Nick Lines, Author at Microsoft Industry Blogs - United Kingdom

http://approjects.co.za/?big=en-gb/industry/blog

How to have secure remote working with a BYOD policy

http://approjects.co.za/?big=en-gb/industry/blog/government/2020/06/26/how-to-have-secure-remote-working-with-a-byod-policy/

Fri, 26 Jun 2020 08:00:46 +0000

Discover how to implement a Bring Your Own Device policy (BYOD) into your organisation while keeping security and productivity at heart.

In light of current events, most organisations – whether in the public or private sector – have needed to rapidly adopt or expand home working. For some organisations, this has required the use of employees’ personal devices (bring your own device/BYOD policy).

In order to manage the risks associated with BYOD, we worked with the Cabinet Office and NCSC to produce guidance on how you can use Microsoft technologies to mitigate the risks associated with employee access to systems and services remotely through unmanaged devices.

Improve employee access

Specifically, we’re looking at how you can access Microsoft 365 services in a way that helps you meet your obligations and leverages its features and capabilities. This guidance doesn’t suggest a BYOD policy is a one and done job. It does, however, draw on the broad experience across the UK government industry and draws heavily on already existing best practice.

The controls described in this document are intended to help you understand why the specific security controls are used. The document also provides step-by-step configuration guidance which your IT team can use to quickly set up and manage your data on personal devices. This allows organisations to understand how the features and capabilities in Azure Active Directory, Microsoft Intune, and Microsoft 365 can be used.

These factors all come together to ensure employees can securely access their work while keeping your organisation’s data secure on personal devices. It helps employees stay productive and collaborate together securely, no matter what device they are using.

Good, better, best blueprint for your BYOD policy

To support this effort, we’ve created a blueprint. This blueprint has been developed to support the use of BYOD scenarios where organisations are not able to provide corporate laptops or mobile devices.

The technical controls that are described in this document have been grouped into three categories, good, better, and best. The rationale for the groupings is described below:

Good

  • Forms the minimum level of configuration that all organisations should meet.
  • Available with Microsoft 365 E3 license.
  • Can be implemented using simple configuration tasks.
  • Browser-based access for PC and Mac.
  • Approved apps for mobile devices.
  • MFA and Restricted Session Controls in Exchange Online and SharePoint Online.

Better

  • Forms the level that organisations should aspire to.
  • Available with Microsoft 365 Security and Compliance Package components or M365 E5.
  • Might require more complex configuration tasks.
  • More flexible and granular control of user policies, session controls using Microsoft Cloud app.
  • Lower residual risk than Good pattern.
  • Browser-based access for PC and Mac.
  • Approved apps for Mobile Devices.

Best

  • Utilises Windows Virtual Desktop (WVD) to provide a solution that matches as closely as possible the same experience of working in the office on corporate IT, from any device.
  • With good management it significantly reduces the unmanaged surface by providing a virtualised corporate desktop for home workers, utilising their personal computing device.
  • Lowest risk approach compared to Good and Better patterns.

[Figure: Good, better, best blueprint for BYOD policies]

So which BYOD policy route is right for you?

The decision flow below aims to help you determine which of the patterns you should use. For example, if an organisation has Microsoft 365 Security and Compliance Pack (SCP) or M365 E5 licenses, then the control used in the Better solution will provide a lower residual risk and therefore should be used.

[Figure: Blueprint to choose the best BYOD policy]

Reduce your risk security posture with BYOD

Having a strong BYOD policy reduces barriers to work for your remote workforce. It also enables them to connect, work, and meet together online securely, no matter where they are.

For your IT team, this guide provides thorough step-by-step instructions to set up BYOD controls while helping manage security. This means they can implement these controls across your digital estate quickly and remotely.

By using the guidance, you can enable your organisation to move to a lower risk security posture when utilising BYOD.

