BCIS (Building Cost Information Services) is the UK’s leading provider of construction cost and pricing data, supporting the built environment with trusted insight for over 65 years. With around 100 employees, BCIS operates as a lean but nationally critical organisation, delivering data, forecasts and consultancy services that underpin critical decisions for surveyors, insurers and developers across the UK.
In May 2025, BCIS faced a serious security incident. An administrator account without multi-factor authentication was compromised, putting systems and client trust at risk. The organisation needed immediate clarity on what had happened, decisive containment and confidence that it would not happen again.
The Challenge
The immediate priority was incident response. BCIS needed to understand how the breach occurred, whether data had been accessed and what steps were required to secure the environment quickly and correctly.
Beyond the incident, there was a broader challenge. Like many growing organisations, BCIS wanted always-on protection without building or running a 24x7x365 security operations centre. Attacks spanned identities, endpoints, email and cloud services, but security signals were fragmented. Without unified telemetry and automation, teams risked drowning in alerts while real threats slipped through.
BCIS also wanted to maximise its existing Microsoft investment. The requirement was clear: the solution had to deliver outcomes, not add another security tool to manage.
Choosing the Right Partner
BCIS selected CyberOne for its ability to respond under pressure and stay engaged long-term.
CyberOne’s NCSC-accredited Cyber Incident Response capabilities provided assurance that the incident would be handled correctly and deliver regulator-ready outputs. As a Microsoft Security Solution Partner and MISA-verified Managed XDR provider, CyberOne also brought deep experience in turning Microsoft security platforms into effective, operational defences.
Just as importantly, CyberOne operates as an extension of internal teams, combining technology, process and people rather than handing over tools and walking away.
The Solution
Cyber Incident Response
CyberOne mobilised their Cyber Incident Response capabilities within hours of notification. The compromised account was isolated, the threat contained and analysis confirmed that no data had been exfiltrated.
A plain-English forensic report was produced, including Information Commissioner’s Office guidance suitable for regulatory review. Urgent guardrails were enforced immediately, including global multi-factor authentication and hardened privileged access, to prevent recurrence.
Operations remained stable throughout, with no downtime or service interruptions.
Managed eXtended Detection & Response (MXDR)
Following recovery, BCIS onboarded CyberOne’s Managed eXtended Detection & Response service to provide continuous protection.
CyberOne integrated Microsoft Defender XDR, delivering unified detection and response across identities, endpoints, email and SaaS, with Microsoft Sentinel as the cloud-native SIEM. This provided full visibility, high-fidelity detections and rapid containment backed by 24x7x365 security operations centre coverage.
The service is supported by continuous tuning, automation and monthly service reviews to ensure detections remain aligned to real-world threats.
Why Microsoft Security?
BCIS chose to build its defence around Microsoft’s integrated security platform rather than a patchwork of third-party tools.
Microsoft Defender XDR and Microsoft Sentinel operate as a single platform across Microsoft 365 and Azure, reducing complexity, speeding investigations and lowering the cost to serve. CyberOne’s Microsoft-aligned delivery ensured BCIS could realise value quickly from investments it already had in place.
The Results
The outcome was not just recovery but, just as importantly, resilience.
- The incident was contained with no downtime or data loss
- One hundred percent of endpoints and cloud services are now covered by Defender and Sentinel
- Average response time is under one minute with 24x7x365 security operations
- Multi-factor authentication (MFA) and privileged access controls are enforced across the environment
- BCIS has experienced zero breaches since partnering with CyberOne
- Leadership and clients have increased confidence backed by always-on response
- Enterprise-grade security was achieved without adding multiple vendors, delivering cost-effective resilience
“CyberOne gave us a clear explanation of how the breach happened and what to do next – exactly what we needed.”
Alan Churley, Product & Engineering Director, BCIS
CyberOne continues to operate as an extension of the BCIS team, providing continuous detection, investigation and response aligned to the organisation’s growth.
Next steps
If your organisation experienced a real cyber incident tomorrow, would you have the clarity, response speed and confidence BCIS now has?
Speak to CyberOne about cyber incident readiness and Managed XDR and understand how Microsoft-led security can protect your business without adding complexity.