
Why we get our own software hacked every year (and why that's good news)

Harmony Group
Business
Harmony is known for its collaborative, no-nonsense approach to both business and IT. We help organisations transform to a digital organisation and we do this within various sectors and domains. Harmony provides an integrated service: from consulting, to implementation of 'off the shelf' solutions and managed services.

When you're responsible for managing the personal data of millions of people, assuming "it's secure" simply won't cut it. That's precisely why we engage ethical hackers every year to actively try and breach our CustomerConnect platform. And yes, without fail, they always manage to find something.

That might sound alarming, but that’s entirely the point. What separates a truly secure organisation from one that isn't? It's not about pre-empting every conceivable vulnerability—that’s just a digital fantasy in our complex world.

The true difference lies in how rigorously you approach security, how proactively you hunt for weak spots, and how swiftly you rectify them when they surface.

The weight of processing sensitive data

Harmony CustomerConnect serves, among other things, as the central nervous system for communication between major Dutch health insurers and their policyholders. Other major firms, like the Dutch Postcode Lottery, also rely on the platform.

We don’t take that level of trust lightly. When organisations hand over data to us via secure channels, they need to have implicit faith that we will protect that information as if it were our own most sensitive corporate secrets.

How do you put a complex ecosystem to the test?

CustomerConnect is a sophisticated platform: it liaises with external service providers, processes structured data from client back-office systems, and is accessible via a secure web interface with modern authentication.

A system this intricate can't be tested with a bog-standard checklist. That's why we partner with specialist external penetration testing (pentest) firms. They meticulously scrutinise the entire platform using internationally recognised methodologies, such as the Pentest Execution Standard (PTES) and the OWASP Testing Guide.

Multiple testing perspectives

We test our platform from various angles to build the most comprehensive picture possible of our security posture:

  • The Outsider: Pentesters initially only receive publicly available information—mimicking the resources a malicious actor would have. No login details, no background on the architecture. The question is simple but stark: can someone from the outside break through our defences?
  • The Insider Threat: In a subsequent phase, pentesters are given legitimate access rights, comparable to a regular platform user. This simulates a compromised account or a malicious insider. The crucial question here is: are our different client environments genuinely segregated? Can a user from Company A gain access to Company B’s data? Are users strictly limited to their appropriate permissions?
  • Configuration Review: We commission a thorough review of our configurations and our connections with external service providers. How do we transmit data to our partners? Are our connections correctly secured? Are we deploying the appropriate encryption standards for all data transfers? These reviews don’t involve active penetration but are equally vital. An incorrect configuration can lead to a data breach just as easily as a flaw in the code itself.
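The "Insider Threat" question above (can a user from Company A read Company B's data?) is one that can be turned into a repeatable check rather than a one-off manual test. The following is an added example written for this post, not code from Harmony or the CustomerConnect platform; it uses a constructed in-memory document store with two client tenants, shows a lookup that authenticates but never authorises next to its tenant-scoped counterpart, and a harness that tries every cross-tenant read and reports the ones that succeed, which is exactly the list a retest needs to come back empty before a finding is closed.

```python
"""Cross-tenant isolation check, modelled on the 'Insider Threat' pentest phase."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class User:
    name: str
    tenant: str  # the client company this user belongs to

# Constructed sample data: two client environments sharing one platform.
DOCUMENTS = {
    "doc-1001": {"tenant": "company-a", "body": "policy letter A"},
    "doc-1002": {"tenant": "company-b", "body": "premium notice B"},
    "doc-1003": {"tenant": "company-b", "body": "claim form B"},
}
USERS = [User("alice", "company-a"), User("bob", "company-b")]

def get_document_vulnerable(user: User, doc_id: str) -> Optional[str]:
    # Authenticated but not authorised: any valid id is returned,
    # regardless of which tenant the caller belongs to.
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None

def get_document_hardened(user: User, doc_id: str) -> Optional[str]:
    # Lookup is scoped to the caller's tenant. A foreign id is answered
    # the same way as a non-existent one, so the response does not
    # reveal whether the id belongs to another client.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant"] != user.tenant:
        return None
    return doc["body"]

def cross_tenant_findings(lookup: Callable[[User, str], Optional[str]]) -> list:
    """Return (user, doc_id) pairs for which a read across tenants succeeded.

    An empty list is the result a retest must produce before the finding
    can be closed; anything else is a segregation failure to remediate.
    """
    findings = []
    for user in USERS:
        for doc_id, doc in DOCUMENTS.items():
            if doc["tenant"] != user.tenant and lookup(user, doc_id) is not None:
                findings.append((user.name, doc_id))
    return findings

if __name__ == "__main__":
    print("vulnerable lookup:", cross_tenant_findings(get_document_vulnerable))
    print("hardened lookup:  ", cross_tenant_findings(get_document_hardened))
```

In a real retest the same harness would run against a staging copy of the platform with one test account per client environment, with the document ids drawn from each tenant's own data rather than the constructed table above.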

What We Find (and How We Action It)

Every year, a penetration test yields findings. These range from vulnerabilities demanding immediate attention to 'best practice' recommendations that simply further strengthen the security posture.

The key takeaway isn't if findings appear—they always will—but how you address them. At Harmony Group, we maintain a stringent remediation roadmap.

A concrete example of our process: when a significant finding is confirmed, it is allocated to our development team’s sprint within a matter of days. We then schedule a mandatory retest to validate the fix. The final report is only officially closed once that retest confirms the vulnerability is no longer present.

This speed of action is non-negotiable. A vulnerability you are aware of but fail to resolve is, in essence, a conscious decision to carry risk. And that fundamentally contradicts the responsibility we hold for the data of millions of policyholders.

Certifications: More Than Just a Piece of Paper

Penetration tests are just one element of a much wider security framework. Harmony Group holds certifications for two critically important standards:

  • ISO 27001: This is the global standard for Information Security Management. It outlines what organisations must have in place to handle data safely: policy, procedures, technical controls, access management, incident handling, and risk analysis. ISO 27001 certification forms the essential baseline for any software provider handling business-critical data.
  • NEN 7510: This is the specific Dutch standard for information security management in the healthcare sector. It was developed to support healthcare institutions and their suppliers with the secure processing of patient data, adding extra, stringent requirements derived from Dutch law and the exceptional sensitivity of medical records.

Beyond these certifications, we also have an independent assurance statement prepared by an accountant. This confirms that we don't just have documented procedures; we actively execute them. The accountant verifies that our control measures function exactly as intended in a real-world setting. It’s the difference between saying "we do it" and being able to prove "we've done it."

For our clients, who often have stringent compliance demands of their own, these certifications and assurance reports are a vital source of trust.

Security Is a Team Sport

Security is not the sole domain of one individual within our organisation. At Harmony Group, it’s a genuine collaboration across multiple disciplines:

  • Our CustomerConnect Team handles the day-to-day development and management of the platform. They are intimately familiar with every function, every integration, and every data flow. When a finding comes in, they are the ones who design, implement, and test the fix.
  • Our Security & Privacy Officer coordinates the pentests, assesses findings from a risk perspective, and ensures the remediation roadmap is strictly adhered to. This role also oversees compliance with ISO 27001, NEN 7510, ISAE 3000, and other relevant regulations such as GDPR.
  • Our Infrastructure Partners provide the underlying cloud environment, network segmentation, firewalls, and all other infrastructural security layers. Many modern attacks target the infrastructure itself, not just the application. These partners must meet security standards that are at least as demanding as our own.
  • And, of course, the External Pentest Partner who scrutinises the entire picture with an independent, highly critical eye.

This multidisciplinary approach ensures we view security not just as a technical hurdle, but as an organisational responsibility that involves every single person.

Transparency as the bedrock of trust

We could easily have written this piece without mentioning that vulnerabilities are ever found. We could simply settle for external communication stating, "we are ISO certified and carry out the necessary pentests," without offering any detail. We choose not to do that.

The reality is that every complex software system contains vulnerabilities. The right question isn't whether you have them, but whether you can find them before malicious actors do. And once you find them, do you then act quickly and effectively?

By being upfront about our security approach—including the fact that we find vulnerabilities and then resolve them—we hope to build trust, not undermine it. Because genuine security is not a marketing slogan; it is a profound, continuous commitment.

For any organisation considering using CustomerConnect, this is perhaps the most critical signal: we take security so seriously that we actively hunt for issues, have the platform rigorously tested by external specialists, and are transparent about our methods. That is fundamentally different from organisations that only take action after an incident has already occurred.

Finally: security is never 'done'

There will never be a time when we can confidently declare: "CustomerConnect is now 100% secure; we can stop." Security is not an endpoint; it is a process. A perpetual cycle of testing, learning, improving, and testing again.

What we can promise is this: we take this responsibility with the utmost gravity. We invest in pentests, certifications, training, and tooling. We are fully transparent in our approach. And we move with speed and decisiveness when action is required.

For the millions of people whose data is processed via CustomerConnect, for the clients who place their faith in us, and for the service providers we work alongside: that commitment is our unwavering promise.

Want to know more about how CustomerConnect makes communication between businesses and clients safer, more efficient, and more reliable? Discover our client communication solutions.
