Hepburn Delaney Solicitors

Penetration Testing as a Service (PTaaS)

About Hepburn Delaney

Hepburn Delaney Solicitors, established in 2013 by Jane Hepburn and Rebecca Delaney, operates as a law firm in Hemel Hempstead, specialising in family matters. With a focus on tailored services and efficiency, the firm embraces innovative technology, evident in its adoption of a paperless system and ongoing efforts to modernise its services securely.

 

The Challenge

Hepburn Delaney, dealing with sensitive personal data, sought to keep its data systems GDPR-compliant and its cyber and commercial risk low at all times. As a fast-growing company, digital changes were frequent, and the historical approach of annual testing was deemed woefully inadequate. If vulnerabilities existed or were introduced during the year, the business needed to know and act on them quickly.

Independent testing is crucial because results from internal or outsourced providers can be biased by the fear that findings will reflect badly on their previous data management. Unfortunately, that does little to address security issues and poses a significant risk.

Recognising this, GDPR now mandates independent testing to mitigate such risks effectively. In light of lengthy testing durations, which typically span 2-3 months and involve substantial internal resource consumption, Hepburn Delaney sought a faster and higher-quality testing approach.

What We Did

Hepburn Delaney opted to use TotalPenTest, the UK’s leading Penetration Testing as a Service (PTaaS) solution. It provides scheduled or on-demand tests with assured compliance, and the peace of mind of knowing that risk mitigation is only ever a mouse click away.

Total Group swiftly dispatched its plug-and-play micro test server the same day and we were testing within 24 hours.  

Whilst managed and deployed by Total Group, strict independence and integrity are maintained using the leading global penetration testing engine from Vonahi Security, with over 15,000 tests performed on the platform. Unlike manual or consultative testing, the TotalPenTest automation never makes a mistake or an omission and delivers the highest quality results consistently every time.

 

Simply faster and better than other tests by 50%.

 

Technologies Deployed: 

TotalPenTest provides a comprehensive environment testing regime, including network and cloud penetration testing and vulnerability scanning.

External Test 1 – We attacked from the outside targeting the perimeter firewalls of Hepburn Delaney’s head office and branch offices.  

External Test 2 – We attacked their Microsoft 365 environment.

Internal Test 3 – We attacked inside and out using a micro test server, evaluating every device attached to the network, from Windows devices to CCTV cameras to printers. No device was safe from our attempts to hack and test its resistance to attack.

The Results

As this was the first test incorporating a new office, and it followed a period of major IT change, there was an expectation that some high-risk issues might be found. However, this was not the case. The Windows network and all computers passed with flying colours. Some issues were found with print copier devices: despite being new, their default configuration had vulnerabilities that needed to be addressed.

Many copiers can interact with business data via services like scan to email or scan to folder, so they need to be as secure as possible.

The ability to update and secure the printers was deemed to be outside of the ability of print management companies. Whilst they often install or physically maintain such devices, this service seldom extends to being accountable for data security.

Total Group collaborated closely with Hepburn Delaney to gain admin access to the devices and then took on responsibility for hardening them. Firmware was updated, legacy functionality and services that were not required were disabled, and password complexity was improved.

On completion of the mitigation works, the pen test was rerun to verify that the risks were resolved and that the entire network was secure.

What Hepburn Delaney Said

“We were not aware that the printer / copiers represented a risk to data security and whilst they were physically well maintained the need for security updates, and more secure settings (than default) was not known.

Total Group were able to identify the risks and tell us exactly what needed to be done. We secured admin access to the devices, which was shared with Total Group, who implemented the mitigation steps recommended by the Pen Test. We then retested to make sure the risks were resolved.”


Looking for IT management and security services?

Contact Total Group today to find out how we can help your business.
