Our client, a mid-sized construction firm specialising in project management and construction services, aimed to achieve Cyber Essentials certification to enhance its cybersecurity posture, comply with industry regulations, and build trust with clients and partners. They engaged Coffee Cup Solutions, as current partners managing their IT infrastructure and services, to assist them with the readiness and certification process.
A growing construction management company with a diverse portfolio, including commercial, residential, and infrastructure projects. With around 30 employees spread across different sites, the organisation heavily relies on digital tools and software for project management, client communication, and financial transactions.
The company handles sensitive data such as project plans, financial information, and client details, making it a target for cybercriminals. Our client realised the importance of achieving Cyber Essentials certification, a UK government-backed scheme designed to protect organisations against common cyber threats and demonstrate their commitment to cybersecurity.
Decentralised IT Environment:
With multiple construction sites and a mix of on-site and remote working, there was no centralised management of IT systems, leading to inconsistent security controls and practices.
Use of Legacy Systems and Software:
The company relied on several legacy applications for project management and finance, which were not regularly updated and had potential vulnerabilities.
Third-Party Contractors and Supply Chain Risks:
As is common in the construction industry, our client worked with numerous subcontractors and partners, increasing the risk of supply chain attacks due to varying levels of cybersecurity maturity among partners.
Limited Cybersecurity Awareness Among Staff:
Employees lacked adequate cybersecurity training, resulting in vulnerabilities related to phishing attacks, poor password hygiene, and unsecured devices.
Remote Access and Mobile Device Security:
With engineers and managers frequently accessing systems from construction sites using laptops, tablets, and smartphones, there were concerns around secure remote access, data loss, and device management.
To help our client achieve Cyber Essentials certification and strengthen its cybersecurity posture, Coffee Cup Solutions employed a comprehensive, phased approach:
Initial Assessment and Gap Analysis:
We conducted a thorough assessment of our clients' existing IT infrastructure and cybersecurity practices.
Identified gaps and vulnerabilities related to endpoint security, firewall configurations, software updates, user access controls, and remote work setups.
Developing a Customised Remediation Plan:
Created a detailed remediation plan tailored to address the identified gaps and align the company's IT practices with Cyber Essentials requirements.
Prioritised critical actions such as updating legacy systems, implementing endpoint protection, and ensuring secure configurations for all devices.
Centralising IT and Security Controls:
Standardised IT management across all construction sites and remote workers by centralising security policies and controls.
Deployed a unified endpoint management solution to ensure consistent security settings, patch management, and device monitoring.
Enhancing Network and Perimeter Security:
Configured and optimised firewalls to provide robust perimeter security, blocking unauthorised access and mitigating risks of network breaches.
Implemented secure VPN access with Multi-Factor Authentication (MFA) for remote workers and mobile devices, ensuring secure connections to the corporate network.
Strengthening Supply Chain Security:
Developed a third-party risk management strategy to evaluate and improve the cybersecurity posture of subcontractors and partners.
Provided guidelines and best practices to third parties to ensure that their systems did not introduce vulnerabilities into our clients network.
Employee Training and Awareness Programs:
Conducted tailored cybersecurity awareness training sessions for employees to help them recognise phishing attempts, use strong passwords, and understand the importance of securing their devices.
Regularly updated training content to reflect the evolving threat landscape and held simulated phishing exercises to reinforce learning.
Ongoing Monitoring and Incident Response Planning:
Set up continuous monitoring to detect potential threats in real-time and maintain compliance with Cyber Essentials standards.
Developed an incident response plan to ensure swift action in case of a cybersecurity incident, minimising downtime and data loss.
Assisting with the Certification Process:
Guided our client through the Cyber Essentials self-assessment questionnaire, ensuring all responses were accurate and met the certification body’s expectations.
Provided documentation support and pre-certification audits to identify and rectify any remaining gaps before the official certification audit.
By achieving Cyber Essentials certification, our client gained several key benefits, mainly to have enhanced cyber security posture and compliance with industry regulations and new client requirements. With this certification comes operational resilience and business continuity as well as improved reputation and client trust.
We've got a friendly team waiting to help you with your IT needs. Contact us now