Finding the Cure for Security Vulnerabilities and Strengthening Regulatory Compliance

To protect corporate systems and an extensive retail network from ever-evolving security threats, the British Heart Foundation moved to highly accurate, automated vulnerability management and policy compliance using Qualys Express.

INDUSTRY: Not-for-Profit

BUSINESS: The UK’s number one heart charity, funding research, education, care and awareness campaigns aimed at preventing heart disease.

SIZE: 3,000 paid employees and 24,500 volunteers

BUSINESS PROBLEM: British Heart Foundation sought an effective, easy-to-deploy solution for managing and mitigating the vulnerabilities that threaten the security and regulatory compliance of its infrastructure.

SOLUTION: Qualys Express

For more than 50 years the British Heart Foundation (BHF) has pioneered research into the causes of heart disease and improved methods of prevention, diagnosis and treatment. BHF is wholly funded by donations, obtained through traditional fundraising methods, legacies left in supporters’ wills and retail activity.

BHF runs a chain of more than 730 charity shops throughout England, Wales and Scotland, which are predominantly staffed by some 22,000 volunteers. This retail division plays a vital role in BHF's fundraising activities, netting more than £34 million in 2012-2013. For every pound donated to the BHF, 81p is spent on the fight against heart disease, with a charitable expenditure of over £120 million in 2012-2013.

Staying One Step Ahead of Security Threats

Since much of its retail revenue flows through credit and debit card transactions, it is critical for BHF to keep underlying business systems secure and in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The organization must ensure that all its operating systems, applications and servers—both for retail and corporate divisions—are protected against emerging vulnerabilities that could jeopardize its security and regulatory compliance.

The BHF IT team sought tools that would help it stay on top of the constantly evolving and ever-increasing vulnerabilities and maintain a strong level of security and compliance across the whole organization.

Why British Heart Foundation chose Qualys:

  • High degree of automation allows IT staff to focus on managing threats, not software.
  • Accurate, comprehensive vulnerability scans ensure that IT assets are kept totally secure.
  • Streamlined PCI compliance testing and reporting will improve overall security and help meet regulatory requirements.

Intuitive, Comprehensive Qualys Solution

To bring greater accuracy and automation to IT security and meet regulatory requirements, BHF selected Qualys Express—a powerful, integrated suite of IT security and compliance solutions designed for mid-sized businesses.

Martin Harris, IT Infrastructure Manager at British Heart Foundation, comments, "We reviewed three solutions in detail, running a pilot for each one. What sold us on Qualys was the management tools—the rich functionality ticked all the boxes for us and the high degree of automation meant less work for our team."

BHF has now streamlined control of its entire vulnerability management lifecycle, from asset discovery and vulnerability assessment to remediation and security-fix verification. Built on the Enterprise TruRisk Platform, the on-demand solution is delivered as a service and fully managed by Qualys, with no software or costly infrastructure for BHF to deploy.

Targeting and Resolving Vulnerabilities with Smart Scanning

BHF is currently working to identify and fix vulnerabilities, using Qualys Express to run regular scans of IT assets for both its retail and corporate networks.

Bo Marcus Win, Infrastructure Analyst at British Heart Foundation, has been leading the scanning effort across the organization's IT landscape. "Our retail environment is quite large—we have more than 700 shops throughout Great Britain. We use Qualys to perform frequent, automated scans of our systems and if vulnerabilities are detected, we make the necessary fixes to keep systems protected. There are a lot more assets on our corporate network – servers, workstations and devices such as switches – and that adds complexity to vulnerability management. With Qualys we are able to perform very comprehensive, granular scans automatically, which is a great help."

The organization plans to use Qualys PCI to substantiate the security of its debit and credit card transactions and to help demonstrate compliance with PCI DSS. The solution will enable BHF to ensure that systems remain within compliance and to prepare for mandated PCI DSS assessments and reporting.

Keeping Business Systems Secure and Compliant

Today, BHF has a powerful platform for proactively tackling the vulnerabilities that place its infrastructure and applications at risk, and one that will help it to prove PCI compliance.

Bo Marcus Win concludes, "We are still in the early days of using the Qualys solutions, but we can already see the huge potential they offer for strengthening our security posture and for proving to both internal and external regulators that systems are secure. Even as threats evolve and become more complex, with Qualys solutions, we feel confident that we have all the tools we need to keep our most critical assets protected."