Solv

Posted by Rudy Mitra on Jan 21, 2020 12:31:36 PM

Case Study by Jamie Gilroy - Technical Team Leader, Solv


The Background

Solv is a software as a service organisation. We provide software solutions to help organisations across Australia manage workplace injuries and workers’ compensation, their employee safety and health - in essence, we’re all about health and well-being.

Over the past four years we have quadrupled in size, and today we look after a wide range of clients that include major organisations. Because we’re handling their employees’ personal medical information, which is often sensitive, data security is paramount. If we were to suffer a major data breach, it could be personally and professionally damaging to our clients’ businesses and their employees. A data breach also has the potential to destroy our own company’s reputation and viability.

To protect ourselves, our clients and their employees against the risk of a data breach, all data is encrypted in transit and at rest and is stored and backed up in Australia with Microsoft Azure. We use firewalls, intrusion detection, and anti-virus/malware detection.


The Goal

Every year systems change, protocols change, and our client base has increasingly sophisticated requirements for data security. As a service provider, it’s essential that we keep on top of this with ongoing testing to identify any vulnerabilities.

In the past, we have undertaken annual penetration testing using a third party. More recently, we started third-party penetration testing multiple times each year. And this year, for the first time, we decided to add to our testing by having our source data analysed and reviewing our configuration of software services which are hosted with Microsoft Azure - we wanted to ensure our cloud solution has been set up to maximise security.


The Selection

With an expanded set of functionality testing in mind, we decided to look for a fresh set of eyes to test our systems.

I googled Australian CREST approved cyber security providers, and The Missing Link was one of the companies that came up in the search results. I then briefed all potential suppliers, with an itemised list of things to test - including standard penetration testing, the host configuration review and source code analysis.

The Missing Link replied with a clear and transparent quote that was logical, with all the options well laid out so that I could see exactly what I was getting. The price was good, my questions were answered, and so I decided they were the preferred contender.


Our Relationship

I’ve done a lot of testing before - as the technical team lead, I’m the main guy that digests the reports that come back to us from external providers, then breaks down tasks. Based on my experience, I found The Missing Link to be very much engaged in the project. Maddie was great in organising, leading and managing the entire project. Melody, who did our testing at The Missing Link, was really good - she was highly technical and thorough. Following our debrief, when she sent me through the report, she also sent through tools and tips, which were very helpful.

I was really pleased with the content of the report itself. There were no massive surprises in it, and the vulnerabilities they found and reported on were clearly set out, followed by some important recommendations to tackle them. In the past, I’ve had reports that tell you there is a vulnerability and provide vague recommendations for fixing them, which makes our work that much more difficult.


The Difference

The Missing Link’s work makes a big difference to our job and our company. The reports mean we can sleep at night knowing we are secure and knowing that even though we are not perfect, we have the knowledge and understanding to be able to improve things. We understand the specific areas that need to be improved, and we have a set of directions to follow.

This enables us to reassure existing customers and is critical to winning new business - a lot of companies, especially the bigger, more sophisticated companies, are becoming more demanding about standards of data security. We need to prove to them that we are secure - we need to prove that we undertake regular testing and that we also have third parties testing our infrastructure.

Of course, third-party testing from an accredited company like The Missing Link is also necessary to maintain our ISO certification - all our servers and processes are certified under ISO27001, ISO27017, ISO27018, IRAP and SOC 1/2/3.
