Identity and Access Management: It’s not a matter of if, but when. Are you secure?



Project Description

Case Study


Client: Spinal Home Help

Website: https://www.spinalhomehelp.com.au/

Industry: Non-profit/Healthcare

Products/Services: Microsoft 365, Microsoft 365 Identities, Azure Active Directory, Microsoft Teams, Microsoft Intune, Managed Services, Barracuda TEP

Main Service: IT Security, IT Applications, IT Support

Theme: Identity and Access Management: It’s not a matter of if, but when. Are you secure?


Summary

Spinal Home Help (SHH) is a not-for-profit based in Brisbane that provides services and support to Queenslanders living with spinal cord injuries. The National Disability Insurance Scheme (NDIS) registered organisation had recently undergone a regular NDIS audit, which included a review of its systems and processes to ensure it had robust protection for client information.

SHH director Malakai Tava says the audit highlighted some key areas of concern. The organisation had been managing the licensing and implementation of its Microsoft Office 365 Tenancy internally, and this had led to a number of security vulnerabilities.

“In addition to our office staff, we have volunteers and our board as well, all accessing our Microsoft Office 365 apps. Our volunteers get work experience with us, so we’re regularly getting new volunteers coming onboard. We’d already identified the need to improve both our email security and training around cybersecurity, but just as we started this process, we were targeted by an impersonation scam where the scammers attempted to spoof our email address.”

Tava says that to pass its NDIS audit SHH needed to improve its security posture and formalise its security procedures. As a non-profit, SHH has not had a large budget to dedicate to IT. Fortunately, Alliance Business Technologies (ABT), a leading Managed IT Services, Security and Cloud Solutions provider for small and medium businesses had been supporting SHH’s cause by providing pro bono external IT support service for the past 8 years. With a relationship built on trust, Spinal Home Help now turned to ABT for help improving its security compliance.

Challenge

SHH is not a typical small business, in that its non-profit status and turn-over in the volunteer portion of its workforce create special circumstances influencing its cybersecurity profile. However, Byron Howie, Client Relationship Manager at ABT, stresses that their situation was not unusual for SMBs.

“SHH’s situation is not a one-off case. Many SMBs are in a similar situation where whether for budgetary reasons, or historical ones, they don’t have the resources to develop a strong understanding of their IT infrastructure and its effect on their security profile. Understanding the need for robust Identity and Access Management (IAM) is often not there and in many cases, they don’t become aware of the problem until there is a cybersecurity incident.”

The absence of good IAM processes plays a key role in security breaches globally each year. The most common attack vectors for data breaches in 2021 continued to be compromised credentials, phishing attacks, and cloud misconfigurations, while business email compromise had the highest average cost associated with it (Cost of a Data Breach Report 2021, IBM Security). Since remote working expanded due to the pandemic, cyber threats have increased significantly, making the need for robust security more acute than ever. For many small businesses, the environment is now more complex than they can successfully manage without specialist help.

“Many SMBs are not necessarily aware of cybersecurity best practices or have the internal resources to stay on top of the issues,” says Howie.

Yet even when companies acknowledge the need, there can be an internal culture that is resistant to fully embracing the solutions. Important security measures such as Multi Factor Authentication (MFA) are sometimes seen as too intrusive or unnecessary.

“It’s a fact that the better your security is, the more intrusive it tends to be,” says Howie. “So we try to strike the right balance to ensure the security regime is seamless and as unobtrusive as possible, while still providing the necessary protection. The more hoops people have to jump through, the more annoyed and unproductive they become. We find that it’s an education process. Once people understand the issues and the reasons behind enhanced security, they’re happy to make the shift to adopting better processes.”

Strategy

In SHH’s case, ABT set out to improve its security posture by onboarding it as a fully managed IT customer. ABT started with its standard onboarding process for a Managed Services Agreement, which included a comprehensive audit of SHH’s business systems and conversations with staff and clients to get a deeper understanding of how they use their systems, what their day-to-day operations looked like and what some of their challenges were. This process revealed some immediate vulnerabilities which, combined with the impersonation scam that targeted SHH, led to ABT fast-tracking changes to address the urgent issues.

Being a non-profit, SHH had a limited budget to allocate to systems, and the high turnover and variable technical skill set of its volunteers added to its risk. Combined with SHH’s self-managed Office 365 tenancy, this created issues: Multi Factor Authentication was not enforced, and there were no formal cybersecurity processes or training in place for staff and volunteers. Protecting personal client data and its own reputation were of primary concern to SHH, so this core issue needed immediate attention.

ABT took over management of the Microsoft Office 365 tenancy, including the licensing. Using its Microsoft Certified Engineers, ABT applied its security best practices, including updating SHH’s current Office 365 licenses to take advantage of Microsoft’s newer M365 identity and access security features, ensuring important security options were available. Legacy authentication was blocked, and the number of accounts holding Global Administrator access was reduced. MFA and Conditional Access policies were applied within SHH’s Microsoft 365 and Azure tenants, improving its security posture. Crucially, and fundamentally, identity governance and management were applied and enforced, giving a more seamless user experience and better control over the high turnover of staff across all Microsoft 365 identities, apps, and data access.
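The three tenant-side controls described above (auditing Global Administrator membership, blocking legacy authentication, and requiring MFA through Conditional Access) can be checked and applied with the Microsoft Graph PowerShell SDK. The script below is an added example written for this page; it is not ABT’s or SHH’s own tooling. It assumes the Microsoft.Graph module is installed, that the signed-in account can read directory roles and sign-in logs and write Conditional Access policies (which requires a license that includes Conditional Access, such as Microsoft Entra ID P1), and that a break-glass account exists under the placeholder UPN breakglass@example.com, which must be excluded from both policies so an MFA or policy failure cannot lock every administrator out.

```powershell
# Added example, not from the original case study. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an Entra ID P1 (or higher) tenant.
# $breakGlassUpn is a placeholder: replace it with the tenant's real emergency-access account.
$breakGlassUpn = "breakglass@example.com"

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "User.Read.All", "AuditLog.Read.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Inventory Global Administrators. Every member here is a full-tenant takeover target,
#    so the list should be short and every entry should be justified and MFA-protected.
#    62e90394-69f5-4237-9190-012177145e10 is the well-known Global Administrator role template ID.
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
Write-Host "Global Administrators: $($gaMembers.Count)"
foreach ($member in $gaMembers) {
    # Members can be users or service principals; only users are resolved here.
    $user = Get-MgUser -UserId $member.Id -Property UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue
    if ($user) { Write-Host "  $($user.UserPrincipalName) (enabled: $($user.AccountEnabled))" }
}

# 2. Before blocking legacy authentication, find out who still uses it, so the block
#    does not silently break a scanner, a shared mailbox client or a volunteer's phone.
$legacyProtocols = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP',
                   'Exchange Web Services', 'MAPI Over HTTP',
                   'Outlook Anywhere (RPC over HTTP)', 'Other clients'
foreach ($protocol in $legacyProtocols) {
    $hits = @(Get-MgAuditLogSignIn -Filter "clientAppUsed eq '$protocol'" -Top 50)
    if ($hits.Count -gt 0) {
        Write-Host "Legacy auth in use: $protocol ($($hits.Count) recent sign-ins, e.g. $($hits[0].UserPrincipalName))"
    }
}

# 3. Create the two Conditional Access policies in report-only mode. Report-only records
#    what each policy would have done in the sign-in log without enforcing it; switch
#    'state' to "enabled" only after reviewing those results.
$breakGlass = Get-MgUser -UserId $breakGlassUpn

$blockLegacyAuth = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        # exchangeActiveSync + other = the client app types that cannot do modern auth
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth

$requireMfa = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Confirm both policies exist and are still report-only before anyone flips them on.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -in "Block legacy authentication", "Require MFA for all users" } |
    Select-Object DisplayName, State
```

The order matters for an organisation like SHH with a high-turnover workforce: the legacy-auth inventory in step 2 is what tells you whether a volunteer’s mail client will stop working the day the block is enforced, and report-only mode gives a window to fix those clients before the policy becomes a lockout. Protocol names in the sign-in log are matched exactly, so a tenant whose logs use different client labels will need the list adjusted.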

Bringing staff and volunteers up to speed on cybersecurity posed an issue since SHH had volunteers cycling through the organisation regularly. ABT provided one-on-one security adoption training with SHH’s chosen internal resource, ensuring that going forward, new volunteers and staff were onboarded and offboarded with ease by a security ‘champion’ at the organisation.

Additionally, a physical audit of the site showed staff relying on USB drives for file portability, leading to a recommendation to shift to OneDrive for better security.

Result

SHH’s Tava says adopting Microsoft Identity and Access Management like MFA was a big change for the team. “We have some people working from home and things like MFA and SharePoint security were new to them. It took a little bit of time for everyone to get the hang of the new processes, but it was all a change for good in the end. Everyone understood the need for it, and we passed our audit with NDIS.”

“Now, whether someone is working from the office or from home, everything is consistent and locked down. I saw the results immediately with my own inbox, where the spam and junk are now gone. Previously I was working through a lot of junk email whereas now I only get the email I need to see. Eliminating that potentially dangerous email from peoples’ inboxes is both more productive and more secure. We’ve had no more security scares. It’s been a good outcome for us.”

ABT’s Byron Howie says that even though the upgrade in licensing adds cost, and enforcing security measures like MFA can be a major cultural change for an organisation, at the end of the day security is the most important consideration.

“You don’t want to learn that you’ve got a security issue by being the victim of a breach or scam. In an environment where security threats are changing all the time, it is a business risk to not be reviewing your security posture on a regular basis. That includes your software licenses. In the case of Microsoft Office 365, users on older licenses should be reviewing their licensing regime, since they don’t want to be missing out on new security features. For SMBs looking to save costs, choosing to manage vital business systems yourself – particularly where security is concerned – when you don’t have the internal resources to do it well is a false economy. Prioritise your security and you’re unlikely to regret it.”