Case studies

Helped national UK charity migrate to Microsoft 365 to prevent security breaches

Wed, 19 Jun 2019 00:00:00 +0000

The problem

Security is paramount these days and if you are not careful with the data you store you could be liable for a BIG fine.

GDPR (the General Data Protection Regulation) was brought into enforcement on 25th May 2018. It had been legislation for two years prior to this however it was not enforced to give businesses time to adopt new ways of working.

In the past security of data was not see as that big a deal because it was far cheaper to pay the fine than it was to have good security measures, the maximum you could be fined was £500,000 if the Information Commissioner’s Office (ICO) found out about a security breach. This was with the Data Protection Act that had been in force for 20 years, however, as stated earlier, businesses were not obliged to inform the ICO if they had had a security breach which is why it was not a viable approach.

GDPR was introduced to add weight to the regulators across the EU, it is a pan EU directive which now obliges businesses to inform the regulator if they have a breach, if they do not inform the regulator within a set time they are liable for a fine. Not only that but if you do inform the ICO you can still be liable for fine, each determined on a case by case basis, determined by size of the breach, how much security had been implemented and whether GDPR has been implemented.

Up until September 2019, the various EU’s regulatory authorities have issued, or announced they will be issuing, fines of approx. €372,120,990.50 which has made businesses appreciate the need for security.

What we did

With this in mind we have been assisting a National Charity in the UK with implementing security policies and processes that help prevent security breaches.

In order to do this, we have firstly helped them migrate to Microsoft 365 and then implement the following:

Setup policies for Data Loss Prevention (DLP) which scan for:

UK Financial Data

UK Access to Medical Reports Act

UK Data Protection Act

UK Privacy and Electronic Communications Regulations

UK Personally Identifiable Information Data

UK Personal Information Online Code of Practice

The above policies scan the content of Exchange emails, SharePoint sites, OneDrive accounts, teams chat and channel messages. The policies have been configured to intercept data if it is attempted to be shared externally and the user trying to share the data will be emailed with policy tips to ensure they do not violet the policy that triggered the alert.

The owner of the SharePoint site or one drive will also be notified as well as the owner of the content. The data controller and the compliance office are notified about policy violations.

The other feature that have been configured is to have Information Governance using custom labels that have been setup.

The labels are:

Public

Commercial Confidential

Internal Confidential

Management Group

Private

The labels are used to trigger events or to manage how the data is stored or shared. Specific data labels trigger specific events, for example only public labelled data can be shared openly, Commercial Confidential can only be shared with specific partner businesses and the other labels cannot be shared externally by policy. Users are forced to label data when it is created and saved or created and shared such as documents, spreadsheets, email etc. Only specific users can lower the sensitivity of labels meaning that general users cannot change a label once it has been assigned to the data which stops users from demoting data in order to share it when it shouldn’t be.

The Compliance Administrator can now to Data Subject Requests (DSR) within the organisation, allowing reports to be generated showing all of the locations that data is stored and gathering all instances in a report that can be supplied to the user that has made the request, something they couldn’t do easily before which would potentially put them in breach of GDPR if they were found not to have supplied all the info from a DSR.

Lastly, we have configured Microsoft Service Trust portal which enables the charity to self-score GDPR compliance and allows the charity to show all steps taken to ensure data is secure within Microsoft 365. This provide a GDPR checklist the charity can follow to ensure they are compliant or if not, document what they are doing to work towards compliance.

Migrating to Microsoft 365 rather than Office 365 allows you to utilise these additional features.

Resource booking system implemented for new company head office building

Thu, 24 Oct 2019 00:00:00 +0000

the problem

One thing that is surprising to many businesses is how much it costs to have office space.

Especially if you are planning on growing a business or if you have transient staff that aren’t always in the office, instead on the road, doing their job.

Paying for empty desks with no one using them is expensive for any business which is why a lot more businesses are looking to smarter ways of working.

It is very common that you do not need to have the same number of desks as you do staff because a lot of the time the desks are empty, so ways of working are changing. Instead of having desks that are the domain of one person, more businesses are implementing flexible working where desks become bookable resources instead of fixed to individuals.

The easiest way to think of it is that each desk becomes like a meeting room but for one person. If you need a desk, you look in the desk booking tool (something even as simple as just a calendar) and if it is free, you book it.

One thing that does occur with systems like this is that people can decide to block book a desk for weeks and then not use it, making the system invalid because others cannot book the resource, so this is where some intelligence comes in.