Find out more

Download the blueprint: BYOD Technical Guide

Watch the webinar: Security controls for remote work

Read more: 4 ways to protect your organisation and mitigate the threat of ransomware

About the authors

Stuart Aston

Stuart has been with Microsoft in the UK since 1998 and is the National Security Officer for Microsoft in the UK. Prior to that, he has worked as a strategy consultant to a variety of UK Government customers, mostly within the defence arena, and run a number of Government Programs with the UK including the Government Security Program, the Security Co-Operation Program, and the Welsh Language Program. He still continues to run the UK GSP program today. Prior to joining Microsoft, Stuart worked as a consultant for ICL in their Power of 4 Consultancy, mostly focused in the defence and government spaces. Before ICL, he worked for Barclays Bank in a number of application development and IT infrastructure roles. He has been actively involved in computer security-related activities since the early 1980s.

Nick Lines

Nick is passionate about transforming every person and organisation to be more productive and more secure in his role as Security Product Marketing Lead within the Microsoft modern workplace team. A geek at heart, he spends his spare time experimenting with lasers and 3D printers with his two sons, keeping old computers alive (particularly Commodores), and learning about mechanics to keep an ageing British sports car on the road.

How to be compliant in a regulation-heavy world

http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/05/16/how-to-be-compliant-in-a-regulation-heavy-world/

Thu, 16 May 2019 09:00:11 +0000

As more and more data is being created in the world and as organisations move to cloud/digital records, governments will be updating and creating new compliance and regulations to ensure everyone’s personal data stays safe and secure.


Organisations are moving to cloud/digital records. Each day, more and more data is created globally. Governments are updating and creating new compliance and regulations as a result to ensure everyone’s personal data stays safe and secure.

The digital landscape is changing rapidly

And it’s no small task. Global data centre traffic is expected to triple and by 2021, it’s forecast to be 20.6 zettabytes a year. A zettabyte is equal to a trillion gigabytes. That’s equivalent to 36,000 years of watching HD video, or streaming Netflix’s entire catalogue over 3,000 times. Or, in more visual terms, if the gigabyte was your morning cup of tea, a zettabyte would be the Great Wall of China.

We’ve already seen it in the UK with the changes to the Data Protection Act and the arrival of GDPR. Moreover, there are also potentially hundreds of other regulations you have to meet. And this is not just to work locally in the UK, but also in Europe or the rest of the world as well.

Mix that in with the shift of cloud computing, the speed of change, and the cost of not meeting these regulatory requirements. You could potentially be spending a lot of time managing a confusing obstacle course of compliance and regulations.

How Microsoft can help

We have over 200 data centres globally, which are all subject to rigorous technical and business process engineering to ensure we’re compliant with many formal standards, such as ISO, Cloud Security Alliance, ENISA Information Assurance Framework, HIPAA, SOC 1 and SOC 2, and many more.

Ensuring compliance isn’t a one-and-done job; it means annual audits that take time and resources. That’s why we have a specific organisation whose full-time job it is to manage these continuous audits. This powerful team is working with you, behind the scenes, meaning you don’t spend all your time using precious resources.

Microsoft works hard to ensure this compliance. The built-in security takes these rules and automatically replicates them across your digital infrastructure. It even stretches as far as your third-party companies.

Tools to make your life easier

  1. Service Trust Portal
    The Service Trust Portal provides tools, content, and other resources about Microsoft’s security, compliance, and privacy practices. This is where you can find third-party audits on our online services. In addition, you can find more information on how we can help you track compliance.
  2. Compliance Manager
    Compliance Manager makes it easy for you to track your organisation’s compliance across your cloud services. It makes it easy to stay compliant by providing you with an ongoing risk assessment and actionable insights on how you can improve, on an easy-to-navigate dashboard. You can track, record, and assign compliance activities. This makes your compliance journey easy. It means your employees can spend more time on what’s important to your business, as well. ¹

Compliance by design

Being compliant is just as important as being secure. However, due to constant change and updates of regulations, this can sometimes seem more daunting. But ensuring you are compliant is good for your reputation and builds customer trust. Therefore, it’s an important thing to consider alongside your cybersecurity health. By building in security and compliance by design, we make it easier for you to meet the tough regulations you’re facing on a day-to-day basis.

¹ Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance stature as well as recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate and validate the effectiveness of customer controls as per your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.

