Whether someone is a nurse, a social worker, or a knowledge worker, being part of a public sector organisation can be uniquely rewarding. This is due to the significant value they deliver to people across the UK and their deep connection with local communities.  

Yet it’s also uniquely tough.

Resources are precious everywhere, but especially within the NHS and local government. The independent think-tank Institute for Government reports that local authority spending in England fell by 17.5% between 2009 and 2020, largely because of reductions in central government grants. The government’s Department for Levelling Up, Housing & Communities also published a local government funding reform policy paper in March 2024, concluding that local authorities have seen significant reductions in their spending power coincide with increasing demand for their services and inflationary pressures exceeding those in the wider economy.  

Building on this, a new report called Harnessing the Power of AI for the Public Sector, featuring findings and analysis from Goldsmiths, University of London, reveals the scale of the administrative burden on public sector workers, and how it compounds the effects of existing resource constraints. 

The admin burden takes a toll 

Researchers found that simply managing information and data is taking each public sector worker more than eight hours every week, and that this is having a major impact on staff performance and morale. A shocking 45% of public sector respondents say they are “drowning in unnecessary administrative tasks” and 45% also say this high admin workload is negatively affecting their mental health and wellbeing. More than half (55%) say the sheer amount of admin work is having a negative impact on their ability to “get on with the day job”, and 54% feel the admin load is reducing their job satisfaction and motivation.

Half of respondents also say high admin workloads are compromising the quality of service they provide (48%) and limiting the time they can spend with the public or patients (49%).   

How AI can help

The good news is that Goldsmiths’ analysis¹ indicates AI could save each public sector worker more than four hours a week on administrative tasks. With an estimated 5.93 million public sector employees in the UK (as of December 2023), this equates to an overall saving of 23 million hours every week. That’s a lot of time that could be clawed back, enabling public sector employees to focus on what matters most, while also enhancing service delivery for citizens.  

These latest findings follow research on AI’s potential from Public First, commissioned by Microsoft, showing that, if AI is rolled out effectively across public services, it could save the UK’s public sector over £17 billion by 2035. That sum could fund the salaries for all vacancies currently in the NHS or to re-invest in driving better public health outcomes, a key contributor to productivity.² 

For an example of AI in action, we can look to Barnsley Council in South Yorkshire, which is using Microsoft Copilot for Microsoft 365 to reduce admin load, summarise documents, automatically record meetings, and produce notes and actions. This frees up Barnsley’s office workers and social workers to be more present in meetings or focused on the family they are there to support. Thanks to the power of generative AI and its seamless integration into the productivity apps staff use every day, from Microsoft Word and Teams to Excel and Outlook, Copilot is already achieving more than a 50% adoption rate and saving workers a great deal of time. 

As Wendy Popplewell, Executive Director Core Services at Barnsley Council, explains:  

“Our employees spend a lot of time reading emails, reports, spreadsheets and compiling various documents for things like funding bids. That first draft where you spend time getting started and think: ‘What do I need to write here?’ Copilot just creates that for you, which is a total game changer.  

We also have people within social care who spend a huge amount of time writing up case notes, meeting minutes and actions – taking them away from face-to-face interaction with our residents. If Copilot saves them a few hours every week, the impact on community and employee wellbeing is massive. People don’t become a social worker to do admin, they want to be spending time with families to help solve their problems.  

Of course, we want people to look at the job they do and figure out where there are potential efficiencies, but we’ve got to give them the space to think in the first place.  

This is what this Copilot is creating – time to think.”

Augmenting human expertise 

As well as easing the general admin burden, narrower AI use cases show how this technology can boost human performance in extremely high-skill areas, such as breast cancer screening, a disease that remains hard to detect. Oncologists can look at around 5,000 breast scans per year on average, and view 100 in a single session, and an element of fatigue and potential distractions in the workplace are part of any human review process.  

NHS Grampian, which provides social and healthcare services to more than half a million people in the north-east of Scotland, carried out the first official prospective evaluation of Kheiron Medical Technologies’ “Mia” AI tool. Mia was piloted alongside NHS clinicians and analysed the mammograms of over 10,889 women. 

While most of these patients were cancer-free, Mia successfully flagged all of those with symptoms, as well as an extra 11 the doctors did not initially identify because the tumours were so small. This means Mia helped doctors find an additional 12% more cancers compared to routine practice.  

If deployed across the entire NHS, a 12% uplift in the detection of breast cancer could lead to better outcomes for thousands of women across the UK. The AI-augmented workflow also showed a decrease in women recalled unnecessarily for further assessment and modelled a significant reduction in workload. Learn more about how AI can reduce workload by up to 30%.

