Cybersecurity Overhaul for a
Regional Investment Firm
A pending regulatory audit with no security baseline in place
A UK-based investment firm managing assets for private clients faced a mandatory third-party security audit as part of its FCA compliance obligations. An internal review revealed significant gaps โ no MFA policy, unpatched systems across the estate, weak network segmentation, and no centralised logging. The firm had 8 weeks before the external auditor arrived.
- No MFA enforced on any system โ email, VPN, or internal applications
- 37 unpatched endpoints, including 4 running end-of-support Windows versions
- Flat network with no segmentation between client data systems and general office traffic
- No SIEM or centralised logging โ no way to detect or prove breach attempts
- Sensitive client financial data accessible from personal devices with no MDM controls
The firm's previous IT provider had managed day-to-day helpdesk but had no security specialism. GBWise was brought in with a hard deadline and a clear mandate: pass the audit.
Risk-prioritised hardening against CIS Controls framework
GBWise conducted an initial security gap assessment mapped against CIS Controls v8, producing a prioritised remediation plan. Work was sequenced by risk severity and audit impact โ highest-risk items addressed first.
MFA rollout across all systems
Enforced MFA on Microsoft 365, VPN, and all internal applications within week one. Conditional Access policies configured to block non-compliant devices.
Endpoint patching and EOL remediation
All 37 endpoints patched; 4 EOL machines upgraded to Windows 11 with hardened baselines applied using CIS-benchmarked GPOs.
Network segmentation
VLAN architecture implemented separating client data systems, general office traffic, and guest networks. pfSense firewall rules enforced least-privilege inter-VLAN routing.
SIEM deployment and logging
Centralised logging via Wazuh SIEM deployed, ingesting Windows Event logs, firewall logs, and Microsoft 365 audit logs. 90-day log retention configured to satisfy audit requirements.
MDM and device policy
Microsoft Intune deployed for device management. Personal device access to client data blocked; compliant corporate devices enrolled with encryption enforced.
Stack
(Name withheld at client request)
Outcomes at audit and 60 days post-engagement
Facing a security audit or compliance deadline?
We offer a free security gap assessment for qualified prospects.