BUSINESS: Sustrans is a charity dedicated to making it easier for people to walk and cycle in the UK.
SIZE: 500+ employees
BUSINESS CHALLENGE: To continue its close collaboration with local government organisations across the UK, Sustrans needed to achieve compliance with the government-backed Cyber Essentials scheme in just three months.
According to the UK National Health Service, regular exercise can cut the risk of major illnesses such as heart disease, stroke and type-2 diabetes in half. Even small lifestyle changes, such as walking or cycling to work, can add up to big benefits for the nation’s health.
For over 40 years, Sustrans has been working with partners, including national and local governments, workplaces and industry organisations to make it easier for people to walk and cycle in the UK. A registered charity, Sustrans employs more than 500 people across offices in England, Scotland, Wales and Northern Ireland.
Community outreach plays an important role in Sustrans’ mission. As well as a large network of volunteers who help to build and maintain places that are pedestrian- and cycle-friendly, the organisation engages with decision-makers to inform planning and investment for walking and cycling.
Data-driven solutions are a key enabler of these operations, and Sustrans provides a wide range of digital services for its employees. These include desktops, laptops and smartphones for day-to-day productivity, as well as cutting-edge geographic information systems to help map and analyse the UK’s roads and cycleways.
Lyndsey Melling, IT & Systems Project Manager at Sustrans, takes up the story: “Many of our employees work side-by-side with local and national government employees across the UK. Because we collaborate closely on projects, it’s vital that we comply with the latest government procurement and contracting requirements.”
To secure a major contract to support cycling and walking, Sustrans needed to achieve compliance with the government-backed Cyber Essentials scheme. Developed in cooperation with the National Cyber Security Centre, Cyber Essentials accreditation demonstrates that organisations have the capabilities to prevent the most common attacks.
“We needed to gain Cyber Essentials accreditation in just three months, or risk missing out on a major, multi-year program of work,” Melling continues. “One of the key requirements of Cyber Essentials is the ability to identify and remediate potential security vulnerabilities in a timely manner. We knew that our existing, manual approach to vulnerability management would be unable to meet Cyber Essentials requirements, so we decided to look for a new solution.”
Why Sustrans chose Qualys:
After evaluating security and compliance solutions from several leading vendors, Sustrans selected the Enterprise TruRisk Platform as the foundation for its new vulnerability management capabilities.
“One of the things that impressed us most about Qualys was their speed and responsiveness,” recalls Melling. “We were working to a tight deadline, and Qualys showed us from the outset that they understood the urgency and were willing to do what it took to achieve the result we wanted.”
She adds: “As a charity, it’s also crucial for us to stay within our budget. The Enterprise TruRisk Platform was particularly well-suited to this requirement—it delivers everything we need without any need for large, up-front capital investment.”
Working together with Qualys, Sustrans configured the Enterprise TruRisk Platform to discover its network-connected assets, and Qualys Vulnerability Management and Qualys Web Application Scanning to establish a regular vulnerability-scanning regimen. Today, the Qualys solution delivers fine-grained analytics on more than 1,100 endpoints, including Mac and Windows desktops and laptops, as well as Windows and Linux network devices.
“At first, we had some challenges with vulnerability scanning traffic overloading our internal network, but deploying lightweight Qualys Cloud Agent scanners across the estate helped to solve that issue almost overnight,” comments Melling. “The Qualys solution is also relatively easy to use, and we now have full visibility of our landscape through an intuitive web dashboard.”
Shortly after its Enterprise TruRisk Platform deployment, Sustrans decided to trial Qualys Patch Management to test the effectiveness of automated patching.
“Our initial scans with Enterprise TruRisk Platform detected several thousand vulnerabilities of various levels of severity across our IT estate,” explains Melling. “Within just a couple of weeks, we had successfully used Qualys Patch Management to remediate two thirds of those vulnerabilities, of which over half were the highest level of severity—an extremely positive result.”
She adds: “Patching using the Qualys Cloud Agent makes it so easy for us to keep all our users safe and secure—even people with laptops that only connect to our network intermittently. Better still, patching has been entirely transparent to the end user, which means our people can continue with their work while the process runs in the background. Going forward, we believe that staying on top of the latest vulnerabilities will only require a few hours of work each week. As a result, we’ll be able to protect our environment from cyber risks while keeping our IT security headcount flat.”
By embracing the Enterprise TruRisk Platform, Sustrans achieved its goal of Cyber Essentials accreditation within the tight three-month deadline. The organisation is now preparing to work on a major multi-year contract that will bring the benefits of cycling and walking to thousands of people.
“Complying with the requirements of Cyber Essentials was absolutely essential to winning this major contract—and that’s exactly what Qualys helped us to achieve,” Melling elaborates. “Despite the fact that the COVID-19 crisis struck right at the start of our engagement with Qualys, the team went out of their way to help us gain the capabilities we needed on time and within budget.”
Based on its success with the Enterprise TruRisk Platform, Sustrans is already planning for the future.
“Looking ahead, we intend to enhance our approach to analysing, categorising and prioritising unpatched vulnerabilities such as zero-day exploits, as well as broadening our scans to include additional IP-connected devices and voice-over-IP services,” concludes Melling.
“Cyber security is a constantly evolving discipline, but thanks to the Enterprise TruRisk Platform we’re confident we have the tools we need to keep on top of the latest threats and build strong new partnerships across the UK government sector.”