While it’s still early days in the public sector’s learning and experimentation with AI, especially generative AI, the promise and progress so far are hugely encouraging. Public and private collaboration, especially around responsible deployment, and a rigorous approach to measuring the ROI and social impact of projects will be crucially important for sustainable success.  

Find out more

Harnessing the Power of AI for the Public Sector presents comprehensive research with seven key recommendations for UK government

¹ Research commissioned by Microsoft in partnership with Dr Chris Brauer, Goldsmiths, University of London, in May 2024.

² Unlocking the UK’s AI Potential: Harnessing AI for Economic Growth, Microsoft, 2024.

About the author

Hugh Milward leads Corporate, External and Legal for Microsoft in the UK, with a seat on the UK leadership team. His focus includes work to help organisations overcome legal and regulatory hurdles to their technology adoption and transformation, managing some of the complex geo-political issues relating to tech, and working to ensure no one is left behind from the onward march of technology. Hugh’s background is in politics, corporate affairs and reputation management, working for some of the world’s most high-profile brands including Starbucks and McDonald’s. He is passionate about the interrelationship of society and technology. Hugh is a Board Director of the New West End Company, chairing its Public Affairs committee, and a member of the Board of Directors of British-American Business. Hugh sits on the SE Council of the CBI and on the Advisory Board of the Institute of Coding.

The post Tackling the public sector puzzle with AI   appeared first on Microsoft Industry Blogs - United Kingdom.

People say that the last part in a trilogy is the perfect way to close out a movie series. But what happens when the last movie was actually the prequel?

Microsoft has remastered existing guidance in “Entra ID vision” as a series of documents under the banner “Microsoft 365 guidance for UK Government”.  Following the release of the Information Protection guidance and the update to External Collaboration guidance, we have also remastered the one that kicked it off: Secure Configuration Blueprint.

Microsoft 365 Guidance for UK Government

The three-piece collection provides a common baseline which UK Government departments, and their partners, can use to enable secure use of Microsoft 365.

The goal of the Secure Configuration Blueprint is to create a secure foundation for a Microsoft 365 tenancy. It provides guidance using the “Good, Better, Best” approach targeted on feature availability by licence, offering policies and settings that protect your Microsoft 365 tenancy from the most common attacks.  It includes:

• Securing identities that access services, including privileged users.
• Protecting devices that your users use to access services.
• Configuration of services to require use of the above when accessing data.

The updated Secure Configuration Blueprint guidance is the base upon which the other pieces of guidance are built. But how have we got to where we are today?

Securing user devices

It all started as a result of understanding that device trust was key to protecting the data stored locally and in datacentres.

In 2004, on the back of some high-profile worm viruses, SQL Slammer (January 2003) and Blaster (August 2003), Microsoft worked closely with Communications-Electronics Security Group (CESG), now a part of the NCSC. This joint effort developed a set of security controls to take advantage of the security improvements in SP2 for Windows XP, including Windows Firewall on by default, Software Restriction Policies, and Automatic Updates enabled by default.

The outcome of this work was known as the “Government Assurance Pack” or GAP for short. GAP was revised and updated for Vista and Windows 7 and added BitLocker device encryption and AppLocker when those features were released.

Moving forward to 2014, and CESG moved to a model that evaluated all end-user devices, PC and mobile, against a common set of principles, the End User Device Security Principles. Windows 8 (8.1), Windows 10 and Windows 11 have all had End User Device (EUD) security guidance developed with CESG initially and then the NCSC when that was formed in October 2016.

By following the latest guidance provided by NCSC, organisations (including Government departments) can be confident that the devices used by their users to access and handle data are secure against common attacks.

Figure 1. Timeline leading to the updated Secure Configuration Blueprint guidance.

Securing cloud services

The UK Government introduced a “Cloud First” policy in 2013 for all technology decisions with the NCSC, publishing 14 Cloud Security Principles (originally in December 2013) to support Government as it started to adopt cloud services.

Historically, the focus of the guidance was on securing devices but, with the UK Government adopting a Cloud First policy, data was no longer being stored in on-premises datacentres and networks. Instead, it would increasingly be stored in Public Cloud services like Microsoft 365.

To address this, Microsoft worked with the NCSC to produce guidance for Microsoft Azure in October 2017, and in July 2019 we released the initial version of Office 365 Blueprint and a supporting document detailing how Office 365 met the NCSC 14 Cloud Security Principles.

As a result, in parallel to releasing Office 365 guidance, we also worked with NCSC to produce the first MDM (Mobile Device Management) End User Device (EUD) guidance for cloud-managed Windows 10 EUDs using Microsoft Intune. This guidance formed the base for Microsoft’s first cloud-based Privileged Access Workstation (PAW), allowing organisations to manage their risk in Microsoft 365 management. Microsoft recommends using a PAW for administrative access and managed EUDs for standard user access, both using Entra ID to secure access to cloud services – please refer to Protect Microsoft 365 and Securing Privileged Access.