With resource booking systems now, such as Condeco, your bookable resources become smarter, so if someone books a desk, they need to be at the desk to electronically check in within 15 minutes of the booking start time otherwise the resource is automatically released into the available resources pool. This ensures that resources cannot be block booked and left empty whilst other staff struggle to find desks or other bookable resources.

Speaking of other bookable resources it is not only desks that can be allocated as smart bookable resources, other commodities such as parking spaces, company vehicles, meeting rooms and conference systems.

What we did

We helped a company fit out a new head office building with a new resource booking system

We helped then to make it smarter, allowing a reduction in the number of desks they needed which reduced the amount of floor space needed which in turn considerably reduced costs.

After doing some audit work it became obvious that a lot of real estate within their existing offices was unused and it was costing the business a lot of money to pay for empty space and after calculation it transpired that at least 70% of desks and resources were allocated to staff but went unused.

To combat this we came up with a solution using the Condeco smart resource booking system which allows the client to control how resources are deployed to staff members and also to define who could use which resources.

The resources within the building were all made smart although not all resources were bookable by everyone. For example we made sure the exec suite resources were only bookable by execs and their personal assistants. The training rooms which could be opened up into a single auditorium were also restricted as to who could book these resources.

All other resources were bookable by all staff which comprised of:

Desks

Meeting rooms

Video conference systems

Parking spaces

Catering facilities

Public spaces for town hall style meetings

How it works:

Staff can use an application on their mobile to check if resources are free prior to attending site and can book them if free, allocating a start time.

When the member of staff gets to site they can navigate to the resource using a digital floorplan on their mobile.

Once they get to the booked resource, they an tap to check into the resource using an RFID card to tap the sensor.

When the sensor has been activated it marks the resource as in use, below is an example of one of the desk pucks that show the resource status and what its up coming bookings are. If the Puck is green it means the resource is currently free, if it is red it means it is in use. If it is amber it means the resource is in use but is becoming free.

If a user has finished with the resource sooner, they can tap the same sensor to show they are not longer needing it and it will automatically check the resource back into the availability pool.

Sometimes we run a little late, through no fault of our own which is why we added flexibility into the solution. As this office space was a new building in London a lot of people need to travel considerable distances to get there and are often at the mercy of public transport not running to time. In order to accommodate people running late, we build some flexibility into the solution, allowing a user to remotely check into the desk to ensure they keep the resource and it is not released before the get there.

Technology strategy implemented to align with business strategy.

Fri, 25 Oct 2019 00:00:00 +0000

The problem

Understanding where you are headed

When running a business, the leadership team has an understanding of what you want they achieve with what the business is doing and where it is headed in terms of growth and profit.

There are business plans, outcomes, goals and strategies that are constantly developed and reviewed on how to get there. Business development is a journey.

As with any journey, if you do not have the right direction, you can either end up totally lost or arrive at the wrong destination. Imagine if the captain of a ship set sail from Southampton to New York but they were 1 degree off course at the start of the journey, they would end up hundreds of miles away from New York when they reached the other side of the Atlantic.

One of our clients is fantastic at the business strategy and planning side of their business but they never incorporated the technology strategy into business planning which often resulted in a lot of frustration as they could not grow as flexibly as they wanted to but the technology held them back.

They were also not at a size where they could justify a full time IT Director to help them plan for business growth from a technology viewpoint which is why they engaged with us.

What we did

We provided them with a “Virtual IT Director”

Our virtual IT director is effectively a part time resource that works closely with the leadership team and understands their business, their business process and where the business is heading, and we were able to develop an technology strategy and budget that helps them get to their destination. This is an ongoing process because a business is constantly evaluating how things are and adjusting how they engage accordingly.

What we discovered was that the technology strategy was fighting against the business strategy , not working with it. Staff were frustrated which resulted in shadow IT solutions emerging which had introduced significant risk.

What’s shadow IT? It is IT systems that are implemented in a business by staff to try to make their lives easier often without the person responsible of the IT systems knowing about it. This can inadvertently introduce some serious security flaws as the data is in systems that the business doesn’t know about but is still responsible for! Including fines if the data is compromised. It can also put the business at risk because of software license infringements, with staff using software that was licensed for personal usage but were using it for business.

This was the case with our client, the staff, being frustrated with how the IT was not allowing them to work efficiently, they had introduced various tools and services that the leadership team was unaware of. This included sharing data with external third parties using personal versions of Dropbox and Google Docs meaning that company data was in locations that the business was unaware of. This also meant that the leadership team was liable for any data breaches even though they didn’t know about the shadow IT.

