
Sustrans opens door to NCSC cyber certification via the cloud

Sustainable transport charity turned to Qualys to help it attain needed certifications to bid for government work

Cycling and walking charity Sustrans has brought in Qualys to enhance its overall security posture through a deployment of its Cloud Platform service, enabling it to bid for more government work to support its agenda around sustainable, car-free transport.

With over 40 years of transport policy advocacy behind it, Sustrans now employs 500 people across multiple locations in the UK, managing a network of volunteers to build and maintain pedestrian- and cycle-friendly infrastructure, and engage with decision-makers around planning and investment.

But to secure a major government contract to support cycling and walking, the organisation needed to quickly align with government security requirements and, specifically, achieve certification under the National Cyber Security Centre’s (NCSC’s) Cyber Essentials scheme.

The government-backed Cyber Essentials certification attests that an organisation has a baseline of technical controls in place against the most common cyber attacks, and it is increasingly a requirement for working on government contracts.

“Many of our employees work side-by-side with local and national government employees across the UK,” said Lyndsey Melling, IT and systems project manager at Sustrans. “Because we collaborate closely on projects, it’s vital that we comply with the latest government procurement and contracting requirements.

“We needed to gain Cyber Essentials accreditation in just three months, or risk missing out on a major, multi-year programme of work.

“One of the key requirements of Cyber Essentials is the ability to identify and remediate potential security vulnerabilities in a timely manner. We knew that our existing, manual approach to vulnerability management would be unable to meet Cyber Essentials requirements, so we decided to look for a new solution.”

With a brief including rapid compliance with government standards around external and internal threat scanning; fast and accurate detection and remediation of vulnerabilities, preferably with some degree of automation; and enterprise-class vulnerability management capabilities via a cloud-based subscription model to keep costs down, Sustrans picked Qualys’ Cloud Platform as a foundation after a brief evaluation.

In particular, the service met the charity’s requirements around speed and responsiveness, and costs, said Melling.

Sustrans first configured the platform to discover its network-connected assets, then added Qualys’ Vulnerability Management and Web Application Scanning options to start a regular vulnerability-scanning programme, which now delivers analytics across more than 1,100 endpoints around the organisation. Scanning those endpoints over the network initially caused congestion, which was quickly resolved by adding Qualys’ lightweight Cloud Agent, which collects vulnerability data on each endpoint rather than probing it remotely.
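The regular scanning programme described above only earns its keep if someone checks the findings against the deadline Cyber Essentials actually imposes: fixes for critical and high vulnerabilities (CVSS v3 base score 7.0 or above) must be applied within 14 days of release. The script below is an added example, not code from the article or from Qualys, showing that triage over a constructed scanner export; the column names and the QID-style identifiers are assumptions rather than a real report layout.

```python
import csv
import io
from datetime import date, timedelta

# Cyber Essentials requires patches for critical and high vulnerabilities
# (CVSS v3 >= 7.0) to be applied within 14 days of the fix being released.
REMEDIATION_WINDOW = timedelta(days=14)
IN_SCOPE_CVSS = 7.0

# Constructed scanner export; the column names and IDs are assumptions,
# not an actual Qualys report format.
SAMPLE_EXPORT = """host,vuln_id,cvss,patch_released,status
laptop-001,QID-100,9.8,2020-03-01,open
laptop-001,QID-101,5.3,2020-03-01,open
server-01,QID-100,9.8,2020-03-01,fixed
server-02,QID-102,7.5,2020-03-20,open
web-01,QID-103,8.1,2020-03-10,open
"""

# The "today" used for the sample run, so results are reproducible.
SAMPLE_TODAY = date(2020, 3, 25)


def parse_export(text):
    """Yield one dict per open, in-scope finding, with the 14-day deadline computed."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["status"].strip().lower() != "open":
            continue  # already remediated, nothing to track
        cvss = float(row["cvss"])
        if cvss < IN_SCOPE_CVSS:
            continue  # still worth fixing, but outside the hard 14-day rule
        yield {
            "host": row["host"],
            "vuln_id": row["vuln_id"],
            "cvss": cvss,
            "deadline": date.fromisoformat(row["patch_released"]) + REMEDIATION_WINDOW,
        }


def triage(text, today):
    """Split open high/critical findings into overdue and still-within-window.

    Each entry is (host, vuln_id, days): positive days means past the deadline,
    zero or negative means time remaining. Overdue entries come worst-first.
    """
    overdue, pending = [], []
    for finding in parse_export(text):
        days_past = (today - finding["deadline"]).days
        entry = (finding["host"], finding["vuln_id"], days_past)
        (overdue if days_past > 0 else pending).append(entry)
    overdue.sort(key=lambda e: e[2], reverse=True)
    return {"overdue": overdue, "pending": pending}


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, SAMPLE_TODAY)
    for host, vid, days in report["overdue"]:
        print(f"OVERDUE  {host} {vid}: {days} day(s) past the 14-day window")
    for host, vid, days in report["pending"]:
        print(f"pending  {host} {vid}: {-days} day(s) left")
```

A finding whose deadline falls on the day of the check is still counted as pending, since "within 14 days" includes the deadline day; the sort puts the longest-standing breaches first so that an automated patch run can start with them.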


The sheer volume of vulnerabilities detected with the initial Cloud Platform scans prompted Melling to go further still, adding Qualys’ Patch Management to automate the patching process.

“Within just a couple of weeks, we had successfully used Qualys Patch Management to remediate two-thirds of those vulnerabilities, of which over half were the highest level of severity – an extremely positive result,” she said.

Melling said that patching in this way makes it easier to keep Sustrans’ users secure, even remote workers who fully connect to the organisation’s network only intermittently.

“Better still, patching has been entirely transparent to the end-user, which means our people can continue with their work while the process runs in the background,” she said. “Going forward, we believe that staying on top of the latest vulnerabilities will only require a few hours of work each week. As a result, we’ll be able to protect our environment from cyber risks while keeping our IT security headcount flat.”

Melling credits the full adoption of the Qualys service with Sustrans achieving Cyber Essentials certification within the tight three-month timeframe. The charity is now preparing to start work on a multi-year contract to extend the health and social benefits of cycling and walking to thousands of people.

“Complying with the requirements of Cyber Essentials was absolutely essential to winning this major contract – and that’s exactly what Qualys helped us to achieve,” said Melling.

“Despite the fact that the Covid-19 crisis struck right at the start of our engagement with Qualys, the team went out of their way to help us gain the capabilities we needed on time and within budget.”