Once the foundational guidance was released, and on the back of the challenges that the COVID-19 pandemic brought to UK Government departments, we worked with NCSC and Government Security Group and released the first iteration of our BYOD guidance in June 2020.

The rest is history, as they say. Working with Central Digital & Data Office (CDDO) and NCSC, the Cross-Government Collaboration guidance was released in 2021 and updated in 2023, along with the release of the Purview Information Protection guidance.

With that, UK Government departments have at their disposal guidance for how to securely configure their Entra ID and Microsoft 365 tenant, classify and protect their data, and use it to securely collaborate with not only other government departments but also industry partners.

But remember, if you don’t pay attention to the film, the sequels might be confusing. So, ensure that you implement the guidance in the Secure Configuration Blueprint before looking to adopt the External Collaboration or External Collaboration guidance.

Find out more

Read the Secure Configuration Blueprint

Guidance on protecting government data using Microsoft Purview

About the author

James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, External Collaboration, Information Protection, and BYOD guidance produced for Cabinet Office and NCSC.

The post Updated Microsoft 365 security and compliance guidance for the UK public sector appeared first on Microsoft Industry Blogs - United Kingdom.

Microsoft is thrilled to stand alongside the Central Digital and Data Office (CDDO) and Government Technical Cloud Community in inspiring you to expand your horizons and validate your expertise through certification.

Certification isn’t just a badge; it’s a game-changer for you and your team. According to a recent study by Pearson VUE, 92 percent of participants reported boosted self-assurance after achieving certifications. In addition, 79 percent felt a surge of respect from their colleagues, and 74 percent gained greater autonomy in their work.

Managers, take note – certified candidates bring substantial advantages too. 81 percent deliver higher-quality output, 72 percent exhibit enhanced efficiency, and 82 percent excel in mentoring and supporting their peers. To discover more, download the Pearson VUE 2023 Value of IT Certification report.

Whether you’re a tech-savvy pro or a beginner, we offer a range of learning opportunities to propel you toward certification success. From self-study resources to interactive virtual classes led by expert instructors, our offerings cater to various learning styles. And we’ve teamed up with our valued learning partners to provide even more options.

Who can access these training resources?

Civil Servants with a gov.uk, gov.scot, gov.wales, nhs.uk, police.uk or sch.uk email domain are eligible to claim exam discounts, access ESI training and submit a claim for a certification prize. Additional training opportunities on this page, including Cloud Skills Challenges, Virtual Training Days and our Azure Connected Learning Experience, are open to all.

Learning resources on this page

Let’s start with AI

• AI skills challenges
• Cloud skills challenges*
• Azure Connected Learning Experience*

Exams and certifications

• Discounts
• Practice assessments and support*
• Certification prizes**

Live training sessions

• Virtual Training Days*

Additional support

• Microsoft Learn*
• Microsoft Learning Partners**
• Achieve more with Microsoft

*Open to all
**Eligible participants only

Getting started

There’s a world of learning available for you from Microsoft, but knowing where to start can be daunting. This page brings together some great resources to help you get certified in October.

Where to start will depend on what you want to learn, and how:

• Our Fundamentals certifications are great for IT pros looking to start their certification journey from the beginning – or for anybody else that wants to learn more about an area, or understand the art of the possible. These are broken down by area: certifications are available for Azure Fundamentals, AI Fundamentals, Data Fundamentals, Power Platform Fundamentals, Security Fundamentals and more.

• Prefer to learn through self-study?  Sign up for one of our free Cloud Skills Challenges that offer a curated collection of content that gives you the knowledge you need to pass the exam. These skills challenges run until the end of October and you can join as many as you like. Looking for more advanced content for self-study? Check out the content on Microsoft Learn or email us at OctCertHelp@microsoft.com and we’ll help you find what you need.

• Prefer video-based learning? Our Virtual Training Days are just for you. Offering a range of Fundamentals and non-certification content, these free classes are open to all. Look out for the non-certification classes if you’re looking for something more specific and technical.

• Need a little help with exam preparation? Our Azure Connection Learning Experience offers curated learning and exam preparation for a number of Microsoft certifications if you need extra help getting across the line.

• Check out the free sessions and other training from our valued learning partners. These links will take you to additional free classes that can support your learning. They include webinars, instructor-led classes, such as free Azure Administrator and Cybersecurity Architect training from Fast Lane.