How to increase productivity and security

http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/04/09/how-to-increase-productivity-and-security/

Tue, 09 Apr 2019 09:00:37 +0000

Cybersecurity and productivity aren’t often seen in the same sentence. It can sometimes seem that all your security and protection add-ons or tools each have multiple sign-ins and different processes to follow. All this complicates your day and makes it harder to work.

Cybersecurity and productivity aren’t often seen in the same sentence, but there’s no reason why they shouldn’t be. It can sometimes seem that all your security and protection add-ons or tools each have multiple sign-ins and different processes to follow. This can complicate your day and make it seem much harder to get things done. But it doesn’t have to be that way. Believe it or not, it is possible to increase productivity at the same time as keeping your systems and data secure.

Taking security seriously at Telit

Telit has spent the last 20 years enabling customers all over the world to design and implement IoT solutions, before they were called IoT. Connecting IoT devices, infrastructure, and sensors to the internet creates more entry points for a devious cybercriminal. That’s why Telit has to take security seriously.

They used to use different products from separate vendors to handle specific threats. “We worked with some of the best vendors and software in the industry,” says Itzik Menashe, the VP of IT and Information Security, “but they sometimes had a high total cost of ownership, and their effectiveness is limited when they don’t talk to each other. We couldn’t see clearly how our solutions were performing together.” It also meant they often had to pick and choose what to deploy based on budget, creating ‘grey areas’ of coverage.

With built-in security, you can make cybersecurity so seamless that your users won’t even realise they’re being protected across all their tools and devices. And for your IT team, it becomes a lot easier to manage, protect, detect, and respond.

Telit upgraded to Microsoft 365 Enterprise E5, adding Enterprise Mobility + Security to the rest of their Microsoft services and cloud infrastructure. Menashe says, “The choice was relatively simple. Through the E5 license, we found that we could meet our key security requirements at a lower cost and with better incorporation into our existing infrastructure.”

Keeping BP cyber-resilient

BP is another name that made the change. Their vast network and stakes in the oil and gas industry make them a prime target for breaches and attacks.

“The digital landscape—and associated cyberthreats—will continue to grow rapidly,” says Simon Hodgkinson, Group Chief Information Security Officer at BP. “We need to keep BP cyber-resilient and continually improve our ability to protect, detect, respond, and recover in the event of a cyberattack. Everything we do has to be secure by design.

“We chose Microsoft 365 because of its components’ tight integration, intuitive user experiences, the strong Microsoft cloud roadmap and their commitment to security. We also find it easy to attach best-of-breed security add-ins where we like. Perhaps most important, we use the native security capabilities in Microsoft 365 to reduce complexity and streamline processes,” Hodgkinson says.

Built-in security enabling employee collaboration, no matter where they are

Both companies can use tools within Microsoft 365 to drive collaboration and productivity across time zones and locations knowing they stay safe with the built-in security offered. BP, for example, uses the business-to-business collaboration features in Azure AD to collaborate with third parties on Teams, while ensuring the rest of their data is safe.

Telit takes advantage of identity and access management tools to ensure people easily access what they need when they need it, no matter the risk level.

“Some of our executives don’t want to be asked to provide multi-factor authentication every time they sign in,” says Menashe. “So now we can automate when that happens, like when they’re not using a managed device or while they’re out of office working from areas that aren’t quite as secure as the office. Overall, these features of Microsoft 365 reduce barriers to productivity without compromising on security.”

Making security easier for everyone

And it’s not just productivity for the everyday that is improved. Cybersecurity as a whole becomes a lot easier to manage.

Telit’s security team uses Office 365 Threat Intelligence to reveal insights and actions based on real-time data. “It helps us to protect our organisation by making it easy to identify, monitor, and understand attacks, and we quickly get insights about risks and how they relate to our organisation, so we can adjust our safeguards accordingly,” says Menashe.

They also use Microsoft Secure Score, which suggests security improvements. “I can take numbers and actions from Secure Score to management to explain what we’re going to do next and how that will improve our level of protection,” says Menashe. “It helps us keep on top of security.”

