INDUSTRY: Information Technology and Services
BUSINESS: MHR is one of the UK’s leading HR, talent management and payroll services providers.
SIZE: 501-1000 employees
BUSINESS CHALLENGE: Cloud-based HR management services provider MHR must protect highly sensitive client data from an ever-increasing number of cyber security threats.
- Qualys Cloud Platform
- Qualys VM
- Qualys WAS
WHY THEY CHOSE QUALYS CLOUD PLATFORM:
- Gives MHR a complete overview of its security status.
- Automated, user-friendly reports pinpoint vulnerabilities, enabling fast, targeted responses.
- Comprehensive scans ensure that even the edges of MHR’s network stay secure.
MHR Gives a Further Boost to Its Security Processes to Tackle Growing Online Risk
To further protect sensitive client data from today’s ever-increasing number of cyber security threats, MHR deployed a cloud-based security management platform to identify and manage the resolution of network vulnerabilities.
Headquartered in Nottingham, UK, MHR is a leading provider of solutions and outsourcing services for human resource (HR), talent management and payroll. Working with some of the largest organisations in the country, MHR solutions support the management and payment of around 3 million employees—approximately 10% of the total UK workforce.
Growing Cyber Security Risk
MHR offers a diverse range of cloud-based services and tools, hosted in its data centres in Nottingham, to clients across the UK and to global clients with a worldwide presence. David Mold, Head of Information Security at MHR, elaborates: “Given the nature of HR management—storing highly sensitive client data, such as payslips, bank account details, and performance reviews—we naturally take our data security extremely seriously. We constantly review our security processes and procedures and believe in investing in the best security measures possible. It’s critical that we protect our entire network and all web applications against any emerging vulnerabilities that could potentially compromise confidential client data.”
Additionally, working with organisations in heavily regulated industries, such as the financial and public sectors, MHR must ensure it complies with strict cyber security regulations. David Mold explains: “Organisations are now judged on information security. It is crucial that our clients—many of whom regularly audit and assess our capabilities in this area—have the utmost confidence in our security credentials.”
“Against a constantly rising level of online threats, MHR has to be prepared for all kinds of information security challenges such as attempted SQL injection attacks, phishing attacks, trojans, viruses and other malware,” states David Mold.
Previously, MHR used several different vulnerability management consoles and ran Qualys Web Application Scanning (WAS) as a supplementary project assurance tool. “Strengthening our security credentials was the main reason for expanding our investment with Qualys,” says David Mold.
After carefully evaluating solutions from other vendors, MHR chose to deploy a range of solutions from the Qualys Cloud Platform, an integrated suite of IT security and compliance solutions, including Vulnerability Management (VM), Policy Compliance (PC) and WAS. These cloud-based solutions enable MHR to scan its entire network for vulnerabilities, and to prioritise and track remediation. The Qualys Cloud Platform gives the IT team a single central viewpoint, enabling them to identify security threats quickly and ensure adherence to agreed security standards across the network.
David Mold adds: “Initial scans with the Qualys VM tool automatically found over 80% of our known vulnerabilities, which was very impressive. The Qualys solution generates user-friendly reports that highlight and rank vulnerabilities according to the risk they represent using the Common Vulnerability Scoring System (CVSS) – ranging from 1 to 5 in terms of criticality. These reports tell us how rapidly we need to react and what patches we need to install. This helps us to prioritise our response, enables us to present an informed view to the Board, and breaks what would otherwise be a daunting task into manageable steps.”
More Informed, More Efficient
Today, MHR runs automated VM and WAS scans on a weekly basis, giving the IT team a comprehensive overview of security. David Mold elaborates: “The most powerful aspect of the Qualys solution is that it gives us a bigger picture. For example, thanks to the wide-ranging scope of Qualys VM scans, we are able to promptly resolve vulnerabilities on smaller edge-of-network devices. We can now react even faster than before, making informed decisions based on the CVSS rating. Better vulnerability visibility has greatly contributed to MHR’s overall security profile.”
The Qualys Cloud Platform has played a key role in MHR’s work towards cyber security standards such as the Cyber Essentials certification it recently gained, part of a UK government-backed scheme to improve professional cyber security standards. Armed with a heightened understanding of vulnerabilities across its infrastructure, MHR is now better equipped to keep its network, and sensitive client data, safe from unauthorised access or damage.
David Mold points out MHR’s reaction to the Heartbleed bug as an example. “Thanks to early warning from Qualys VM, we were able to get on top of the situation rapidly, send out clear instructions to the relevant technical teams, inform the board of directors, and issue guidance to our clients immediately. This meant that we were able to quickly reassure our clients that we were dealing with the situation well. Our clients put their trust in MHR’s competence and technical expertise. In matters of information security, it is our goal to always inform customers rather than wait to be asked—the Qualys Cloud Platform plays a vital role in this capability.”
Keeping Cloud-Based Services Secure
MHR uses Qualys WAS to test client-facing web applications as part of its standard quality assurance process. The solution accelerates the process of ensuring watertight security for new code releases, enabling MHR to launch new or updated services faster and at lower cost.
“Web application scanning means our applications are already hardened when we perform manual penetration tests, maximising their value, and gives us the best assurance possible that our apps are protected against known vulnerabilities,” says David Mold. “This is a highly visible part of our infrastructure, and it’s important for ourselves, our clients and our reputation to get things right here.”
He concludes: “Now that we have all the tools and processes in place, we are working to get our Qualys Cloud Platform deployment fully baselined to give us a view on network security that is as close to real-time as possible. We are confident that the Qualys technologies will help to keep us prepared to face new threats to network security.”