Case Study: Fowler Welch

Fowler Welch selects CSaaS from norm. to deliver cyber security protection peace of mind

Fowler Welch is a UK supply chain and logistics expert specialising in flexible, reliable and cost-effective supply chain services for major names in both supply and retail. One of the company’s key differentiators is its eight strategically located depots covering the UK, with dedicated teams on each site as points of contact and with full traceability of product in real time. As specialists in supply chain services for temperature-controlled products, Fowler Welch has expert knowledge in advanced transport and warehouse systems to deliver a range of specialised services for its customers. Fowler Welch relies on an extensive EDI integration with its customers for real-time transactions and depends on its systems and networks being available 24×7 to ensure that goods are delivered on time and in good condition.

In brief

  • Following a spate of serious cyber security incidents targeting organisations in both the UK and further afield, Fowler Welch began evaluating their own exposure to cyber threats and started researching potential solutions.
  • Norm. was recommended as a potential cyber security service provider which offered managed Endpoint Detection and Response (EDR) as well as a complete managed cyber security service encompassing all of the elements of an effective cyber defence – people, process and technology.
  • As a result of selecting Cyber Security as a Service from norm., Fowler Welch now has complete visibility into the strength of its cyber security controls and a clear path to continue reducing its level of cyber risk.

The challenge
As the frequency and sophistication of cyber attacks in general, and ransomware attacks in particular, continue to rise, Fowler Welch – specialists in supply chain services for temperature-controlled products – asked themselves whether the same thing could happen to them. They had many of the classic and most common cyber security solutions in place, such as anti-virus and email filtering, but quickly realised that in the event of a more sophisticated attack – involving a “zero-day” exploit or previously undiscovered malware – they could be at risk of a cyber issue affecting their ability to deliver services to customers.

For a company whose customers include some of the biggest and best known retailers in the UK, and whose reputation hinges on providing a reliable and resilient service, the risk of a cyber attack forcing operations offline and disrupting the flow of goods and services is very real. Not only could such an attack mean significant time spent on investigation, recovery and remediation – it would also incur a cost both financially and, potentially, to the company’s reputation.

Matthew Downes, IT Director at Fowler Welch, explains: “We’re a medium-sized business with around 1500 employees in the UK. We were increasingly learning of cyber incidents affecting other similar businesses, which were sophisticated in terms of how the attackers gain access, remain inside the network and then extract information and encrypt data. It was something of a wake-up call for us. These types of attack not only disrupt internal operations, but also have a knock-on effect for suppliers, customers and partners. We knew we needed to assess our own exposure to cyber threats of this kind, and do whatever we could to mitigate the risk.”

Until this point, the risk posed by a cyber attack was well understood by the technical team at Fowler Welch, but was less tangible to business leaders and Board members. In the wake of such close exposure the business agreed that a more cohesive approach to managing cyber risk was required – one which took into account the core systems, assets and data that needed to be protected, the cyber threats most likely to compromise them and the key actions required to address those threats.

The solution
With first-hand experience of how traditional cyber security technologies could easily be thwarted, the team turned its attention to more advanced solutions – like Endpoint Detection and Response (EDR). The automated and continuous nature of EDR technology appealed to the team on account of its ability to instantly recognise threats using Indicators of Compromise, and to respond to threats in real-time.

“It’s the difference between a classic alarm on the front of your house which tells you when someone has broken in through the front door, and the surveillance system that recognises the signs that something is out of the ordinary – like the guy sitting in a van across the road who’s been monitoring the activity of the residents for a few days,” Matthew continues. “EDR seemed like a good fit for us because it looked for the signs that something out of the ordinary or unexpected was occurring – and would stop it in its tracks without first having to know exactly what was causing the anomalous behaviour.”

After doing some initial research on EDR vendors, Matthew contacted one of the leading providers of security operations and threat intelligence solutions to enquire about the partners they would recommend for Fowler Welch. From their extensive network of partners they came back with five suggested managed service partners. Norm. stood out as a specialist cyber security service provider that could offer a standalone managed EDR service, or a fully comprehensive service that combined a number of leading technologies, along with other process and people components, to give customers end-to-end visibility of the strength of their cyber defences across all devices and locations.

Matthew picks up the story: “We did speak to other, larger providers, but with norm. it felt like a much more collaborative and personal process. They took the time to understand what it was we were trying to achieve, and presented various modules which we could either take on an as-needed basis, or as a complete managed service. We quickly recognised that as well as EDR we would benefit from a solution that would help us to identify and patch vulnerabilities, as well as educating and training our employees to be aware of cyber threats and avoid falling victim to phishing and other scams. That’s why we chose to take the full Cyber Security as a Service offering – it included the technology we knew we needed, the training aspect and set us on the path to achieving compliance with industry-recognised standards that are becoming increasingly important.”

The benefits
Although EDR was the initial impetus, it was the vulnerability management module that had the most impact at first. All CSaaS customers have access to the service’s online Visualiser portal, which provides a complete overview of the performance and strength of their current cyber security measures, as well as key actions to improve them. Deploying vulnerability management and gaining instant visibility of the assets and vulnerabilities across the entire estate was quite an eye-opener for Matthew and his team: it illuminated a number of devices, platforms and applications with vulnerabilities that had not been patched on a regular basis, and allowed the team to prioritise them according to the assets which were most affected. Having highlighted this as a critical area, the team set to work making the necessary updates, removing unnecessary devices and removing redundant applications in order to reduce the potential attack surface.

As well as providing data relating to the specific modules deployed, the Visualiser is also used as a management tool to track overall progress against cyber risk management milestones and to communicate what is being done – and how effective those measures are – back to the business.

“Prior to signing up to the norm. service it was a case of we didn’t know what we didn’t know. Deploying the service has been like switching the lights on and finally being able to see what’s lurking in the dark corners of the room. Until you have visibility of what’s going on across your entire technology estate, you can’t address it, which means you have no real idea of whether you’re protected against cyber threats or not,” Matthew goes on.

As well as the prioritisation and peace of mind that the Visualiser has delivered, Matthew and the team have also benefited from having direct access to the team of cyber security specialists at norm.

“We feel as though we can pick up the phone at any time and speak to someone who understands our business and can give us a sensible answer to any queries we may have. They help us to decide whether something that has been flagged is something we actually need to worry about, or not. We’re not cyber security experts, and we don’t have to be, because the guys at norm. are,” says Matthew.

In addition, as a food distributor, Fowler Welch is subject to the standards set by the British Retail Consortium and, as a key part of the supply chain for a number of very large retailers, is contractually obliged to have technology and cyber resiliency measures in place. A further benefit of the Visualiser is that it allows Fowler Welch to clearly demonstrate the cyber security controls it has in place and how they are helping to reduce its exposure to cyber risk.

Matthew concludes: “Before choosing norm., cyber security was very much in our minds but out of sight. We knew we needed to do something, but we weren’t sure where to start. We began this process thinking that we needed an EDR solution, and quickly realised that we needed something far more wide-ranging if we really wanted to increase our levels of protection and deliver the peace of mind the business needs. For us, this is just the start of the journey, and we’re really pleased to have embarked on it with norm.”
