Managed IT Support and Cyber Security

BPI Auctions

Founded in 2010 and headquartered on the Normanton Industrial Estate in Wakefield, BPI Auctions is the nation’s No.1 online marketplace for industry. The company delivers fast, hassle-free commercial asset disposal for businesses that are retiring, relocating, restructuring, renewing fleet or closing, running online auctions across sectors including construction plant and machinery, engineering and fabrication, commercial vehicles, catering equipment, agricultural machinery and UK liquidation and insolvency sales. Alongside the auction platform, BPI Asset Advisory provides RICS-regulated valuation and advisory services, and the group is trusted by national partners including Jewson, KFC, Whitbread and Siemens.

As a digital-first marketplace, BPI’s auction platform is the business. Thousands of buyers and sellers rely on it every day to bid, transact and settle high-value sales, and the company processes a constant flow of payments, invoices and personal data. Platform availability, transaction integrity and the security of buyer and seller information are therefore fundamental to BPI’s revenue, its reputation and its obligations under UK data protection law, a standard the business underlines through its ISO 9001, ISO 14001, ISO 27001 and ISO 45001 accreditations and Cyber Essentials certification.

Fold 1 Image

Executive Summary

BPI Auctions engaged TwentyFour IT Services with a clear objective: to strengthen the company’s cyber security posture, protect its online auction platform and the buyer, seller and payment data it handles, and modernise its IT estate in line with Cyber Essentials and ISO 27001 standards, all without disrupting live auctions or the day-to-day work of its valuers, auction teams and back-office staff. Auction houses and online marketplaces are prime targets for cyber crime: high-value transactions, published sale timetables and constant invoice and payment traffic make them attractive to phishing, Business Email Compromise and payment-diversion fraud, where attackers impersonate the auctioneer or its clients to redirect deposits and settlement funds. For a business built on trust between buyers and sellers, the consequences of a breach extend far beyond downtime, putting client funds, accreditations and hard-won reputation at risk.

Prior to engagement, the business was operating with limited visibility of its devices, inconsistent patching, no centralised identity and device management, and limited protection against email-borne impersonation and payment-diversion fraud.

Through a structured assessment of BPI’s environment, TwentyFour IT Services identified the risks and gaps that mattered most to a high-volume online marketplace and designed a remediation and modernisation programme around them. The result is a secure, centrally managed and resilient foundation that protects the platform, its users and their funds, while keeping auctions running and staff working without interruption, at head office, on client sites or on the move.

Objectives

BPI Auctions’ goals centred on protecting the availability and integrity of its auction platform, safeguarding buyer, seller and payment data in line with its UK GDPR obligations and ISO 27001 commitments, and defending the business against email-borne fraud, while modernising its devices and identity controls and maintaining a familiar working environment for its team. Resilience was equally important: auctions end on the hammer, not on a convenient date, so systems, listings and communications needed to remain available and recoverable at all times. These priorities required a carefully planned programme between TwentyFour’s implementation engineers and BPI that balanced security requirements with the practical realities of a busy, deadline-driven auction operation, with every change clearly communicated as part of TwentyFour’s wider Change Management implementation strategies.

Technical Solution & Implementation

Assessment and Visibility

TwentyFour IT conducted a structured discovery phase using on-site assessment and automated endpoint discovery, supported by CREST-Certified Penetration Testing. This provided a full picture of the environment, highlighting the risks, vulnerabilities and gaps most relevant to an online marketplace handling high-value transactions, which were integrated into the proposal and remediation roadmap.

Outcomes & Benefits

Through a structured review and targeted uplift of its security controls, devices and email defences, BPI Auctions now operates on a secure, centrally managed and resilient technology foundation with the policies, processes and controls required to achieve Cyber Essentials Plus certification. The auction platform and the buyer, seller and payment data behind it are protected by Zero Trust-led endpoint security, hardened identity controls and robust email fraud defences, while encrypted backup and a documented recovery plan ensure the business can meet its commitments to buyers, sellers and corporate partners whatever happens.

By partnering with TwentyFour IT Services, BPI Auctions has built a long-term resilient foundation that supports both its position as the nation’s No.1 online marketplace for industry and the thousands of buyers and sellers who rely on it, because when the hammer falls, every bid, every invoice and every payment has to be one the client can trust.

Whenever we have been unsure of an answer or needed assistance obtaining information, the team's approach has consistently been to take ownership and resolve the matter on our behalf. Their willingness to step in, provide solutions, and follow through on commitments has been greatly appreciated.
The "nothing is too much trouble" attitude that Twenty-four IT demonstrates is both reassuring and refreshing. Having a partner that approaches challenges with a positive, solution-focused mindset has given us confidence and peace of mind throughout our engagement.

Joanne