When you feel ready, try one of our Practice Assessments to test your readiness before booking your exam. Don’t forget to utilise your ESI exam discount (50%) when booking. Make the exam free by claiming an additional discount and once you’re certified, complete the CCDO form for a chance to claim some great Microsoft swag.

Let’s start with AI

We’ve pulled together a wide array of learning opportunities, from foundational to more advanced role-based content. This includes some great study fundamentals on Azure, Data, AI, Power Platform and Security, together with some exciting content around Generative AI.  

AI skills challenges

There is a massive amount of interest in this area currently, and it’s worth hearing from Angie Heise, Corporate Vice President, Microsoft Worldwide Public Sector, on how Artificial Intelligence could support public sector organisations. Read this post from Angie Heise to understand some of the potential implications that advanced AI can have for the public sector, especially in areas such as citizen services, internal efficiencies, working with deep data and creative support.

To further expand your AI understanding and skills:

• Register for our Microsoft Build: AI Day at ExCeL London on October 19, 2023. This free one-day, in-person event helps developers discover new opportunities with AI and enhance their knowledge and skills to deliver more value using AI and Microsoft Azure. Join Microsoft product and engineering experts, and industry disrupters, to share ideas and unleash creativity with the power of AI.
  
• Register for our Career Essentials in Generative AI course and gain a Professional Certificate. This free course explains the core concepts of Artificial Intelligence and Generative AI functionality, preparing you to apply Generative AI in your own career.

• Register for our 1-day Master Class: OpenAI ChatGPT Capabilities, Use Cases and Integrations on October 27, 2023. This exclusive one-day (Fast Lane developed) course provides AI users and business decision-makers with a comprehensive introduction to the technology, key functionalities and pricing, an understanding of its capabilities and limitations, best practices, and the chance to find out how you can incorporate ChatGPT technology to support your business today.

Keen to find out more about AI and Azure? Check out these great resources to get you started:

If you’re looking for even more content on Generative AI, please check out this AI Learning Companion pathway.

Cloud skills challenges*

You can also invest in your learning by participating in our fun and friendly cloud skills challenges.

Compete Track your progress using the leaderboard as you navigate Microsoft’s digital learning platform Microsoft Learn.

Learn Sign up for one or more challenges and work through the content at a time that works for you.

Develop Skills Check out the practice assessment on the exam page to make sure you are exam-ready before taking advantage of exam discounts to get certified.

Choose your challenge:

Azure Connected Learning Experience*

Microsoft Azure Connected Learning Experience (CLX) is an experiential training programme that sets a path for you to become an Azure expert. The CLX programme offers a personalised journey that aims to optimise your learning experience while maximising your return on time invested. 

The four-step programme is designed to deliver exam readiness with a personalised learning journey that’s curated to meet your needs.  

• Register to receive recommendations on specific modules to study, elevate your understanding with practice tests and comprehensive Microsoft Learn study materials, and access on-demand hands-on labs and interactive guides to elevate your practical insights.  
• Join multiple instructor-led cram sessions hosted by world-class industry experts who will guide you to be ready for your first or next Azure certification exam.  
• Prepare at your own pace and crack your Azure Certification Exam efficiently. 

Register for the Microsoft Azure Connected Learning Experience

Exams and certifications

Discounts

If your organisation is enrolled in the Microsoft Enterprise Skills Initiative (ESI) you’ll have access to a 50 percent discount on a range of exams, making your certification journey even more accessible.

Our Claiming Your Exam Discount guide walks you through the steps to claim your discount and schedule your exam. We’ve even reserved a limited number of exam vouchers that stack on top of the ESI discount, reducing your exam cost to zero.

Don’t miss out – secure your spot by completing the Microsoft exam voucher application form.  

The additional vouchers are offered on a first-come, first-served basis. If you’ve missed the opportunity, you might be able to reclaim this balance payment from your Learning and Development (L&D) team, if the certification supports your current role. Please check with them first.  

If you have any questions about the programme or claiming your exam discount, please contact us at OctCertHelp@microsoft.com.  

Practice assessments and support*

You can gear up for success with our range of free practice assessments. These invaluable tools allow you to fine-tune your skills before the big exam day. Check out the exam page for each assessment to access these practice resources – or follow the links below for some of our most popular ones:

Need help or advice on what content you should start with, or what is most relevant to your role? Perhaps you have a technical question or want to discuss your project with a Microsoft SME. We’re only an email away at OctCertHelp@microsoft.com. Alternatively, why not join one of our many drop-in sessions running through October:

Certification prizes**

We believe in celebrating your achievements, so we’re also delighted to let you know about our certification prizes. Simply complete the certification prizes claim form provided by CDDO, who will then share your details with us. The first 200 to correctly provide the requested proof of a certification achieved in October 2023 will receive a special Microsoft swag voucher in their inbox.

