BUSINESS: Founded in 1961 in London, England, the British Heart Foundation raises money to fund research into all heart and circulatory diseases and the things that cause them.
BUSINESS CHALLENGE: As part of its fundraising activities, BHF holds personally identifiable information and financial data. How can the charity guard against the reputational and regulatory risks of a data breach?
SOLUTION: Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization, and response; Qualys Web Application Scanning; Qualys Global AssetView
For 60 years, the British Heart Foundation (BHF) has led the way in fundraising for pioneering research into heart disease, helping scientists and healthcare professionals develop better prevention, diagnosis and treatment methods. As a charity, the BHF is funded entirely by public donations, and is supported by a network of charity retail stores across the UK staffed by over 16,000 volunteers.
William Atkins, Information Security Manager at the BHF, elaborates: “We collaborate with many different stakeholders, ranging from individual members, contributors and volunteers to large healthcare organizations such as the UK National Health Service [NHS]. As custodians of our members’ personally identifiable information, it’s crucial that our security and data governance capabilities are robust.”
The BHF operates an extensive IT estate, including on-premises systems and private and public cloud environments comprising around 300 Linux and Microsoft Windows servers in total. The organization also manages a wide range of corporate-controlled endpoints, including 1,200 laptops and workstations and approximately 2,000 tablets and mobile devices.
For the BHF, information security is imperative for regulatory as well as reputational reasons. The charity must comply with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), and with newer requirements such as Cyber Essentials Plus, a security certification required of many organizations that engage with the NHS.
“Because we hold personal and financial data on behalf of our supporters and volunteers, it’s vital that we protect their trust by safeguarding their data,” Atkins continues. “One of the most effective ways to shrink the risk of data loss is through an effective vulnerability management program, and we strive to minimize the number of critical vulnerabilities across our entire IT landscape.”
Why they chose Qualys:
To help maintain a strong information security posture, the BHF uses Qualys solutions to scan its environment for vulnerabilities and to enable timely, targeted action that shrinks the attack surface. For over eight years, the charity has relied on Qualys Vulnerability Management and Qualys Web Application Scanning (WAS) to deliver actionable intelligence on its exposure to cyber threats.
“One of the great things about working with the Qualys Cloud Platform is that we can cover a large proportion of our estate with automated network scans—freeing our teams to focus on other tasks,” says Atkins. “Once we’ve added and tagged an asset in the Qualys solution, we receive timely data on its security status from a single point of control.”
For assets such as laptops and mobile devices that are not always connected to the network, and so cannot be relied on to be reachable by a scheduled network scan, the BHF uses Qualys Cloud Agents to collect data continuously in the background and send it to the Qualys Cloud Platform when the assets come online.
Atkins adds: “Qualys Cloud Agents are so lightweight that most of our users don’t even know they’re there. Agents are also extremely valuable for gaining insight into some parts of our retail IT estate, which aren’t accessible via network scans.”
To support its fundraising efforts and engage with its supporters, the BHF runs several public-facing websites, which are managed and maintained by third-party providers. Using Qualys WAS, the organization can verify that these sites are well protected against cyber threats.
“With Qualys WAS, we gain the peace of mind that our websites are effectively managed and maintained on our behalf from a security perspective,” explains Atkins. “If we ever need assistance with interpreting the results of a scan or diagnosing a technical issue with scanning, we know that Qualys support is only an email or a phone call away.”
Since it first deployed Qualys solutions, the BHF has been driving continual investments in the people, processes and technology that underpin its security capabilities. As the organization’s approach to information security has matured, the BHF has significantly improved its responsiveness to cyber risks.
Atkins comments: “In the last year, we’ve begun expanding our information security team. Our increased headcount—combined with the fine-grained information on vulnerabilities that we’re getting from our Qualys solutions—allows us to step up our remediation efforts dramatically. In fact, we’ve cut the number of severity four and five vulnerabilities across our environment in half, which helps us to ensure our data is always protected and mitigates the risk of reputational damage.”
He continues: “Insights from Qualys will also be very useful in gaining and maintaining new security certifications such as Cyber Essentials Plus—crucial for our partnership with the NHS.”
When the COVID-19 pandemic struck, the BHF used Qualys solutions to smooth the transition to remote working for its 4,000 employees while continuing to enforce its security and governance policies.
“Using Qualys Global AssetView, we gain a complete list of all the software installed on our employees’ IT endpoints,” explains Atkins. “This visibility was especially beneficial during the pandemic period of remote-working, when IT department access to our endpoints was restricted. As well as giving us the ability to verify that laptops and workstations are patched correctly, Qualys Global AssetView lets us confirm that we are complying with our software licensing agreements and that employees haven’t installed any non-compliant software on a corporate-controlled device.”
Looking ahead, the BHF plans to build on its success with Qualys solutions to further strengthen its information security capabilities. For example, the charity plans to use the Qualys APIs to build customized vulnerability management reports that reveal month-on-month trends, and to adopt Qualys VMDR®, which integrates apps for asset identification and management, vulnerability management, threat detection and prioritization, and response.
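The month-on-month trend report mentioned above can be derived from periodic snapshots of scan results, provided the counts are deduplicated per host and finding and a disappearing detection is not silently counted as remediated. The Python below is an added example, not BHF's or Qualys' own code. It assumes a hypothetical flattened export with one record per host/QID per monthly snapshot (the sample data is constructed) and does not call the Qualys API; mapping a real export into this shape is left to the reader.

```python
"""Month-on-month trend of open high-severity vulnerabilities from scan snapshots.

Added example, not BHF's or Qualys' own code. The input shape (one record per
host/QID per monthly snapshot, severity 1-5, status Active/Fixed) is an assumption;
a real Qualys export would need to be mapped into it first.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    month: str      # "YYYY-MM" of the snapshot in which this record was reported
    host: str       # asset identifier (hypothetical names below)
    qid: int        # scanner's finding identifier (hypothetical values below)
    severity: int   # 1 (low) .. 5 (critical)
    status: str     # "Active" (still present) or "Fixed" (verified gone)


# Constructed sample data: three monthly snapshots. legacy01 is reported in
# 2021-02 and then never again, e.g. decommissioned or dropped from scan scope.
SAMPLE = [
    Detection("2021-01", "web01", 91000, 5, "Active"),
    Detection("2021-01", "web01", 91001, 4, "Active"),
    Detection("2021-01", "db01", 91002, 5, "Active"),
    Detection("2021-01", "db01", 91003, 3, "Active"),
    Detection("2021-02", "web01", 91000, 5, "Fixed"),
    Detection("2021-02", "web01", 91001, 4, "Active"),
    Detection("2021-02", "db01", 91002, 5, "Active"),
    Detection("2021-02", "db01", 91003, 3, "Active"),
    Detection("2021-02", "web02", 91004, 4, "Active"),
    Detection("2021-02", "legacy01", 91005, 5, "Active"),
    Detection("2021-03", "web01", 91001, 4, "Fixed"),
    Detection("2021-03", "db01", 91002, 5, "Active"),
    Detection("2021-03", "db01", 91003, 3, "Fixed"),
    Detection("2021-03", "web02", 91004, 4, "Fixed"),
]


def open_critical(detections, min_severity=4):
    """Map month -> set of (host, qid) that are Active at or above min_severity.

    Using a set deduplicates a finding reported several times on one host
    (for example on multiple ports), which would otherwise inflate the count.
    """
    by_month = defaultdict(set)
    for d in detections:
        if d.status == "Active" and d.severity >= min_severity:
            by_month[d.month].add((d.host, d.qid))
    return dict(by_month)


def trend(detections, min_severity=4):
    """Per-month rows: open count, new, fixed, vanished and % change vs. prior month.

    'fixed' means the scanner reported the finding with status Fixed this month.
    'vanished' means the finding simply stopped appearing: the host was not
    scanned, was decommissioned or fell out of scope. That is not evidence of
    remediation and should be reconciled against the asset inventory.
    """
    by_month = open_critical(detections, min_severity)
    seen = defaultdict(set)  # month -> every (host, qid) reported, any status
    for d in detections:
        seen[d.month].add((d.host, d.qid))

    rows, prev = [], set()
    for m in sorted(seen):
        cur = by_month.get(m, set())
        closed = prev - cur
        fixed = {p for p in closed if p in seen[m]}
        vanished = closed - fixed
        pct = None if not prev else round(100.0 * (len(cur) - len(prev)) / len(prev), 1)
        rows.append({"month": m, "open": len(cur), "new": len(cur - prev),
                     "fixed": len(fixed), "vanished": len(vanished), "pct_change": pct})
        prev = cur
    return rows


def format_report(rows):
    """Render the trend rows as fixed-width text suitable for a monthly report."""
    header = f"{'month':<8}{'open':>6}{'new':>6}{'fixed':>7}{'vanished':>10}{'change':>9}"
    lines = [header]
    for r in rows:
        pct = "n/a" if r["pct_change"] is None else f"{r['pct_change']:+.1f}%"
        lines.append(f"{r['month']:<8}{r['open']:>6}{r['new']:>6}"
                     f"{r['fixed']:>7}{r['vanished']:>10}{pct:>9}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(trend(SAMPLE)))
```

Severity 4 and 5 are counted together here because that is the figure the text reports; `min_severity=5` narrows the report to criticals only. The separation of "fixed" from "vanished" is the check a practitioner wants before presenting a reduction to an auditor: in the sample, one of the three findings closed in March is the host that was never scanned again, not a patch.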
“We see great potential to use Qualys VMDR to further increase the speed and effectiveness of our remediation efforts by automatically prioritizing vulnerabilities based on which have the most prevalent real-world exploits,” continues Atkins. “We are also very interested in exploring additional Qualys solutions—including Qualys Network Passive Sensor, which will help us detect unmanaged devices in our estate.”
Atkins concludes: “Information systems play a crucial role in BHF’s ability to raise money for research into cures and treatments for heart disease. Through our work with Qualys, we can support our information security professionals and system owners with the accurate, timely insights they need to keep IT assets patched and protected against potential threats.”