
Mar 2025
Cultivating cyber resilience: Case study - People’s Postcode Lottery.
In a recent conversation, Mark Sandison, the Technical Compliance Officer at People’s Postcode Lottery, shared how a physical penetration test conducted at their Edinburgh office proved invaluable.
It helped the leadership team identify areas for training and process improvements while showcasing the strength and effectiveness of many existing procedures.
The findings of the penetration test were varied, but every aspect of the report was well-received by senior leaders, facilitating swift decision-making and positive changes across the organisation.
Mark Sandison said: “At People’s Postcode Lottery, we have a responsibility to our supported charities, our ambassadors, and most importantly, our players – a responsibility we take very seriously.
“With so much external scrutiny, it is vital that we ensure our safety measures keep pace with the constantly evolving nature of our organisation and any potential threats it faces.
“PPL has a wide range of cyber and data security measures in place but we are always looking to improve and mature where we can, so we engaged Waterstons to conduct physical penetration testing.”
“People’s Postcode Lottery was willing to test themselves and their controls,” explains Simon Evans, Principal Security Consultant at Waterstons and physical penetration test expert.
“Without that openness and willingness, a penetration test of any kind cannot be successful. It’s not just about identifying existing gaps but also understanding how they can be closed to drive meaningful improvements.
“Months of planning and preparation can go into a physical penetration test, often without the client knowing. We’re not going to give away our secrets, but it takes a lot of the same skills as being a member of a determined threat group, a mystery shopper and an actor.”
Physical penetration testing takes both technical and social engineering to be successful.
Mark further explains how physical penetration testing will continue to play a key role in Postcode Lottery’s business strategy.
He said: “We constantly need to be looking ahead and futureproofing our organisation – we’re always working several years in advance. Partnering with experts like Waterstons allows us to rely on their cyber security and technology expertise to ensure we remain up to date.
“We’re proud to be ISO27001 certified and BS10012 compliant and we plan to maintain these standards.
“A key part of this is developing and implementing an ongoing penetration testing programme – both physical and network – to complement our wide range of existing cyber and data security measures. This helps us fulfil our responsibilities to our people and players while reinforcing our competencies and certifications.
“Working with Waterstons means having trusted, accredited advice and experts in our corner. We’re able to make informed decisions based on the information they provide. They understand us, our needs and what matters most to us.”
Physical penetration testing gives organisations the opportunity to understand how their physical security controls are working and to identify areas for staff training and improvements required in buildings and procedures. It also provides information for positive change and its management.
To find out more about physical penetration testing, get in touch with Simon Evans at simon.evans@waterstons.com