Please note that prize claims are subject to the following terms and conditions:

• Claims will only be accepted from customers of a participating government department. Personal email addresses won’t be considered.
• By completing and submitting the CDDO form, you agree to us validating your certification and contacting you about your claim.
• Certificate prizes are limited to the first 200 submissions and will be sent to UK postal addresses only.
• One prize per customer, regardless of the number of exams passed during the event.
• Claims must be submitted by Friday, November 10, 2023, 12:00 p.m. (GMT+1). Claims received after this date won’t be considered.
• Prizes are non-negotiable, non-transferable and non-refundable. No cash alternative is available.

For any questions, please contact OctCertHelp@microsoft.com.

Live training sessions

Virtual Training Days*

Microsoft Virtual Training Days are free, in-depth virtual training events covering foundational concepts, terms, and capabilities. A great alternative (or complement) to self-study to get you ready to earn your Fundamentals certification.

Additional support

Microsoft Learn*

Microsoft Learn. Spark possibility.

Build skills that open doors. See all you can do with documentation, hands-on training and certifications to help you get the most from Microsoft products. Access a range of self-study resources at Microsoft Learn. For a collection of Microsoft resources aligned to role and certain products, please also see www.aka.ms/pathways.

Microsoft Learning Partners**

Microsoft Learning Partners can help you get the most out of your organisation’s technology investment, building knowledge and new skills in Microsoft technologies through classroom training or Microsoft Official Courses On-Demand. Our learning partners are proud to support this skills initiative – please check their details below.

Fastlane

Fast Lane is uniquely positioned among a select few globally, having achieved all six Microsoft solution designations. Fast Lane’s approach is not just about education; it’s about practical, hands-on skilling that tackles the intricate realms of Cloud, Data, AI, and Security. With a highly targeted and tailored approach, Fast Lane doesn’t just teach – it solves real-world challenges. Through precise alignment with and a deep understanding of Microsoft’s ecosystem, Fast Lane empowers individuals and organisations with the skills needed to thrive in today’s complex technological landscape.

Find out more about Fast Lane’s support for this skills initiative and also register for its free ChatGPT 1-day webinar and free virtual instructor-led classes on Azure Administrator (AZ-104) and Cybersecurity Architect (SC-100).

Firebrand

Firebrand is proud to be a Microsoft Cloud Partner. It is one of a number of companies in the world to have received this badge through proven expertise in delivering quality solutions across six specialist business areas: Business Applications (Dynamics 365 and Power Platform), Data & AI, Infrastructure, Digital & App Innovation, Modern Work and Security.

Find out more about Firebrand

QA

QA is one of the largest Microsoft Learning Partners in the UK, and one of the only Microsoft Learning Partners to be recognised as a Microsoft Solutions Partner for Microsoft Cloud. QA offers a broad range of training in Microsoft technologies and applications, including cloud technical skills (from Azure to Office 365) and office apps (from Excel to Power BI).

Find out more about QA

Skillsoft

(Coming soon.)

Achieve more with Microsoft

We’re genuinely excited for you to seize this opportunity to embark on a transformative learning journey. As you equip yourself to learn and take on new career challenges, you may soon be ready to distinguish yourself as a public sector change agent.

If you have any questions or need guidance on where to start, our dedicated team is here to help. Please reach out to us at OctCertHelp@microsoft.com, and we’ll be delighted to help you on your path to success.

Let’s elevate your skills and make your mark together!

*Open to all
**Eligible participants only

About the author

Paul is the Microsoft UK Public Sector Skills Lead with over 20 years of experience in the IT industry. He is passionate about cloud computing, and how learning can power digital innovation and transform careers. Paul is currently leading the development of training programmes for Microsoft’s public sector customers across Central Government, Local Government and Policing, helping individuals and organisations realize the benefits of their investment in Microsoft solutions.

The post Introducing a world of opportunities: advance your skills with Microsoft appeared first on Microsoft Industry Blogs - United Kingdom.

For those looking for the full history behind the first release, please see the Cross Government Collaboration Blueprint – History Refresher content at bottom of this blog.

The story so far…

In June 2021, we partnered with the Central Digital and Data Office and the National Cyber Security Centre (NCSC) and set out to improve the collaboration experience for UK government organisations by creating a Cross-Government Collaboration Blueprint. The blueprint was created by focussing on key scenarios developed in consultation with several government organisations. It is designed to be used in conjunction with the other guidance we have published, which focuses on Secure Configuration, BYOD, and Information Protection (more on that later). Please be sure to check out those too, so you have the full ‘box set’.

