INDUSTRY: Professional Services
BUSINESS: Headquartered in France and with more than 40 offices across six countries, Scutum provides remote surveillance and physical security solutions at more than 100,000 public and private sites.
BUSINESS CHALLENGE: While Scutum had made significant investments in cyber security and had not experienced any major problems, it lacked a standardised methodology for vulnerability management. The company wanted to understand potential vulnerabilities and be able to prioritise remediation activities.
WHY THEY CHOSE THE QUALYS CLOUD PLATFORM:
A leading European player in security, safety and surveillance solutions, Scutum employs 1,300 people across more than 40 offices in Belgium, France, Germany, the Netherlands, Switzerland and the United Kingdom. The company helps protect more than 100,000 sites, under both public and private ownership, and has competencies ranging from economic risk intelligence through to the protection of people and property. These skills enable the company to address the safety and security requirements of clients of all sizes across multiple sectors.
As the world becomes ever more digitised and the potential attack surface grows, organisations in all sectors face new cyber-security challenges. And in a digital ecosystem that is becoming increasingly complex, and which changes hugely from day to day, the risks are always growing.
Antoine Rodriguez, Cybersecurity Manager at Scutum, comments: “Today, even smaller enterprises are taking cyber security very seriously. They’ve raised their internal standards and they expect their partners and suppliers, such as Scutum, to do the same.
“We’ve been investing seriously in cyber security for some years now, so we’ve not experienced any major problems. However, we lacked a standardised methodology for vulnerability management. It’s vital to know where our weaknesses are and to be able to correct them as rapidly as possible - and, critically, to be able to prioritise our remediation activities.
“Cyber security is a constant and evolving battle so, to stay on top of these new challenges, we decided to focus on the continuous improvement of our information systems. As part of this strategy, we’re aiming for an ISO 27001 certification extension, which provides a model for implementing, operating, reviewing and improving an information security management system.”
Scutum recognised that most cyber attacks focus on exploiting known defects in systems, rather than on innovative methods.
Antoine Rodriguez adds: “As the number and variety of attacks grows, we’re seeing a trend towards attacks focused on failures in patch management - that’s a weak spot for everyone. In this context, automated protection is the most appropriate tool, so we began looking for the right technology for the job.”
Scutum considered a range of IT security tools before selecting the Qualys Cloud Platform, as Antoine Rodriguez describes: “As part of our corporate will to close the loop on continuous improvement, we’d agreed internally that we needed a neutral third-party partner.
“Perhaps counter-intuitively, the fact that Qualys offers a cloud-based solution seemed a better guarantee of security. Unlike some other solutions we looked at, we can’t alter the reports in Qualys, as the Qualys server isn’t on our premises. This really appealed to us from the audit point of view, because Qualys is uniquely able to provide a neutral, external and impartial view.
“We also knew Qualys by name and by reputation, and we liked the fact that, even though it’s American today, Qualys originated in France - its history is a bit like ours.”
Scutum deployed Qualys Vulnerability Management (VM) for the eight most critical IP addresses on its French network. The cloud-based solution constantly monitors and identifies vulnerabilities with 99.99966% accuracy, protecting IT assets. The company also implemented Qualys Web Application Scanning (WAS), a robust cloud solution for continuous web app discovery and detection of misconfigurations, covering five IP addresses.
Antoine Rodriguez comments: “The implementation was smooth and we haven’t really had any experience of support so far – we simply haven’t needed it. The Qualys solutions can’t magically solve everything, but the vulnerability reports are very useful when brought together with our internal expertise. Thanks to the Qualys Cloud Platform, we’ve already been able to correct some security holes in our web apps and now the developers are sometimes asking to run a scan even before the planned date! So despite some initial resistance to change, it’s fast becoming adopted into our standard workflow.
“In fact, WAS is the higher-profile solution for us at the moment. It’s installed on our client extranet portal, where we really need visibility of information security, and it talks to developers in a way they understand.”
With the Qualys Cloud Platform in place, Scutum has successfully implemented its strategy of continuous improvement and significantly reduced its vulnerability to cyber attacks.
Antoine Rodriguez notes: “Working with Qualys has given us a third-party overview of our activities, and enabled a noticeable improvement in identifying and removing known vulnerabilities. It’s also vital to our strategy of continuous improvement. Qualys VM keeps a history of past actions, so we can see if an issue is new or if we’ve seen it before, and make sure it doesn’t recur.
“In addition, the Qualys solution highlighted some process shortcomings around the remediation of vulnerabilities, prompting process review. This has given us greater strength and speed in prioritising and removing vulnerabilities. All of these improvements contribute towards our plans for extending our ISO 27001 certification.”
Moreover, Scutum’s enhanced cyber security gives its clients greater peace of mind.
“Our clients are reassured by the fact that we have a clear internal policy on vulnerability management based on continuous improvement, and that we’re working with Qualys – which has a very strong reputation in the cyber-security world,” Antoine Rodriguez continues. “We think that working with Qualys has a positive impact on our business, as it makes us more attractive to current and prospective clients, some of whom have stringent regulatory requirements regarding the security of suppliers.”
He concludes: “In terms of cyber security, we never take the attitude that this is a fortress and we can rest easy - there will always be new vulnerabilities. What’s important is detecting and removing each vulnerability before anyone has a chance to exploit it. With the help of Qualys, we can continue improving the speed at which we address vulnerabilities, keeping us and our clients secure.”