Cyber Security First

Hedgehog is Cyber Security First

As a cyber security company, cyber security comes first, and nothing is more important to us than the security of our customers’ data. That is why we run a Cyber Security First program internally. A breach of our customer information could cost us our entire business, and that is why we go above and beyond to implement the latest security tools, as well as ensuring that robust processes and the fundamentals of information security management are in place.

Cyber Security First

Cyber Security First is a series of specific controls and approaches that we take to secure the different aspects of our business, from the office we use to our data centres, access control, and prevention and detection strategies. The controls are grouped into three control groups:

  1. Monitor
  2. Detect
  3. Protect

Monitor

Continuous security monitoring: All of our services provide high-quality assessments of weaknesses in internet-facing systems. Using our own service against ourselves through our Cyber Security First program allows us to be rapidly informed whenever new vulnerabilities are disclosed.

Governance & Responsibility: No amount of technical security controls would be sufficient unless backed up by robust process and governance. Hedgehog has a robust governance model in place which makes specific staff members responsible for information security in the organisation, in line with ISO27001 principles.

Least privilege: We follow the principle of least privilege as a general model within the business. Where employees do not require access to information or systems, they are not given it.

Detect

Access reviews: We perform regular access reviews of employee privileges to ensure that, as employee roles change over time, their privileges are updated to match.

Anti-virus and anti-malware: All infrastructure is protected by anti-virus and anti-malware systems.

Background checks: We vet every employee with third-party background checks to verify identity and check for criminal records, as well as following up on character references.

Detection: Cyber Security First mandates that we use industry-standard intrusion prevention tools to protect our online services and infrastructure against active attacks.

Endpoint protection: State-of-the-art anti-virus and anti-malware solutions are mandated by Cyber Security First and by Cyber Essentials Plus as part of a suite of next-generation endpoint protection requirements.

Penetration testing: We perform penetration testing against our application on every major release using our own in-house CREST and TIGER qualified security experts.

Secure coding: We adopt secure coding principles during development. All code that is checked in is reviewed for security weaknesses by both humans and automated scanning tools.

Protect

Backups: We perform regular full backups of our customer and company information and store them securely in a separate cloud zone. Backup restore procedures are tested bi-annually to ensure that any disaster can be recovered from. We have extended our backup program to ensure we have a full offline backup taken every week.

Datacenter security: We exclusively use UK-based data centres with numerous security certifications, including ISO27001, PCI DSS and more.

Data separation: Our client portal uses industry-standard libraries and software engineering techniques to ensure logical data separation between clients’ datasets within the SaaS environment.

Hardened builds: All of our systems use hardened builds for their application servers. No software runs with root privileges and application and deployment accounts do not have access to the rest of the operating system or network beyond what is necessary.

Individual accounts: Cyber Security First and Cyber Essentials both require all privileged users to have individual accounts, enabling auditing and logging of privileged access to customer data.

Insurance: We always ask you what is out of scope and to inform us of any particularly unstable or badly configured devices on your networks. While we cannot be held responsible for poor IT competence, we do carry extensive insurance. This is a requirement of our ethical operating status and our CREST membership, and is just common sense. Our insurance coverage is through TOKIOMARINE HCC. The geographical limits of our insurance are worldwide and we have the following cover:

  • Professional and Employers Indemnity: GBP 10,000,000
  • Public, Product and Pollution Liability: GBP 5,000,000

No passwords: We use SSH keys to control access to our infrastructure. No passwords are in use in the estate, protecting us from standard brute-forcing and credential-stuffing attacks.
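A check a practitioner would want for the key-only control above, added here as an example and not Hedgehog's own tooling: it reads `sshd -T` output (the effective configuration, one lowercase keyword per line) and fails if password or keyboard-interactive logins remain enabled; the two sample configurations are constructed.

```shell
#!/bin/sh
# Audit an sshd effective configuration for a "keys only, no passwords" policy.
# Feed it `sshd -T` output on stdin:  sshd -T | audit_sshd_config

# Print the last value of keyword $2 in the config text $1 (empty if unset).
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==k {v=$2} END {print v}'
}

# Returns 0 when password-style logins are off and key auth is on, else 1.
audit_sshd_config() {
    cfg=$(cat)
    pass=$(cfg_get "$cfg" passwordauthentication)
    kbd=$(cfg_get "$cfg" kbdinteractiveauthentication)
    # Older sshd releases print the legacy keyword name instead.
    [ -n "$kbd" ] || kbd=$(cfg_get "$cfg" challengeresponseauthentication)
    pub=$(cfg_get "$cfg" pubkeyauthentication)
    empty=$(cfg_get "$cfg" permitemptypasswords)
    rc=0
    [ "$pass" = "no" ]  || { echo "FAIL: PasswordAuthentication=$pass"; rc=1; }
    [ "$kbd" = "no" ]   || { echo "FAIL: KbdInteractiveAuthentication=$kbd"; rc=1; }
    [ "$pub" = "yes" ]  || { echo "FAIL: PubkeyAuthentication=$pub"; rc=1; }
    [ "$empty" = "no" ] || { echo "FAIL: PermitEmptyPasswords=$empty"; rc=1; }
    return $rc
}

# Constructed samples in `sshd -T` format: one still accepts passwords,
# the other matches the key-only policy.
WEAK_SAMPLE='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitemptypasswords no'

HARDENED_SAMPLE='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitemptypasswords no
permitrootlogin prohibit-password'

printf '%s\n' "$HARDENED_SAMPLE" | audit_sshd_config && echo "hardened sample: OK"
printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_config || echo "weak sample: password logins still enabled"
```

Run it across the estate with your usual remote-execution tooling and alert on any non-zero exit.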

Patching: Hedgehog has robust policies and implements processes to ensure we regularly perform essential maintenance activities such as patching software, taking data backups and testing that controls function as expected.

Transport encryption: Cyber Security First requires that we use banking-grade 256-bit AES Transport Layer Security (TLS) encryption on all transport links carrying customer information or controlling our infrastructure.

Storage encryption: We use full-disk encryption on all company devices as standard, as well as cloud volumes storing customer information. This enables us to protect data on equipment that is lost or stolen.

Two-factor authentication: Cyber Security First and Cyber Essentials require two-factor authentication on all corporate accounts. This helps us prevent common attacks like email phishing, which aim to capture user credentials to gain access to company information and services.