
Cavendish Maxwell


Cavendish Maxwell is the Middle East and North Africa (MENA) region’s leading independent firm of property consultants and chartered surveyors. Established in 2008, the company has grown into one of the region’s largest and most respected property consultancies and is a fully certified member of the Royal Institution of Chartered Surveyors (RICS).

“As a firm we offer a number of services to our clients. We’re growing rapidly and maturing as a business, which means we need to protect our information assets and those of our clients. Working closely with banks and financial institutions means that we are asked to prove that we have robust and comprehensive cyber security controls in place. Without them, our ability to grow the business would be severely compromised.” Jessica Taylor, HR Director, Cavendish Maxwell.

The Challenge
Cavendish Maxwell provides a variety of property, valuation and consultancy services to a diverse portfolio of clients across the MENA region. These include banks, insurers, government entities, developers and retailers amongst others. As well as protecting its financial and commercial interests against the risks posed by cyber attacks, the firm is also required to undergo assessments and audits by a number of its clients in order to satisfy their cyber security and data protection obligations. This is a trend which is only set to rise as organisations realise that it isn’t enough to have their own house in order – those of their suppliers, partners and clients must be too.

In recognition of this, the team at Cavendish Maxwell decided to work towards achieving ISO/IEC 27001 – the internationally recognised information security standard. Organisations that are awarded ISO 27001 accreditation are widely recognised as having best practice information security management systems in place, by addressing people and process in addition to technology controls.

“ISO 27001 represents the highest level of information security standard and is a clear signal of our commitment to managing the security of our information assets and those entrusted to us by third parties,” continues Jessica. “This wasn’t a box ticking exercise, but a part of the ongoing expansion and development of the business. If we want to meet our goals, we need to safeguard our people, data and clients against cyber security risks and be recognised as a trusted partner.”

It was at this point that Cavendish Maxwell first engaged with NormCyber and selected its team of compliance specialists to support the firm in gaining the ISO 27001 accreditation.

Shortly after appointing NormCyber, the Covid-19 pandemic hit the region and forced the team at Cavendish Maxwell to change their practices almost overnight. Similar to many other businesses, remote working and online collaboration became essential to its operations, which brought the need for a more mature cyber security defence sharply into focus. With their people, devices and data now outside of the corporate network, the potential attack surface had expanded rapidly. In a matter of days, the risk of a cyber attack compromising the business and possibly rendering it unable to operate had increased exponentially.

Solution
“We knew we needed to roll out advanced cyber security tools, educate our staff and implement new processes quickly,” explains Jessica. “We didn’t have the in-house resources to procure and manage this ourselves – it would have taken too much time and been too expensive. Not only that, but we needed to focus our efforts on supporting our clients and making sure that we continued to provide the levels of service and quality we always have. Norm’s Cyber Security as a Service (CSaaS) offering was the ideal solution – a comprehensive package of fully managed, advanced cyber security technologies, training and best practices, which could be deployed in a matter of days, with no disruption to our core operations.”

Cavendish Maxwell chose to subscribe to the full CSaaS service, including:

  • Cyber Safety and Phishing Service – delivering regular, bite-sized security awareness training combined with simulated phishing attacks to test ongoing awareness and compliance
  • Vulnerability Management – to continuously monitor the network and end-user devices for known vulnerabilities
  • Threat Detection and Response – to provide near real-time security monitoring of the corporate technology platform across Cavendish Maxwell’s multi-office network, Office 365 environment and remote end-user devices
  • Penetration Testing across the entire technology footprint
  • Ongoing management of Cavendish Maxwell’s Information Security Management System to ensure the ISO 27001 system is continually validated and performing as required.

The service also includes access to norm.’s Cyber Security Incident Response Team, should it ever be required. In the event of a security or data protection breach, Cavendish Maxwell can call upon norm.’s specialist investigation teams to support them through initial incident identification and analysis, breach containment, malware eradication and the restoration of services. All with the goal of allowing the team to resume business in the shortest possible time and with minimal impact on its clients.

Benefits
As a fully managed service, CSaaS provides comprehensive protection against known and unknown cyber threats for a fixed monthly fee. The benefits for Cavendish Maxwell include:

  • Enterprise-grade cyber protection at around two thirds of the cost of procuring individual products
  • Allowing its internal IT team to focus on projects aligned with scaling the business and serving its clients
  • The peace of mind of knowing it is fully supported by a UK-based Security Operations Centre (SOC)
  • Complete clarity on its current level of cyber risk via simple, jargon-free monthly reporting.

This last point was particularly attractive to the team. As Jessica explains, “We’ve been very impressed by the level of transparency we have into how the service is performing and our overall cyber stress score. We aren’t cyber security experts, and nor do we want to be. But we do need to know that we’re in the best possible position to meet the increasing demands of our financial services and government clients and expand the business further. CSaaS from norm. has given us a competitive edge, and given our clients the confidence of knowing that they are partnering with a firm who takes the security of its assets just as seriously as it does its own.”
