Case Study

Cybersecurity Foundations Assessment for a Growing Manufacturing Company

A growing manufacturing organization engaged Blackwood Enterprises to conduct a Cybersecurity Foundations Assessment focused on governance, access management, vendor oversight, customer-data visibility, and external asset exposure.

The organization had experienced significant operational growth and increased reliance on cloud platforms, third-party vendors, and digital business processes. Leadership wanted greater visibility into cybersecurity risks and practical recommendations for improving security maturity.

The assessment identified that the organization's primary risks were not driven by a single technical weakness. Instead, risk was accumulating through inconsistent ownership, access governance gaps, excessive administrative privileges, incomplete vendor oversight, customer-data visibility challenges, and limited attack-surface management.

Overall cybersecurity maturity was assessed as Developing, with a recommended target of Defined within 12 months.

Client Overview

The client is a mid-sized manufacturing organization supporting both commercial and residential customers.

Operations depend on a combination of:

  • Microsoft 365

  • Cloud storage platforms

  • ERP systems

  • Accounting systems

  • Project-management tools

  • Third-party service providers

  • External-facing customer and employee portals

As business complexity increased, leadership sought an independent assessment to better understand cybersecurity risk and identify opportunities for improvement.

Engagement Objective

The assessment was designed to:

  • Evaluate cybersecurity governance practices

  • Review identity and access management controls

  • Assess administrative privilege management

  • Improve visibility into customer-data handling

  • Review vendor ownership and oversight

  • Identify externally visible assets

  • Evaluate security documentation maturity

  • Develop a practical improvement roadmap

The goal was to provide leadership with actionable recommendations that aligned cybersecurity improvements with business priorities.

Scope and Methodology

Scope

The assessment included:

  • Identity and Access Management

  • Administrative Privilege Management

  • Vendor Risk Management

  • Customer Data Governance

  • Security Documentation

  • Account Lifecycle Management

  • External Attack Surface Visibility

Methodology

Activities included:

  • Leadership interviews

  • Technical walkthroughs

  • Documentation review

  • Vendor inventory review

  • Asset inventory review

  • Passive OSINT and attack-surface analysis

  • Customer-data flow review

The engagement focused on governance, visibility, and cyber hygiene. Active penetration testing, vulnerability exploitation, and social engineering activities were excluded.

Key Areas Reviewed

| Area | Focus |
| --- | --- |
| Identity Management | User access, account governance, privilege management |
| Administrative Access | Elevated account usage and justification |
| Vendor Governance | Ownership, accountability, and third-party dependencies |
| Customer Data | Storage, handling, visibility, and ownership |
| Documentation | Procedures, standards, and operational consistency |
| Attack Surface | Public assets, portals, domains, and discoverability |
| Account Lifecycle | Onboarding, transfers, and offboarding practices |

Observed Strengths

The assessment identified several positive practices that provided a strong foundation for future improvement.

Leadership Engagement

Leadership demonstrated a clear commitment to cybersecurity and actively participated throughout the assessment process.

Modern Technology Adoption

The organization had adopted modern cloud technologies that support scalability, collaboration, and operational efficiency.

Operational Discipline

Many operational processes already demonstrated strong ownership and accountability outside of formal cybersecurity governance.

Security Awareness

Employees demonstrated awareness of common cybersecurity threats such as phishing and account compromise.

Business Continuity Focus

Management showed strong awareness of operational resilience and the importance of protecting customer information.

Maturity Assessment

The organization's overall cybersecurity maturity was assessed as:

Developing

Basic cybersecurity controls were present; however, several critical governance processes lacked consistent ownership, documentation, and recurring review.

Target State

| Timeframe | Target Maturity |
| --- | --- |
| 12 Months | Defined |
| Long-Term | Managed |

The recommended path forward focuses on strengthening governance, accountability, access management, vendor oversight, and asset visibility.

Findings Summary

| ID | Finding Area | Description | Rating | Priority |
| --- | --- | --- | --- | --- |
| F-01 | Access Governance | Access reviews were not consistently performed | High | Immediate |
| F-02 | Administrative Privileges | Excessive elevated access existed within reviewed accounts | High | Immediate |
| F-03 | Vendor Governance | Ownership gaps existed across critical vendors | Medium | Near-Term |
| F-04 | Customer Data Visibility | Data was distributed across systems without formal mapping | Medium | Near-Term |
| F-05 | Documentation Maturity | Critical procedures relied on institutional knowledge | Medium | Near-Term |
| F-06 | Attack Surface Visibility | Public-facing assets lacked centralized tracking | Medium | Medium-Term |
| F-07 | Account Lifecycle Controls | Onboarding and offboarding processes were inconsistent | Medium | Near-Term |

Detailed Findings

F-01: Access Governance Gaps

Observation

Formal recurring access reviews were not consistently documented across reviewed systems.

