Cranmore Consulting obtains Cyber Essentials certification
Cranmore Consulting is one of Northern Ireland’s leading independent software development firms. Founded in 2008 by IT developer Chris Price, the company offers software products such as its LiveQ form builder, as well as bespoke consulting services. Cranmore works with customers across a range of industries such as food services (Moy Park), energy (Energia and Furnace), government (NI Direct) and telecommunications (BT).
With the assistance of Vertical Structure, starting in January 2020, Cranmore embarked on a process to gain Cyber Essentials accreditation.
What fuelled the desire to gain Cyber Essentials certification?
Katie Murry, project manager for Cranmore, said:
“We had many cyber security practices in place already, as a company we were already very conscious of the requirements for robust cyber security. But the certification gave us something that our clients would recognise, to officially show that we have the right measures in place to protect data.”
What does the LiveQ product do?
“It is software that can automate paper processes – those that would have historically been done on a form, such as the driving test – and ensures it can now be completed on a mobile device.”
“Another example would be farmers’ inspection forms – historically, they would have been paper forms, and we transformed them into a mobile app. Now, farmers can fill in the data on their phones or tablets.”
“In addition to the front-end apps, there is corresponding backend case management software which allows the data captured out in the field to be processed, viewed and managed by admin or managerial staff from their office location.”
With data coming in from compliance forms, it is critical to ensure data is handled correctly.
“It is so important to us that we can show our clients that we’re handling data appropriately, with robust security and privacy measures in place.”
The Cyber Essentials process brings it owns benefits
Vertical Structure’s team was led by Simon Whittaker and Lukasz Mrozowski, with a very human-centric approach to the process. The team went through all of Cranmore’s process documents, ensuring they were all up to date and correct.
“A lot of the things we talked through with Simon and Lukasz were things we already had in place – so it was really about formalising it – to reassure clients that we take their data security seriously,” said Katie.
She went on, “The communications with Vertical Structure were great – we were never left chasing anything, and they were really proactive and helpful.”
Simon and Lukasz were able to identify a few minor issues that needed attention, such as the joiners and leavers process.
The process around former employees’ accounts was overseen by one team member. They would ensure the employee account was disabled and that their access was removed. As a small company, Cranmore was like most SMEs, in giving one person the job of ensuring people had access to systems, projects and code. Although the process was in place, it wasn’t formally documented and written down.
Simon of Vertical Structure said:
“We work with a large number of SMEs and frequently find that they have many hidden processes and procedures in place. Our role is to help them discover, formalise and implement processes where required. Our philosophy is to work together with our clients, as one team. It’s vital that the organisation develop and use their own procedures, rather than having anything forced on them.”
Procedures around personal devices
Another area that Vertical Structure zeroed in on was employees’ usage of their own mobile phones to access email accounts.
“We provided guidelines around what was acceptable usage of personal mobiles, and what wasn’t – to define how company data is used and transferred, and how they were password and PIN protected,” Simon said.
After tweaks were fixed, Cyber Essentials certification was gained
Katie said, “The benefits went beyond just having the certification – it ensured everything was more organised and everyone was aligned.”
Threat modelling and security testing for web apps
After the certification came through, Simon also visited Cranmore to train the rest of the team. He completed a two-day training course for the Development and Infrastructure team. The feedback was very positive.
“The course includes a review of any vulnerabilities to hacking – to find out how bad actors could get into their systems,” said Simon.
Positive feedback from the course
After the course, one of Cranmore’s developers said:
“Thoroughly engaging course - real eye opening into how to identify security flaws and implement solutions. I cannot recommend this enough for any developer who wants to help lockdown and make their applications more secure, and also create a threat model for applications to highlight possible pain points and steps that can be taken to mitigate said risks. This course is a must do!”
Or send us a quick message