Case Study by Sam Mannix - Digital Strategy & Innovation Manager, RSM Australia
RSM Australia is part of the RSM International Network – the world’s sixth-largest audit, tax and consulting network. We also offer a wide range of other specialist services, including wealth management, consulting, and global compliance reporting. As such, we hold client data that is sensitive in nature, and we are obliged to ensure it is always protected. A breach of any kind would have a significant reputational impact and, depending on the specific activity, could put our clients and/or our business at risk.
To meet our ISO 27001 certification requirements and our RSM global network membership status, we regularly engage a third party to undertake penetration testing of our web apps.
Penetration testing is something that we simply have to do for compliance – we have an internal protocol for regular scanning, and we have been engaging external penetration testers for over 11 years. The goal of this exercise was to ensure that our core web applications are secured according to current standards and exposures – to ensure our internet boundaries are protected and ensure the front door remains closed to potential cyber-criminal activity.
We wanted to make sure the configuration changes made over the years have not exposed us to any threats. We also wanted to check and be assured that our internal scanning protocol was and is working well.
The Selection Process
Following provider consolidation in the market, we decided to look for a new external penetration tester. We began the process with a market assessment, having identified three main criteria for selection: skills and experience, accreditation (especially with CREST), and cost.
Although The Missing Link was more expensive than the other companies we looked at, they surpassed the competition when it came to skills, experience and, most importantly, CREST accreditation.
The entire process was a breeze from my perspective. The Missing Link was professional, approachable, and flexible to meet our needs.
They assigned Mitch to project manage the engagement, and all essential communications that he delivered were clear and concise. We had a project kick-off call with The Missing Link’s entire team, which enabled them to ask questions about any specialised web applications we use. By the end of the call, the testers had a good grasp of what it was they were testing and the issues they were looking to discover.
There were challenges with this engagement – namely timing issues with our accounts and app vendor configurations which delayed the start. Mitch clearly explained the impact and worked to get the project back on schedule.
There weren’t many surprises. However, The Missing Link did find a medium issue with one of our vendor apps. As promised, this was assessed and raised immediately. The Missing Link then provided an interim report on the issue with a level of detail that was a lot higher than I have seen before. It clearly described the issue, potential risk, and required remediation, which gave us the jump start and enabled us to take the issue straight to the vendor.
The final report was equally impressive. Although we were offered a session to run through the findings and ask any questions, the level of detail and clarity provided negated the need to do so. They provided absolute value for money.
Engaging The Missing Link to perform penetration testing has assured our organisation that our controls and processes are working as intended. We can be confident that we are compliant with ISO 27001 and with RSM International Network requirements.
Personally, I can now sleep in peace. Cyber-attacks are increasingly prevalent, so it’s great to have that external assurance that we are as protected as we can be at this time.