Fast forward to today, we’ve given that ‘box set’ a new name that makes it clear how the guidance fits together, seen in this illustration:

We also updated the guidance based on real-world feedback and product evolution to include the following:

• Addition of Shared Channels guidance
• Updates that clarify Calendar Availability guidance
• Azure AD B2B updates
• Brand and naming updates to align with changes to Microsoft technology
• Teams 2.0 Release
• A statement in the Strategy regarding Google Federation

A notable recent development is the update to the Government Security Classification Policy (GSCP). Microsoft has partnered with Government Security Group, the Central Digital and Data Office and the National Cyber Security Centre (NCSC) to provide configuration guidance for those wishing to implement the OFFICIAL tier of the GSCP using Microsoft Purview Information Protection (MPIP), available as part of Microsoft 365. The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers. You can read about the Microsoft 365 Guidance for UK Government: Information Protection in another blog post.

Download the documents

About the authors

James has spent his entire IT career of 25 years specialising in the security arena, the last 20 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Cyber Cloud Solutions Architect. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Office 365 and BYOD guidance produced for Cabinet Office and NCSC.

Steve is an experienced IT Professional with over 20 years’ experience, working with clients across the world in multiple industries to help them achieve their goals in digital transformation. Recently Steve has been aligned to public sector clients, leading them to get the most out of their investment in the Microsoft cloud.

Cross Government Collaboration Blueprint – history refresher

We started this work in 2021 by consulting a broad group of end users from across government, and we found that there was an inconsistent user experience when working with colleagues from other organisations due to differences in configuration. The guidance helps to address this, and it is important to keep up with the recent developments of Microsoft 365, which is why we have updated the guidance.

We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to collaboration. The recommended configuration we’ve produced focuses on these key areas:

• Keeping control of documents and allowing real-time co-authoring by sharing links rather than sending documents as email attachments.
• Making it easier to arrange meetings by allowing people to share their calendar availability across government.
• Allowing people to work more effectively as a team by enabling instant messaging and other features of Microsoft Teams.

Crucially, we’ve recommended an open approach to collaboration by default, giving users the freedom to choose who they collaborate with. This is a move away from a more restrictive ‘allow list’ approach which can create barriers to collaboration.

Does this approach make it less secure? No. Here’s what the NCSC have said:

“By following the Secure Configuration Alignment and applying the cross-government collaboration guidance on top, it is the NCSC’s view that Microsoft 365 can be appropriately configured to protect an organisation’s data against the threat profile for the OFFICIAL classification when collaborating and sharing information between government departments. The NCSC expects that guidance related to collaboration and security is implemented in its entirety to avoid gaps and weaknesses leading to increased risk of a data breach.

“The NCSC believes that modern cross-organisation collaboration services that share access to information via its originating system will be more secure than traditional methods such as sending copies as email attachments to external organisations. By using modern collaboration practices, such as those described in this guidance, organisations have greater auditing and visibility of how their data is being handled and more options for owning who and where their information is handled.”

National Cyber Security Centre

The Blueprint is intended to be a baseline upon which individual organisations can build. For example, if an organisation identifies specific needs that aren’t met by the Blueprint, there is flexibility for them to go further and implement even tighter controls, while being mindful that this could impact on people’s collaboration experience.

Find out more

Visit the Microsoft for Government website

Guidance on protecting government data using Microsoft Purview

Explore Microsoft UK Industry blogs: Government

The post Microsoft 365 Guidance for UK Government: External Collaboration appeared first on Microsoft Industry Blogs - United Kingdom.

The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers.

A spokesman from the Government Security Group said: ”The Government Security Classifications policy (GSCP) sets out the administrative system used by HM Government (HMG) and our partners to appropriately protect information and data assets against prevalent threat actors. The GSCP was updated in 2023.

“This gave us a significant opportunity in UK government to modernise and standardise how organisations apply technical controls in line with security classifications. Microsoft 365 is widely used across UK government, so we partnered directly with Microsoft to define a standard approach to applying sensitivity labels and data loss prevention features of Microsoft 365 in line with the GSCP.

“The resulting technical guidance provides a baseline from which organisations can select the most relevant elements and tailor them for their specific use cases. Our objective is that this will be an enabler for the GSCP and that it will also create a better user experience for civil servants and our partners.”

Building on the Government’s Secure Configuration Blueprint

This guidance builds upon the Microsoft 365 Guidance for UK Government: Secure Configuration Blueprint for the UK Public Sector, which outlines how to configure a Microsoft 365 tenant for use at OFFICIAL (which includes OFFICIAL-SENSITIVE), and sits alongside the Cross Government Collaboration guidance and the Bring Your Own Device guidance.