Current State

Access decisions were generally managed by business teams but lacked a structured review process.

Business Impact

Over time, users may accumulate access that is no longer required, increasing the risk of unauthorized access and privilege creep.

Remaining Risk

Without periodic reviews, outdated permissions may remain active after role changes or organizational restructuring.

Recommendation

Implement quarterly access reviews, assign system owners, and require documented certification of user access.

F-02: Excessive Administrative Privileges

Observation

Several administrative accounts retained elevated permissions beyond operational requirements.

Current State

Administrative access was generally controlled but lacked recurring validation.

Business Impact

Compromise of an unnecessary administrative account could significantly increase the impact of a security incident.

Remaining Risk

Elevated privileges increase exposure to phishing, credential theft, and accidental misconfiguration.

Recommendation

Reduce unnecessary administrative access, separate privileged accounts from standard accounts, and require MFA for all privileged users.

F-03: Vendor Ownership Visibility Gaps

Observation

Several critical vendors lacked clearly documented internal ownership.

Current State

Vendor relationships existed but accountability was not consistently assigned.

Business Impact

Unclear ownership may delay decision-making, incident response, contract reviews, or access validation.

Recommendation

Maintain a centralized vendor inventory and assign ownership for all critical vendors.

F-04: Customer Data Visibility Gaps

Observation

Customer information existed across multiple platforms without a formal data-flow map.

Current State

Data was being managed operationally but lacked centralized visibility.

Business Impact

Incident response, retention management, and privacy oversight become more difficult when data locations are not clearly documented.

Recommendation

Develop customer-data flow maps and assign ownership for major repositories.

F-05: Security Documentation Reliance on Institutional Knowledge

Observation

Several critical processes depended on undocumented knowledge held by experienced personnel.

Business Impact

Staff turnover or role changes could negatively affect consistency and security operations.

Recommendation

Develop formal procedures for onboarding, offboarding, access requests, and vendor management.

F-06: Attack Surface Visibility Gaps

Observation

Multiple externally visible assets were identified without a centralized inventory.

Business Impact

Untracked assets may increase exposure to phishing, unauthorized access attempts, or unmanaged infrastructure.

Recommendation

Create and maintain an external asset inventory and perform periodic attack-surface reviews.

F-07: Inconsistent Account Lifecycle Controls

Observation

User provisioning and deprovisioning processes varied across departments.

Business Impact

Inconsistent account management may result in excessive access or delayed account removal.

Recommendation

Standardize onboarding, transfer, and offboarding procedures across the organization.

Prioritized Recommendations

Immediate Priorities (0–3 Months)

  • Remove unnecessary administrative privileges

  • Enforce MFA for privileged accounts

  • Assign owners for critical systems

  • Launch recurring access reviews

  • Document onboarding and offboarding procedures

Medium-Term Priorities (3–6 Months)

  • Complete vendor ownership assignments

  • Build customer-data flow maps

  • Formalize privileged-access reviews

  • Improve documentation governance

Long-Term Priorities (6–12 Months)

  • Establish attack-surface management processes

  • Mature vendor-risk governance

  • Develop cybersecurity metrics and reporting

  • Conduct recurring maturity assessments

Client Perspective

The assessment provided leadership with improved visibility into cybersecurity risks and governance gaps that had developed during organizational growth.

Particularly valuable outcomes included:

  • Clear prioritization of improvement opportunities

  • Independent validation of operational concerns

  • Improved understanding of access-management risks

  • Better visibility into vendor and customer-data dependencies

  • A practical roadmap aligned to business priorities

Conclusion

The assessment concluded that the organization's greatest cybersecurity challenge was not a single technical weakness but the accumulation of risk caused by inconsistent governance, ownership, and visibility.

The organization already possessed strong operational foundations, engaged leadership, and modern technology platforms. By focusing on access governance, privilege management, vendor oversight, customer-data visibility, and attack-surface management, leadership can significantly reduce preventable cybersecurity risk and improve overall resilience.

The recommended roadmap provides a practical path from Developing maturity toward a Defined operating model within the next 12 months.

Engagement Summary

Engagement Type: Cybersecurity Foundations Assessment

Industry: Manufacturing

Primary Focus Areas:

  • Identity and Access Management

  • Administrative Privilege Management

  • Vendor Risk Management

  • Customer Data Governance

  • Security Documentation

  • Attack Surface Visibility

  • Account Lifecycle Management

Overall Maturity Rating: Developing

Target Maturity Rating (12 Months): Defined

Key Outcome: Improved visibility into governance, access-control, vendor, and asset-management risks, supported by a practical cybersecurity improvement roadmap.