
The importance of digital security

Written by James
25 March 2025

Digital security has become an increasingly important part of our day-to-day operations at Supercool. 

With changes to PCI DSS compliance requirements, and a rise in both the frequency and sophistication of cyber threats – including some aimed specifically at cultural institutions – we've made digital security a priority across the agency. 

From the tools we use to training up the team, we have a strong focus on keeping our clients – and their customers – safe. Here's an overview of some of the things we've done, and are doing:

Testing

Cyber Essentials certification

We're Cyber Essentials certified. This is a UK government-backed scheme, run by the National Cyber Security Centre (NCSC), aimed at protecting organisations against the most common cyber threats. The certification process is thorough and includes independent testing, and the scheme's requirements are reviewed regularly to ensure they stay effective in the "ever-evolving threat landscape". So we decided it was worth doing.

Penetration tested infrastructure

Our entire infrastructure has been independently penetration tested. Sometimes called a 'pentest', this means our infrastructure has undergone a simulated, authorised cyberattack in order to evaluate how secure it actually is, rather than how secure we assume it to be. A pentest is a point-in-time assessment, so it doesn't guarantee security on its own – but it checks us against a recognised standard and helps identify weaknesses before an attacker finds them.

Tools

Craft – a security-minded CMS

We've long championed Craft CMS as our content management system of choice. Not only for its accessibility, flexibility, and performance – but also for its strong focus on security.

We back that up with proactive support from Pixel & Tonic (the makers of Craft), so that when a security release is published we can assess it and roll it out quickly. The latest versions of Craft include native multi-factor authentication (MFA) for control panel logins – which we encourage clients to enable.

Servd – hosting with built-in protections

All our client websites are hosted with Servd, whose infrastructure includes:

  • An ephemeral file system, which resets automatically between deploys and builds – so anything written to the server at runtime, legitimate or otherwise, doesn't persist beyond the next deploy
  • Managed hardware with routine patching and update management
  • Built-in firewall management, which controls and monitors inbound traffic

In essence, this means patching and firewalling are handled at the platform level, rather than being something we have to remember to do for each individual site.

Everything else

Process improvements and team training

Security isn't just about tools – it's also about behaviour. So we're making sure everyone is equipped to make good choices around security. We've run security training for the team and made changes to our internal processes, including:

  • Company-wide device management, so that all staff devices are kept secure and centrally monitored
  • Better password and credential management
  • A shared security checklist for new projects and ongoing maintenance

Privacy and data protection

We take privacy and GDPR compliance seriously across all projects. That means:

  • Designing for data minimisation wherever possible – collecting and keeping only the data a project actually needs
  • Ensuring secure storage and transmission of all data
  • Working with clients to responsibly manage data retention, access, and deletion

Our privacy-by-design approach means thinking about data protection from the very beginning of every project.

Incident response and resilience

We've introduced an internal incident response plan so that if something does go wrong, we know in advance who does what, and we're ready to act quickly and transparently.

From logging and monitoring, to team alerts and client comms, we're building resilience into how we work – as well as into the things we build.

What's next?

Digital security isn't the sort of thing we can tick off a to-do list and call finished. Security checks, tests, updates, and changes to tools and procedures are all part of an ongoing process. But by making digital security a core focus, we're helping to ensure that the websites we create for our clients are secure, resilient – and built to last.

Stay up-to-date with what we're up to, and what's new in the cultural sector – join the Supercool Mailing List