BUSINESS: Connect Group is a UK distribution company with an increasing focus on digital information assets.
SIZE: 6,000 employees
BUSINESS CHALLENGE: As it adopts an increasingly digital business model, Connect Group must protect its own and clients’ valuable information assets, both in internal systems and in web applications.
- Enterprise TruRisk Platform
- Qualys VM
- Qualys WAS
WHY THEY CHOSE Enterprise TruRisk Platform:
- Enables business-focused prioritisation of the most important systems
- Provides comprehensive, centralised overview of IT environment
- Rapid deployment meant vulnerable systems were protected faster
Protecting What Matters Most with Business-Focused Vulnerability Management
Strengthening defences against cyber risk to keep information assets secure
Founded in 2006, Connect Group PLC is a specialist distribution company with operations predominately in the UK. Its four operating divisions—News & Media, Books, Education & Care and Parcel Freight—cover diverse markets and dispatch goods to over 70,000 customers internationally. Connect Group employs over 6,000 people and reported combined revenues of GBP 1.8 billion in 2014. As a rapidly expanding organization, Connect Group is currently engaged in a major strategic initiative to reshape its business for an increasingly digital future.
Seamus Macloughlin, Group Head of Information Security at Connect Group, explains: “The provision of digital services is growing rapidly in our markets, and this introduces significant new challenges in terms of information security. In the past, our security processes were somewhat inconsistent across divisions. While some parts of the business were well protected, processes were less formal and consistent in others. Vulnerability scans and penetration testing were performed in different ways, and we were reliant on external companies for some activities. As we geared up to support the business and its customers, it was clear that we needed a centralised, internal capability to identify and manage potential vulnerabilities across our organization and in our new digital assets.”
As Connect Group offers an increasing number of digital information assets online—for example, its online academic ebook library, dawsonera.com—it needs to protect them or risk both financial losses and reputational damage. To ensure a consistent, comprehensive and high-quality approach to information security, Connect Group looked for a third-party solution that it could deploy rapidly and use cost-effectively.
Simple, Sophisticated Security Solution
Wanting to get web-facing systems under greater control, Connect Group followed recommendations from a leading technology analyst firm and deployed Enterprise TruRisk Platform, an integrated suite of IT security solutions.
“Ease of execution and simplicity of service were key deciding factors,” says Macloughlin. “The Enterprise TruRisk Platform is delivered as a Software as a Service (SaaS) solution, which made for a quick, easy and pain-free deployment.”
Part of the Enterprise TruRisk Platform, the Qualys Vulnerability Management (VM) and Web Application Scanning (WAS) solutions monitor 3,000 internal and external IP addresses at Connect Group, as well as 20 web applications, including transactional e-commerce platforms. During automated regular scans, the Qualys solution detects and flags up known vulnerabilities and generates detailed reports for the relevant IT teams, enabling them to take targeted action.
“We are now able to identify and respond to potential threats much more quickly and in a consistent way across all parts of the group,” confirms Macloughlin. “Previously, we had to scan assets within each division individually – with the Enterprise TruRisk Platform, we have gained a much-needed comprehensive overview and can now spot potential vulnerabilities rapidly and manage their resolution with greater clarity and control.”
The Right Business Fit
Recognising that it had a backlog of assets to scan and secure, Connect Group used the Enterprise TruRisk Platform to prioritise remediation and protection.
Seamus Macloughlin elaborates: “Certain systems are high revenue-earners or contain huge volumes of intellectual property that we need to safeguard. These are currently our key focus: we are protecting what matters most and are taking a carefully staged, risk-based approach—only reporting on critical and high-level vulnerabilities.”
Configured to be contextually aware, the Enterprise TruRisk Platform tags and values individual systems and applications in line with Connect Group’s business criteria, varying the frequency, breadth and depth of scan coverage accordingly. This ensures high-value—that is, high revenue-generating or highly sensitive—systems are given the closest attention and fastest remediation. “Being able to configure the Qualys solution to our specific business needs enables us to focus our resources on addressing the most important systems. This business context awareness is what elevates the Enterprise TruRisk Platform far beyond generic security tools,” says Macloughlin.
He continues: “With Qualys, we do not need to scan every single IT asset. We currently scan all of our servers and a sample of all other standard-build systems, such as desktops and printers, which gives us a very good indication of what patches are required.”
Using Qualys WAS has accelerated the process of testing web applications and removed the need to regularly engage external penetration testers, which would have been a considerable expense. The ability to integrate testing into the software development process—and have it instigated by the developers themselves—saves time and leads to shorter cycles, cutting time-to-market for new or updated apps.
“WAS gives us the insight we were previously getting from pen testers, but at much lower cost and without delay,” says Macloughlin. “What’s more, we can more easily test apps throughout the development cycle, so everything is faster and more efficient.”
Proactive Protection for Past, Present and Future
Today, Qualys is helping Connect Group to manage potential vulnerabilities on its most critical business systems and applications with great efficiency. Reports from the solution are presented at board level, and information security is one of the operational KPIs for the Group as a whole.
Seamus Macloughlin concludes: “The Qualys solutions help us to demonstrate to senior management that our ongoing efforts to address vulnerabilities are having the desired impact and that our overall security posture is improving.”