Figure 1. Relationship with other NCSC and Microsoft guidance.

The guidance draws on experience gained working right across UK government and the public sector industry and incorporates existing best practice that has previously been published by Microsoft.

We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to configuring classification and protection policies by providing a starting point for technology and compliance professionals alike. The recommended configuration we’ve produced focuses on these key areas:

• Increasing visibility of where data is located to data governance teams.
• Providing protection that follows documents as they are accessed internally or when shared externally by assigning the relevant GSCP label.
• Providing visual labels that indicate how a document should be handled.
• Providing visual labels for Microsoft Teams and SharePoint to control whether external users are allowed access to content stored within them.
• Complementing the Cross Government Collaboration Blueprint to mark and protect documents as they are shared and co-authored between Government departments and partners.

Important note about this guidance

This guidance has been written as a starting point and organisations should consider how they may wish to supplement it with additional controls, as appropriate for the environment and risk appetite.

The blueprint guidance has been structured to follow a Microsoft-recommended three-phase approach for implementation: ‘Crawl, Walk, and Run’.

Figure 2. Microsoft’s recommended three-phase approach to implementation.

With the ‘Crawl, Walk, Run’ approach, changes can be introduced in phases across your organisation, focusing on small sets of users first and then expanding to broader audiences. This will allow you to deploy quickly whilst minimising disruption and help you establish a baseline of user behaviour before introducing tighter restrictions. It will also help you identify early potential conflicts or compatibility issues between different tools, so you can address them before they have further impact.

Using the visual indication provided with sensitivity labels is a small, but important benefit of the capability that sensitivity labels can provide. The guidance is based on an outcomes-based approach which aims to reduce the likelihood of accidental data loss or oversharing.

The guidance looks to provide ‘outcomes-based’ controls that use the features available in Microsoft Purview Information Protection to restrict access to content based on the label selected.  The sensitivity labels are broken down into two distinct areas: content labels and container labels.

Content labels

Content labelling applies the label directly to documents and emails. This stamps the data with label metadata, which is maintained wherever the data resides.

Figure 3. How content labelling relates to data, controls and policy.

Content labels are used to provide visual indicators for the scope where the document or email should be accessed.

Figure 4. Access areas that may be denoted by content labels.

Container labels

Container labels apply to a workload (e.g. SharePoint, Teams or M365 group) where content is stored.  The labels are used to define whether External Guest users are allowed to access the container and collaborate with internal member users.

Figure 5. Container labels define access permissions for External Guest users.

Container labelling applies the sensitivity label at the container. Container labels are named differently from the data labels as they serve a different function – namely to control access to the containers. These labels provide a visual representation of the Privacy level, Public or Private, and whether external guest users are allowed to be members of the Team or SharePoint site, Internal or External.

Find out more

Microsoft for critical infrastructure

Microsoft 365 Guidance for UK Government: External Collaboration

UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative

About the author

James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, Cross Government Collaboration and BYOD guidance produced for Cabinet Office and NCSC.

The post Guidance on protecting government data using Microsoft Purview appeared first on Microsoft Industry Blogs - United Kingdom.

In 2022, only 4% of people were employed in digital roles throughout the public sector, highlighting the need to embrace technology, upskill internally and produce better outcomes for everyone. The way to do it is by employing public sector employees as ‘change agents’.

Usually recruited from within the organisation, change agents help to manage the relationship between the organisation and the individual for a smooth digital transformation. The best change agents have extensive experience in department processes and technology and can offer moral support to those cautious of change.

Full-time change agents can be expensive and may divert some of the best and most productive people from a team. So organisations should make smart decisions about how a change agent programme is staffed, managed and supported.

As part of Microsoft’s Innovate Together programme, the Change Agent programme aims to train at least one person in every public sector service to be a catalyst for change. Delivered through expert training sessions and an online community of UK public sector change agents, the programme will provide a platform for the rapid exchange of ideas and solutions to maximise your journey to digital transformation.

This article offers insights into the powerful role of the change agent and allows you to register for the next Change Agent training programme in June 2023, open to those from Local Government organisations.

Delivering transformation benefits on the ground with a change agent

A change agent supports strategic transformations to deliver benefits locally on the ground. They also act as transformation conduits from a technology and a culture perspective. On one hand, they need to supply the central team with regular progress reports and flag up potential issues. On the other hand, they need to win over colleagues and support them in embracing new technologies and ways of working that may be unfamiliar to many.

Using technology to overcome complexity

Given the right training, change agents can match an organisation’s needs with the technology that it already has and advise on other opportunities. The Change Agent programme provides training on a whole host of transformational technologies such as AI and Power Automate, along with insights into how to leverage the tech you are likely already using day to day, from Microsoft Teams to SharePoint.