BP have teamed up with Microsoft to help shape their individual needs. For example, they’re integrating Windows Advanced Defender Threat Protection into their security information and event management framework to generate deeper and earlier insights on cyberthreats.

“By implementing Microsoft 365, we’ve reduced our integration costs and complexity, and we’re using the time saved to do higher-order work. If you make security hard, people may work around it. A single security platform provides a significant benefit. With Microsoft 365, we get native capabilities, visibility into our operational environment, and simplicity for all employees.”

– Simon Hodgkinson, Group Chief Information Security Officer at BP

Find out more

How to give workers the freedom they need, without undermining security

Microsoft Security – the team you never knew you had 

How to have intelligent cybersecurity

http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/03/26/how-to-have-intelligent-cybersecurity/

Tue, 26 Mar 2019 09:00:09 +0000

New threats and more sophisticated attacks are always on the horizon in the cybersecurity world. This means you must ensure your digital estate is just as secure against the newest attack as it is against old ones. The Intelligent Security Graph helps you benefit from advanced analytics collected from millions of threat indicators. These insights, in turn, power real-time threat protection.

New threats and more sophisticated attacks are always on the horizon in the cybersecurity world. This new normal means you must not only block known threats, but you need to look for and protect against new unknown threats – and this is where AI and machine learning come into play.

The Intelligent Security Graph powers Microsoft’s built-in security. This means you benefit from advanced analytics collected from trillions of threat indicators generated by Microsoft and our partners. AI and machine learning trawl through these signals to find the ones that matter. These insights, in turn, power real-time threat protection.

According to PandaSecurity, last year a staggering 285,000 new malware samples were created each day. 96 percent of malware is only used once. This means the next malware attack could be completely different to the last.

You need to be just as protected from that new malware landing in your organisation’s inbox as you were from the one last week.

Built-in security to make security easy

Back to that pesky malware. Thanks to built-in intelligent security, different cloud-based machine learning models detect, scan, and block, proactively defending and remediating systems. This means that malware could be stopped before anyone has a chance to even be tempted to open it.

How can we know it works?

This is the exact scenario that stopped Ursnif, an info-stealing malware.

Every month our security…

  • Blocks 5 billion threats
  • Scans 18 billion webpages
  • Analyses 400 billion emails
  • Interprets data from 700 million Azure accounts
  • Checks 450 million authentications

That’s a lot of checks on a lot of data. Much more than an average IT team can do. Now, not only do you have an extra security-focussed team you never knew you had, but you have the power of advanced analytics behind you.

It’s now easier to detect, protect, and respond to threats. You can keep track of the latest threats and trends without disruptions and get insight on how to ensure you stay secure.

Cybersecurity defence starts with your employees

Intelligence isn’t just about a great big machine in the background helping your cybersecurity infrastructure. It’s also important to keep your staff up-to-date. According to the NCSC cybersecurity breaches survey, only 20 percent of businesses have staff who completed training in the last 12 months. Also, it is mainly directors and senior management attending training. It’s no surprise that one in ten of these businesses report cyber skills gaps.

What about Ursnif, the malware that was stopped by intelligent security? If it slipped through the cracks, it presented itself as a macro to enable in an emailed document. If one of your staff clicked on that, then the damage would have been done.

Even though your organisation feels protected with built-in security, it’s important to ensure you empower your staff to help detect, protect, and respond. Have a formal policy covering cyber security risks. Astonishingly, only 27 percent of businesses have one. Provide regular training for all staff. Microsoft has plenty of online resources to help start your skills journey.

By having empowered, cyber-aware people, coupled with built-in security powered by intelligence, you’ll be a stronger organisation ready to detect, protect, and respond.

Find out more

Reduce risks and speed up detection time 

Microsoft Security – the team you never knew you had

The 3 most important words in cybersecurity

http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/03/19/the-3-most-important-words-in-cybersecurity/

Tue, 19 Mar 2019 09:00:36 +0000

It’s no longer important just to build ‘stronger walls’. You don’t just need to protect; you need to detect and respond. Products and services that have built-in security tend to have better usability, meaning that not only are they secure, but they’re also easy to adopt and be productive with in the long term.

