Case Study by Alex Byrnes - ICT Manager, Centacare New England North West
The Background
Centacare NENW is the Social Services Agency of the Catholic Diocese of Armidale.
Although we are a Catholic agency, we work across the community to offer a range of services to individuals and families from all backgrounds. To facilitate our services, we have built strong relationships and networks with local agencies, health care and mental health care services, Elders and community leaders.
As a social services provider, we collect a lot of confidential information on our clients – from their basic personally identifiable information through to notes from sessions that might involve counselling, NDIS planning, mediation matters and even divorce settlements. It’s very easy to realise the importance of keeping this information safe and secure.
The Goal
In engaging The Missing Link, we wanted to have a third party undertake a professional and thorough audit of our internal and external systems. Ultimately, our goal was to ensure our systems are as secure as they can be.
The Selection Process
In November 2020, our organisation started the process of evaluating our cyber security. At that time, we spoke to the company that holds our insurance policy for cyber security, and they recommended two vendors for Penetration Testing, one being The Missing Link. We looked at both companies but ultimately decided to go with The Missing Link.
There were a few reasons behind this decision. We wanted to work with an Australian company with local staff, and The Missing Link fit this criterion.
Additionally, we had read good reviews of their work, and when we started discussions, they were very responsive.
For me, the most significant selling point was that security is their thing – it’s their day-to-day work rather than being an add-on to other services, so they’re fully geared up with red and blue teams to carry out in-depth penetration testing. It just made sense to go with them rather than another group.
Our Relationship
Although we started the engagement process in November, we didn’t want to commence Penetration Testing until after the new year, when everyone returned from holidays.
In the lead-up, we went through the process with The Missing Link, provided the information about our systems that they needed, and agreed on the scope of testing. Being able to pick and choose the areas we wanted to prioritise and test meant we were able to get good value for money from the project.
Once the new year came around, it didn’t take much effort on our behalf to get things underway. The testing itself was completed within a couple of weeks, and they notified us of priority issues during the testing so that we could rectify them immediately. They delivered the final report quickly, which meant we could start implementing more priority fixes straight away.
We always expected there would be some issues, so we weren’t surprised by what they found. They gave us a good list to work through, with a lot of detail for our IT team and an executive summary for presentation to our executives and board. The Missing Link also offered their support, if needed, as we implemented the fixes.
The Difference
Undertaking Penetration Testing with The Missing Link was a positive experience. We went into it knowing that issues would be found – after all, no organisation is perfect, and we certainly know we are not. So, this was a constructive way to identify issues and to find out how to fix them. It was good value for money, and we got the desired outcome we were looking for.
Having completed testing, what was found has been fixed and, as a result, we have a relatively secure system.
It also means that we can reassure our partners in the community and our clients that we have the best processes in place to protect their personal and professional information… that also goes a long way when it comes to securing tenders.