We were approached by a software company who were developing a new iteration of their most popular product.  We were tasked with not only performing penetration tests on the new software, but also assessing how secure their environment was, as they had concerns that the successful launch of the new product could be compromised if pirated copies were made available on the internet  

A very large, global business engaged us with a view to creating a new Information Security Strategy after suffering from a number of security breaches which incurred significant losses – one of which was valued at over £20m.  After reviewing their current Strategy and Policies, we discovered four key areas that needed improvement; Their current strategy was too focused on technology, with little attention given to the human factors in Information Protection.The result was a strategy that dictated technical solutions (“You must use this specific type of Firewall”) but neglected to consider the wider implications of security. Information Security decisions were based entirely upon what the IT Department thought it should be doing, with no input from the business.  There was no clearly identifiable single point of contact for the business to engage with for Information Security concerns. The current practices of the IT Department were directly contributing to the loss of information, with issues such as cloning current or former user accounts for new starters, failing to revoke access for users who had moved on, and neglecting to fully wipe desktops, laptops and external hard drives prior to re-use or disposal.

A very large, global UK business had a history of recurring Access Control issues in SAP which caused a number of serious security breaches.  The internal IT team reacted to those control issues and mitigated them as part of a BAU process, but the solutions that were applied did not address the root causes of the access violations and only treated the symptoms. . There was also a lack of security governance for SAP, resulting in inconsistent processes, absence of standards and policies, and incomplete security controls.