Cybersecurity has slowly grown higher in importance, both with businesses and customers. Cyber crime damages are set to cost the world $6 trillion annually by 2021 according to Cybersecurity Ventures, so it’s clear why it’s such an important subject globally.

A breach not only hits you in the pocket, with loss of sales and any fines you face. It can also affect your reputation. Ensuring your systems are secure and having the technology to detect and respond is an important part of building trust with your customers. Without that trust and peace of mind that their data is secure, you’re likely to damage important customer relationships along the way.

With 98 percent of businesses relying on digital communication or services, which exposes you to risks, you need to ensure you’re protected and know how to detect and respond to any threats.

But if you have laptops, mobiles, and hundreds of other devices – including personal ones – ensuring strong security can seem like an impossible task, right? How can you make sure all these devices are secure without your IT team spending 100 percent of their time managing this?

Security by default; not just an add-on

One of the easiest ways is to look for products and services that are built with security in mind. This not only ensures you’re secure, but also works in and across your whole digital infrastructure. It even stretches into the third parties you work with.

In fact, the NCSC recommends that technology be secure by default. This innovative way of thinking treats security problems at the root cause, instead of adding fixes on later to treat the symptoms. By adopting this approach and ensuring the security adapts and updates to new threats, products and services that have built-in security tend to have better usability. Not only does this mean it’s secure, but it’s easy to adopt and be productive in the long-term.

It’s no longer important just to build ‘stronger walls’. You don’t just need to protect against risks; you also need to be able to detect and respond quickly to them.

1. Protect

Don’t just wait for an attack to happen; assume it will and act proactively. Ensure you have the protections you need. By having built-in security, you can ensure all devices across your digital estate have the same level of protection and compliance.

Take an ‘assume breach’ approach and protect data through identity and access management tools. Not only does this automatically prevent those who shouldn’t see sensitive information from ever seeing it, but it helps your employees work on and off-site, and even lets you share documents with third-parties.

2. Detect

Did you know hackers spend on average 200 days inside a system before they’re detected? That’s over six months spent with your data and your customers’ data. That is why you need to ensure you have security that can detect cyber breaches and their evolving tactics in real-time.

Use analytics-based detection to leverage insights of new and daily threats. It can also automatically take appropriate prevention action to stop any breach in its tracks before it occurs. Microsoft’s built-in security benefits from drawing threat intelligence from all points in its and its partners’ technology chain, globally and across industries. This means it provides an unparalleled view of the threat landscape.

3. Respond

Microsoft’s security and cloud technologies have built-in intelligence and work together to report malicious data threats as they occur. This provides a record that helps us diagnose attacks, reverse engineer advanced threat techniques, and apply this intelligence across all platforms.

This means that your technology is working to quickly detect and block cyberthreats and safeguard your data using advanced analytics, freeing up time for you to get on with your work.

Manage your whole digital estate

Built-in security provides native solutions that work together to deliver coordinated protection and remediation to maximise security. This means it’s easier for you to manage your whole digital estate, collaborate with third-parties, and ensure your whole organisation remains secure. All while staying productive and focussing on your business value.

Find out more

Microsoft Security – the team you never knew you had 

7 tips to rethink your security

How do you get employees to care about security?

http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2018/11/26/how-do-you-get-employees-to-care-about-security/

Mon, 26 Nov 2018 14:32:15 +0000

Your people just want easy and effective ways to do their jobs. A security culture can turn security into a benefit - not just a necessity. AI can help you build this culture, but how do you get your employees to care?

Your people just want easy and effective ways to do their jobs. A security culture can turn security into a benefit – not just a necessity. AI can help you build this culture, but how do you get your employees to care?

It’s 9am as you walk into the office. The lights are out. The doors lock behind you. You try to check your email, but the internet has been disconnected. When you reach your desk, you’re astounded to find it’s been replaced with a soundproof box.

This is the ideal world of security. Nothing gets in, nothing gets out. But, of course, nothing would get done.

