Case study: Enhancing cyber security for a civil engineering company
The client
We partnered with a leading civil engineering company that sought to bolster its cyber defences. Our team supported them in achieving Cyber Essentials and Cyber Essentials Plus certifications, performed their first annual internal and external penetration tests, and cultivated a culture of cyber awareness within the organisation.
Achieving Cyber Essentials and Cyber Essentials Plus
Cyber Essentials: Cyber Essentials is a government-backed certification scheme which helps organisations protect themselves against a range of common cyber attacks. Achieving this certification demonstrates a basic level of cyber hygiene and safeguards against the most common threats.
Cyber Essentials Plus: This certification builds upon the basic certification by requiring a more rigorous assessment, including hands-on technical verification. It ensures a higher level of security assurance.
Our approach:
Initial assessment: We conducted a thorough assessment of the company’s current cybersecurity practices and infrastructure.
Collaboration with IT: Working closely with the IT team, we identified gaps and areas for improvement to meet the Cyber Essentials standards.
Implementation: We assisted in implementing the necessary changes, including configuring firewalls, strengthening password policies, and ensuring proper access controls.
Certification: The company successfully achieved Cyber Essentials certification, followed by the more stringent Cyber Essentials Plus.
Pitching the significance of penetration testing to the board
Understanding that executive buy-in is crucial for effective cyber security, we helped the IT team articulate the importance of penetration testing to the board members. Our approach included:
Educational sessions: Conducting sessions to explain the concept of penetration testing, its benefits, and how it fits into the broader cyber security strategy.
Risk assessment: Highlighting the potential risks and financial impacts of cyber incidents, thereby underscoring the necessity of proactive security measures.
Success stories: Sharing case studies and examples of other companies that benefitted from regular pentesting, emphasising the return on investment.
Conducting the first annual penetration test
What it is: Penetration testing involves simulating cyber attacks on an organisation’s systems to identify vulnerabilities. This includes both internal (within the organisation) and external (accessible from outside) testing.
Why it's effective:
Identifies vulnerabilities: Helps in discovering and fixing security weaknesses before they can be exploited by attackers.
Proactive defence: Provides actionable insights for strengthening defences.
Compliance: Ensures the company meets regulatory requirements and industry standards.
Our approach:
Preparation: Collaborated with the IT team to define the scope and objectives of the pentests.
Execution: Conducted comprehensive internal and external penetration tests, simulating real-world attack scenarios.
Reporting: Compiled detailed reports outlining the findings, including strengths and areas needing improvement.
Presenting findings to the board and executives
After conducting the penetration tests, we presented the findings to the board and executive team:
Clear communication: Ensured the findings were articulated in a clear, non-technical manner, making them accessible to all stakeholders.
Strengths and improvements: Highlighted the areas where the company was performing well and pinpointed specific areas requiring further investment.
Strategic recommendations: Provided strategic recommendations for enhancing cyber security, including potential investments in technology and training.
Building a strong relationship
Over time, we developed a robust relationship with both the IT teams and the executive leadership, fostering a culture which prioritises cyber security:
Ongoing support: Provided continuous support and advice to the IT team, ensuring they remained compliant with evolving cyber security standards.
Executive engagement: Maintained regular communication with the executives, keeping them informed of the latest cyber threats and trends.
Training and awareness: Conducted training sessions and workshops to elevate the overall cyber security awareness across the organisation.
Outcome
Our partnership with the civil engineering company has significantly elevated their cyber security posture. By achieving Cyber Essentials and Cyber Essentials Plus certifications, conducting comprehensive penetration tests, and fostering a culture of security awareness, we have helped bring robust cyber security controls to the forefront of their business operations. This strategic approach not only protects their valuable data and infrastructure but also positions them as a trusted and secure player in the civil engineering industry.
Get in touch
Georgia Price-Hunt | Head of Global Sales | georgia_pricehunt@ajg.com
Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909. FP02-2025 Exp. 03.01.2026
© 2025 Arthur J. Gallagher & Co.