A global bank required an investigation into its vulnerabilities via its building management systems.
The customer has a large portfolio of facilities around the world, including 130 critical facilities and 350 non-critical sites, with hundreds more branches. The management of these facilities is mostly outsourced to facilities management providers, who manage the running of the building management systems (BMS) as well as other similar systems on site. The main users of the BMS were M&E engineers with limited knowledge of IT best practice, so a review of cyber security was necessary to ensure the customer was as secure as possible.
Given the size of the organisation, it was imperative that a detailed assessment was conducted to determine the exposure of their IT systems to vulnerabilities in the BMS network. With the size and scale of the business, and the outsourced nature of how the system was managed, the initial challenge was ensuring that all relevant parties were involved in the process and understood the importance of strong cyber security.
We conducted a number of vulnerability assessments and workshops with the facilities management providers to fully understand the systems and processes used on the core sites. Once this had been completed, we used network analysis to determine integration between IT and BMS systems.
Our team of cyber experts then conducted assessments and interviews with the smaller, non-critical sites to establish a holistic view of compliance with cyber security best practice across the whole organisation.
Throughout the whole process we identified a number of vulnerabilities in the system, ranging from anti-virus and operating system risks to governance and users’ IT skills. All vulnerabilities were addressed individually in order to best resolve them, and the outcome was a comprehensive set of recommendations to help the bank implement measures to mitigate and manage the risks across its entire estate.
Having identified a number of areas for improvement, and taken steps to address them all individually, we delivered a set of detailed recommendations to the customer, which set out measures they could implement in their security strategy that would mitigate future cyber risks and threats.
The action plan provided helped the customer remediate the identified cyber security weaknesses and put in place an ongoing regime that enabled the maintenance of adequate cyber controls in the future. By involving the customer and all providers with access to the system, the team delivered a comprehensive and holistic review of the customer's cyber security profile.