Client Story

Global supply chain logistics company

Building cyber security and operational resilience

Increasing investment in cyber security maturity

Our client – a global supply chain logistics company – works with many well-known consumer goods brands, making them an attractive target for potential cyber criminals. In the wake of several well-publicised major supply chain cyber-attacks on other companies, the executive leadership team and board recognised they faced a significant risk – which could result in substantial damage to financial performance, business continuity and reputation.

The company embarked upon a three-year scope of work to realise their strategy of increasing their cyber maturity and mitigating their most immediate risks. They needed to be able to identify and manage cyber risks; protect themselves from attacks; efficiently detect and respond to incidents when they did occur; and have the capability to recover quickly. Having historically under-invested in their cyber security defences, they correspondingly raised their cyber security spend from the previous 2-3% of the total IT budget to the industry standard of 6-8%.

Berkeley helped mobilise and then deliver the global programme of work required over a three-year period to achieve the agreed improvements and successfully meet the risk reduction and security maturity targets (as measured against the NIST cyber security maturity framework). 

“The main benefits of Berkeley’s involvement were strong programme oversight, significant contributions to the strategy evolution, and excellent support for executive leadership team and board briefings. They brought really strong oversight on the many moving parts and engagement across the teams.”

VP, GLOBAL IT INFRASTRUCTURE

Programme mobilisation – setting up cyber security transformation for success 

Good programme mobilisation is the essential bridge between a cyber security strategy and the required delivery projects, so we had to lay a firm foundation at this vital stage before we could hope to build anything more. Over the three-month mobilisation phase, we ensured the security programme had a clearly defined scope, delivery roadmap and the right governance to manage and control the delivery.

We also recognised and addressed the fact that people can be a significant vulnerability in an organisation’s cyber security defences. Leading an organisation-wide communication campaign, we raised awareness of cyber threats and the security programme. Just raising investment and implementing state-of-the-art technology won’t lead to your desired outcomes unless human behaviour is changed too. Analysis of historic data from the UK Information Commissioner’s Office has shown that human error causes 90% of cyber data breaches in the UK.

One of our consultants filled the Security Programme Manager role, working within the client team rather than as an external advisor, supported by one of our partners. When we moved into the programme delivery phase, the client asked us to continue to provide overall global programme management for the next two and a half years. 

Delivering a portfolio of cyber security solutions and services

Berkeley had overall delivery responsibility for a total portfolio of 10 projects. Some of our key achievements included implementing a range of new technology capabilities, selecting and transitioning to new service partners, and delivering a range of company-wide training and change management. Berkeley is fully independent, so we were trusted to lead vendor selection and management activities.

We also continued our work on addressing the human factor by publishing and communicating a new data classification and handling policy, which included deploying training to all users. We further reduced risk by leading a project to review and redesign user access and permissions to platforms and applications.

The table at the end of this case study details more of the work we delivered.

Throughout delivery, our consultants were embedded within the client organisation, working hand-in-hand with their team. One highly-experienced consultant took the full-time role of overall Programme Manager, with a partner providing support, advice and guidance at the senior executive level.

The case for consolidating and standardising technology

Standardisation of the infrastructure base and a global approach were significant additional success factors. While the security programme was not responsible for delivering hardware refresh projects, under our leadership, the security programme became a key driver for these initiatives. A standardised technology base is key to providing a consistent level of security and a more easily defendable footprint.   

Achieving a measurable increase in cyber security maturity

Over two and a half years, we successfully delivered the maturity targets set out in the cyber security strategy and achieved 92% of milestones on time and on budget. We were successful despite COVID-19 disruption to the second half of the programme.

Due to our achievements in the first half of the programme, such as implementing multi-factor authentication, we were able to support the move of more than 6,000 staff to remote working without incurring any related security incidents.

Overall, we achieved an independently validated, measurable increase in cyber security maturity for our client. We also significantly reduced the net risk position from ‘critical’ to ‘medium’ against the top cyber security-related corporate-level risks.

But cyber threat is an ever-evolving landscape. While the security programme was a significant step forward for our client, they knew they couldn’t afford to stand still – or risk falling behind again. The client went on to ask for our support to help shape their security strategy and roadmap for the subsequent three years, ensuring they would continue to protect themselves.

Domain | What was delivered

Identity and access management

  • An enterprise-wide identity management solution, to provide single sign-on and multi-factor authentication capabilities to secure the log-in process to core applications such as Workday and O365.
  • Okta’s “User Lifecycle Management” capability, to provide greater security and automation around the user joiner, mover and leaver processes.

User endpoint security (laptops, servers and mobile devices)

  • Full anti-malware and EDR (endpoint detection and response) capabilities across all PCs and servers, so threats could be detected and contained.
  • Automated patching across servers, to ensure operating systems stayed protected from new and emerging vulnerabilities.
  • Increased mobile device security, by restricting access to company data on mobile devices through only corporate-managed O365 applications.
  • Restricting access to removable media (e.g. USB) devices – a major source of malware.

Data security

  • Publication and communication of a data classification and handling policy, including deploying online training to all users.
  • Restricting access to non-approved file storage and sharing platforms, ensuring company data was not stored or shared on non-managed platforms.

Network security

  • Implementation of next generation firewalls at all Data Centres, increasing the capability to inspect network traffic for threats.
  • Deployment of secure Wi-Fi to all locations using network access control technology, to prevent non-corporate devices from accessing the internal network and to provide greater visibility of the users and devices connecting.
  • Implementation of a web filtering solution, preventing potentially malicious websites from being accessed.

Application security

  • Global re-design of all user roles within the core enterprise resource planning (ERP) platform to reduce segregation of duty risk and restrict user permissions to perform only those transactions required for the role.

Security operations

  • Supplier selection, negotiation, contracting and onboarding of a managed security operations centre (SOC) provider, which now provides a significantly enhanced capability to detect and respond to security threats 24/7/365, as well as proactive threat hunting and global threat intelligence.