It sounds ridiculous, but it’s not far from the reality I left behind to join Microsoft in 2012. On my first day here, I brought my laptop from home, just in case. Of course, I wasn’t sure how useful it’d be; surely there would be no chance I’d be allowed to plug into their network and join the domain…

So when Microsoft let me do exactly that, I figured it was a test – the job I’d just left would’ve fired me for gross misconduct. But it’s nothing like that here. Here, we trust people to work their way. But we always assume compromise. Employees can work on any device they want, because our network carries out a security check automatically, every time.

This is our security culture. It’s a quick process that doesn’t intrude on the way we work. And it’s how we’ve helped employees care about security.

The security to say “yes”

Now, in my role here at Microsoft, I’m on the other side of things, trying to keep up with the new technology my team needs to work. The biggest lesson I’ve learned from our security culture has been: You’ve got to trust your people.

Employees just want to do their jobs the best way they can with the tools they prefer. That’s why they send work to devices and services at home, even though they know they shouldn’t. They download apps they’re familiar with, even if they’re not approved. And they reuse the same password, even when they know it’s been compromised, because it’s better, easier, and faster.

They want to do the right thing, but not at the cost of their productivity – or satisfaction. You have to accept they’re not going to put security before either of those things. That’s why, in a security culture, well-meaning employees aren’t punished for making honest mistakes. It’s up to technology and managers to make security easy for employees to manage on their own.

After all, what’s the alternative? Enforce security measures without explaining them – and punish any employee who doesn’t follow them? That’s how you push your people into finding faster and riskier ways of working.

Instead of saying no, a security culture welcomes new technology – because a security culture is prepared. It relies on people but it’s supported by apps, features, and AI tools that make security part of the culture. Apps, features, and AI tools like these…

Five tools you can use to start building your security culture

1. Add extra layers of security with multi-factor authentication

If you’re only going to take one thing away from this blog, take this. Switch on multi-factor authentication on any device or service that supports it. If it’s not supported, question whether that device or service is right for you. Multi-factor authentication kills the vast majority of attacks and, when it’s done right, makes for a better user experience.

2. Put the rules where nobody can miss them with Tool Tips

Turn your security policy from an abstract list of rules into practical pointers employees can use every day. You can do this with Tool Tips on Office 365 and Azure. This uses AI to prompt people when it looks like they’re about to do something risky, like opening an unknown attachment, sharing their personal details, or sending information to someone they shouldn’t be sending it to.

3. Assess the risk and respond appropriately with risk-based conditional access

It’s not enough to just say yes or no. These days, different devices, tasks, and requests all come with different degrees of security risk. That’s why we built risk-based conditional access into Office 365 and Azure, so you can assess the risk for yourself, implement a rule specific to the case, and use AI to apply it automatically in the future.

4. Know where you’re starting from by turning on reporting

To totally understand your current security culture, log every breach. Take notes. Have conversations. Once you understand how and why your employees are breaking your rules, you can find ways of making them easier and more productive to stick to, instead of implementing and enforcing severe data protection policies on your well-meaning employees.

5. Protect your devices and accounts with a password manager

You’ve got lots of passwords. Or maybe you’ve only got a few that you use on lots of digital accounts. But until password-less authentication is the norm, that’s the way it is. You’re bound by policies and complexity requirements. A password manager is a simple way of ensuring every service has a unique and complex password – all you have to remember is the master, and the app completes the login for you. There’s a password manager like this built into Windows.

So how do you get employees to care about security?

You make it easy. You make it better than not caring – and not through threats.

When employees can confidently use their own devices and apps, you’ve made security an enabler, not an obstacle. When following the rules means employees have the power to work their way, you’ve made security a carrot, not a stick. And when working safely is just another part of your employees’ everyday, you’ve got a security culture.

And it’s easy to build yours with Microsoft 365 so you can empower your people to do their best work securely.

Learn more

4 ways to transform your employees into cyber security champions

Empower your employees to be creative and work together securely

Talking 365: How to avoid security nightmares

Forrester’s Risk-Driven Identity and Access Management Process Framework