We worked with the business to identify the frustrations that the staff had in how they were working whilst at the same time doing a full audit of software and how the users were carrying out their jobs which identified significant levels of shadow IT which came as a shock to the leadership team, especially when the risks and potential outcomes were highlighted to them.

To help the business perform the way they wanted to meant that we needed to develop an IT strategy that aligned the IT to where the business was heading and also to provide staff with tools to carry out their roles without them needing to resort to using software they were not meant to. Interestingly by also changing the approach to IT spend we helped implement new services whilst reducing capital expenditure by switching the software purchasing to an operational expense.

By agreeing the new technology strategy we then went ahead and rolled out the software they needed in order to do their work which was primarily Microsoft 365 in conjunction with Salesforce. This gave staff the tools and flexible ways of working that they needed in order to work collaboratively, internally and externally with third parties. After basic training, staff quickly adapted to the new ways of working and whilst there was some resistance from a minority of staff, they soon came on board when they saw the benefits of the new ways of working. Understandably people are uncomfortable with change but the implementation, coupled with training on how to use the solutions, meant that uptake was straight forward.

In conjunction with the roll out of new software, the shadow IT solutions were migrated and decommissioned and to ensure they didn’t reappear, we created security policies for the staff machines which prevents them from installing unauthorised applications and also created policies within Office 365 to ensure that data would not leak from within the organisation. Data can still be shared with strategic partners but with strict controls in place.

Staff also saw increased productivity because we introduce unified communications allowing them to be more mobile whilst still having full access to the office telephony system, meaning that extensions could follow staff around without them needing to forward calls manually to their mobiles or worse still, giving out personal mobile numbers to customers. Staff are given a stipend to use their personal mobiles to ensure they are not out of pocket and a soft phone on the mobile allows telephony services to work with the office telephone solution.

Staff found that Office 365 meant they could also be more flexible with how they worked and by implementing Microsoft 365 within the organisation, it meant that the leadership team were able to have security measures in place that protected the business data, the business reputation and the business from fines!

The security policies that have been configured mean that the staff can work from home in a controlled way without there being the danger of data leaking onto their personal devices, they can access corporate data but only using the webtools in Office 365 meaning that they are getting a controlled window into the business data instead of full access.

All shared data within the organisation was centralised into SharePoint online allowing controls to be put in place as to who could see it and share it, both internally and to third parties externally.

Microsoft Teams allowed all the staff to start working in a collaborative way that they had not been able to before by allowing them to create project oriented team spaces which allowed controlled sharing of data with third parties whilst allowing all communication about the project, both chat and email, to be held in one message stream.

By also having up to date, evergreen software meant better integration between Office 365 and Salesforce, before this, staff were having to manually copy data between systems which would lead to data becoming orphaned, out of date and lead to mistakes. By integrating the cloud based services the business was working with one source of data which eliminated costly mistakes and improved both staff and customer experiences by having accurate data.

We have also developed the business continuity and disaster recovery plans to help with the business growth, ensuring that the business can survive if the unthinkable happens, which is something that they had not considered before, more information about the BCP and DR plans will be shared in a further case study.

Microsoft Teams calling

Mon, 22 Jun 2020 00:00:00 +0000

There has been an ad campaign run by Microsoft recently highlighting the effectiveness of using Teams for collaboration in these unusual times where a lot of the commentators in the ad say they are “living in teams” which is a very accurate statement for many businesses but there is often a sense of something missing in Teams and that is the integration with the business phone system.

One of our clients found themselves in that very same boat, they wanted to have the flexibility of extending their internal phone system into Microsoft Teams so that their staff, who were working from home due to lock down, could still make and receive calls without having to rely on emails and falling back to using a mobile. The problem they thought they faced was that they had only just purchased a new phone system and are tied into a long term contract so were worried that they would either have to pay to get out of contract or have to pay the considerable sum the Telco was asking for in order to deploy an on premises session border controller with Direct Routing to integrate the voice system into Teams. This would have left them with an initial capital outlay of several thousands of pounds and the headache of buying direct routing licenses which are sold in blocks of 10.

This is where we helped them by deploying voice calling in Microsoft Teams using a cloud based solution for the executive teams so that they could still use the office telephone system wherever they were, relying on the Microsoft Teams client when they were not in the office. The initial pilot was meant to last for 25 days but that switched to rollout well before the free trial had expired! The solution we use is flexible, scalable and you are not tied into any longer term contracts, just a rolling 30 day notice period, allowing the expansion and contraction of the solution as users require.

If you would like to try integrating your internal phone system with Microsoft Teams on an 25 day trial, call us on 020 3744 8548 and you too can discover the flexibility that voice integration with Teams can provide.

If you would like more