Mansfield Building Society
case study
Mansfield Building Society had an IT team consisting of four generalists and were unhappy with the cost and duration of manual penetration testing engagements.
Being regulated by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), cyber security needed to remain high on the agenda.
AppCheck helped by introducing year-round vulnerability testing at an affordable cost and provided clear and actionable insights on demand.
Tell us a bit about yourself and your organisation
We are Mansfield Building Society, a modern independent building society with an individual approach to lending which allows us to offer flexible solutions for a variety of needs.
We were established in 1870 and although today our assets exceed £400m, we still very much care about our customers and our local community. We make a number of donations to local charities and support groups and every one of our customers is a member of the society and we value their loyalty.
We are a fairly small IT Department consisting of myself and 4 technical support analysts – they are IT generalists, so we don’t have specific in-house technical skills, particularly around security and penetration testing, which is where we saw AppCheck filling that gap.
What was the business need for AppCheck?
Obviously there is now a heightened awareness around cyber risk. We are regulated by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), so operational resilience and cyber security are very high on the agenda. Due to this, we’ve built a cyber security project plan and as part of the process, identified that vulnerability scanning and penetration testing was something we needed to be doing on a regular basis. This enables us to test the effectiveness of our security controls and identify any weaknesses that exist so that we can remediate against them.
What were your main challenges with security before AppCheck?
Traditional manual testing was very expensive. If we were to go out and engage with a pen testing company, this would typically be a several day engagement and then there would be follow up, remediation and usually a subsequent test. The costs soon added up.
The real benefit I saw from the AppCheck platform was that we can get the best of breed in terms of automated testing tools and we have the ability to re-test whenever we want, 24 hours a day. Prior to that, we would engage with pen test companies and it would be a long process to scope out exactly what they would be doing and when they would be doing it. This was followed by a period of time while we waited for reports to be written and distributed and then any follow-up testing once the issues have been closed. We then had to repeat the whole process, this was very timely and costly to do. With AppCheck we are now able to do all of this this in-house.
Why did you choose AppCheck?
I think the key benefit with not being a pen tester myself was that we were able to get it up and running very quickly, AppCheck provided a lot of help around this. We now have the scope to test a lot of different interfaces/IP addresses and even our Web Apps.
I was impressed with the speed at which we could do a test and we can now log on 24/7 and set a test up whenever we want, without any constraints. If we have suppliers or data processors who might be doing something on our behalf, we have to go through the same security due diligence as if this were something we were doing internally. Being able to use the tool to do that makes the whole process very quick and easy. A recent example of where this was useful was during the move of our email filtering from on premise to a cloud hosting environment. We were able to initiate the test on our own timeframe without having to involve anybody else and get the results back instantly. That for me is a real benefit. Usually these requirements can stall implementation for those kinds of services which can have a negative impact across the business – now we can just crack on and do the testing ourselves, we are confident in the answers and know what the risks are. It makes it much easier.
What is your favourite thing about AppCheck?
The accessibility. Just being able to logon at any time of the day and setup a scan or re-run an existing scan is a major benefit for me. If I was having to go out to a pen test partner that could take me weeks to sort out, particularly where it involves third parties… that always gets more complicated.
Sum up your experience with AppCheck in 1-2 sentences
Cost-effective, easily accessible and the ability to re-test very quickly. We can do that within minutes and know the results will be accurate.
Want to scan your critical assets?
What has been the impact of using AppCheck?
Reduction in cost. The cost of the annual AppCheck licence when compared with annual testing provides significant savings.
Being able to look at the trend history so we can see over time what has been uncovered and how that has been closed off is very useful. From an audit point of view, we can demonstrate that we are actively looking at what potential threats exist and closing them off as quickly as we can.
Overall visibility is really good. Whilst I have a technical background, I don’t have expertise in penetration testing. However, I can go on the platform and understand the results that are coming in, see where the biggest threats are, and where we need to focus our immediate attention. This ensures that we close off any of the high risk vulnerabilities as quickly as we can. We now also have the ability to re-test just as fast once issues are remediated too.
What advice would you give to other companies looking to manage vulnerabilities?
I don’t like to put all my eggs in one basket and do not rely solely on one system. As different testers and platforms will use different techniques and toolsets, I do still run a manual test once a year. The benefit to year round penetration testing is that when we have a manual test, they do have to work that little bit harder. Ultimately, this provides an increased value for money and ensures our security posture is as robust as it can be. It just gives us that assurance that we are not missing anything.
From a technical perspective, it’s good to have a plan and prioritise vulnerabilities. AppCheck as a tool is very good at showing you how to do this and exactly where you need to be focusing your attention.
Want to see what AppCheck can find in your websites, applications, network, and cloud infrastructure?
Put us to the test.
Try AppCheck for free
Contact us or call us 0113 887 8380