environment, which can be extremely challenging.

With this in mind, The Missing Link took a very pragmatic approach and suggested IBM’s BigFix – a patch management tool for a fraction of the cost. They acknowledged it would not have the functionality of the more expensive solutions but advised it would be a good starting point. We took their advice and we continue to use BigFix every month. It does a great job, and we still haven’t needed to use all of its functionality. In retrospect, the products we’d initially looked at, which were ten times the price, would never have given us ten times the value.

Over the following two years, we didn’t do much with The Missing Link. They proposed penetration testing, however again, our budget could not extend to the premium service that The Missing Link was offering. But we kept talking to them because we could see they had some of the best resources in Melbourne – and we hoped to engage them at some time in the future.

Over time, our budgets increased in this area and eventually, in 2019, the available budget met the offering from The Missing Link and we moved forward with them.

 

Our Relationship

Our relationship with The Missing Link is professional, but it’s also personal. We’ve had the same Account Manager since we first engaged their services and when we meet, we catch up on family then get down to business pretty quickly. They are always responsive to our calls, transparent about their costs and services, and importantly if anything goes wrong, they’re quick to resolve issues.

As a company that plays in the premium end of town, you’d expect high fee services. But impressively, they provided us with lots of options for penetration testing and they’ve been very clear about the compromises that can realistically be made to reduce costs while still meeting ISO, and more importantly, the broader intention of the standard.

The Difference

Penetration testing with The Missing Link has certainly produced some surprises and fundamentally changed the way we do things. They have identified outdated processes that other IT experts have not commented on, and they’ve given us guidance on how to fix them with clear start and end points. When we needed more information, they quickly gave us direct access to their pen testers for technical support – which is something a lot of companies won’t do. The feedback from my team has been that this has drastically reduced the time taken to resolve issues, which obviously results in a big productivity boost for our business as my staff can move on to the next project.

Pen testing is a double-edged sword - it adds a lot to your workload when things are found that need to be remediated. However, I’d obviously prefer The Missing Link finding them than a hacker. If a hacker breaks in, takes data and brings the company down, the repercussions will be massive. With The Missing Link beside us, I can feel confident we are making the right choices and securing the business.
