The importance of digital security
Digital security has become an increasingly important part of our day-to-day operations at Supercool.
With changes to PCI compliance and a rise in both the frequency and complexity of cyber threats – including some aimed at cultural institutions – we’ve prioritised digital security across the agency.
From the tools we use to training up the team in digital security, we have a strong focus on keeping our clients – and their customers – safe. Here’s an overview of some of the things we've done, and are doing:
Testing
Cyber Essentials certification
We’re Cyber Essentials certified. Cyber Essentials is a UK government-backed scheme, run by the National Cyber Security Centre (NCSC), that sets out baseline controls against the most common cyber threats: firewalls, secure configuration, user access control, malware protection, and keeping software patched. The certification process is thorough, and includes independent testing. The scheme’s requirements are also reviewed regularly so they keep pace with the threat landscape. That made it worth doing.
Penetration tested infrastructure
Our entire infrastructure has been independently penetration tested. A penetration test (or 'pentest') is an authorised, simulated attack: testers probe the systems the way a real attacker would, trying to find and exploit weaknesses, and report what they find. A pentest is a point-in-time assessment rather than a guarantee, but it gives us independent evidence of how our infrastructure holds up and surfaces weaknesses so we can fix them before anyone else finds them.
Tools
Craft – a security-minded CMS
We’ve long championed Craft CMS as our content management system of choice. Not only for its accessibility, flexibility, and performance – but also for its strong focus on security.
We back that up with proactive support from Pixel & Tonic (the makers of Craft), so we’re alerted to security fixes and can roll them out quickly. The latest versions of Craft also include native multi-factor authentication (MFA) for control panel logins, which we encourage clients to turn on.
Servd – hosting with built-in protections
All our client websites are hosted with Servd, whose infrastructure includes:
- An ephemeral file system, reset automatically on every deploy and build, so anything written to the server at runtime (including anything an attacker manages to drop there) doesn’t persist
- Managed hardware with routine patching and update management
- Built-in firewall management, which controls and monitors traffic to the site
In practice this means that server-level patching and network controls are handled continuously by the host, rather than depending on us remembering to do them.
Everything else
Process improvements and team training
Security isn’t just about tools – it’s also about behaviour. So we’re ensuring everyone is equipped to make good choices around security. We’ve run security training for the team and made changes to our internal processes, including:
- Company-wide device management, so all staff devices are configured securely and centrally monitored
- Better password and credential management
- A shared security checklist for new projects and ongoing maintenance
Privacy and data protection
We take privacy and GDPR compliance seriously across all projects. That means:
- Designing for data minimisation wherever possible
- Ensuring secure storage and transmission of all data
- Working with clients to responsibly manage data retention, access, and deletion
Our privacy-by-design approach means thinking about data protection from the very beginning of every project.
Incident response and resilience
We’ve introduced an internal incident response plan so that if something does go wrong, we’re ready to act quickly and transparently.
From logging and monitoring to team alerts and client comms, we’re building resilience into how we work, as well as into the things we build.
What's next?
Digital security isn't the sort of thing we can tick off a to-do list and call finished. Security checks, tests, updates, and changes to tools and procedures are all part of an ongoing process. But by making digital security a core focus, we’re helping to ensure that the websites we create for our clients are secure, resilient – and built to last.
Stay up-to-date with what we're up to, and what's new in the cultural sector – join the Supercool Mailing List