The training also equips participants with an understanding of the principles of change, how to lead and support change, different learning styles and meeting accessibility requirements through technology; providing attendees with the confidence, theory and practical examples to embrace and lead change within their own organisations.

Confidence in these ‘softer skills’ is crucial in enabling change within a complex industry, which is why one day in the five-day Change Agent programme option is dedicated to providing attendees with the skills to enable change. This content is delivered by industry experts; supporting colleagues to adopt digital tools requires empathy and an understanding of human psychology as well as knowledge of the products being used.

The programme also offers a bespoke version for managers within local government, providing them with sessions on how to support their teams with change, as well as technology specific sessions. This is imperative to fostering a culture of change through a top-down approach.

What really brings the training to life is the real-world examples of how other public sector organisations have leveraged these technologies as the catalyst for change within their own teams. After completing the sessions, the change agents are invited to join a digital community of alumni to further share best practice, providing access to a wider support network at anytime, anywhere.

Even where organisations across the public sector provide completely different services, most have shared common problems and therefore benefit from understanding what technologies others have implemented to resolve these issues. For example, many have a similar approach to technology-enabled time and task management, automation of document ingestion, and reporting. Collaboration between change agents should therefore be encouraged, even if that means overcoming competitive instincts.

How change agents enable transformations that differ in scale

Whilst all public sector transformations differ in scale and scope, the success of a change agent depends on a close understanding of how people respond to – and eventually accept – the introduction of technology into their working life. Leaning on a community of change agents continues to be an invaluable resource to previous alumni.

Large scale transformations could include the introduction of a new HR system. For a smaller transformation, a change agent might help a local council save time on admin by enabling the adoption of some simple digital tools. The Change Agent training programme looks at a wide range of common problem statements and the technologies that help to address some of those issues, with digital breakout rooms to discuss and collaborate.

The first key to achieving measurable benefits from change lies in finding opportunities for efficiencies that might start small or incrementally but can then scale across an entire organisation. The second key is to persuade colleagues to collaborate with the transformation programme and embrace technologies that empower them to do more with less. This usually begins by showing them that change is possible, even on a small scale. This is why change agents benefit from training in technology acceptance strategies throughout the course.

Acquiring change-agent skills

Change agents can be full-time professionals who are qualified to optimise a large-scale programme, or enthusiastic volunteers who work within their teams to deliver measurable results on the ground.

Giving these proactive individuals a forum to update their skills and coordinate their efforts adds value to any organisation’s transformation effort by enhancing its collective intelligence. In other words, a coalition of change agents is greater than the sum of its parts.

Change agents can benefit from learning new skills and putting them into practice at the same time. This is often more efficient than attempting to accelerate onboarding with an intense training schedule at the outset. Enabling new recruits to gradually build their confidence through practice lessens the risk of overwhelming them with too much information. Not all change agents are volunteers; some are nominated by their manager to gather insights on the transformation programme, or to develop their career.

The Microsoft Change Agent programme

This free programme is a national initiative designed to support local and regional government (LRG) in its digital transformation efforts. It is open to Microsoft customers, and offers a five-day version aimed at the ‘change agents’ within an LRG organisation, and a two-day version for managers.

The training employs industry experts from Microsoft and Socitm, and experienced local authority staff to help prepare delegates in theories of change, using a wide variety of Microsoft technologies to address common industry problem statements. Delegates will have the opportunity to learn and engage with others in similar roles across LRG. The programme also provides an opportunity for participants to join a collaborative network of Change Agent alumni practitioners, while learning about digital transformation technologies such as Power Platform, Power Automate, and Power BI.

Read more about our Change Agent programme and partnership with Socitm in the Financial Times – Equip the public sector with digital skills for better government.

Find out more

Microsoft Learn for government
Microsoft Adoption Score
Microsoft Enterprise Skills Initiative
Digital Skills Hub

About the author

I am an Account Technology Strategist (ATS) at Microsoft, with an MSc in managing and leading IT systems change. I help customers understand how Microsoft products can solve business problems, and I lead the Change Agent programme within the Innovate Together programme. I’m passionate about technology acceptance and supporting scalable, sustainable change across public services.

The post Digital public services: How to drive transformation with change agents appeared first on Microsoft Industry Blogs - United Kingdom.

Using hard data as a starting point, we explore the changing world of hybrid work. Guided by our own experiences of neurodivergence and disability, we debate how a more collaborative and accessible approach can drive efficiency across the public sector. In most cases we find that it can be done using technology that governments already possess.  

As a former policy advisor with hands-on experience of shaping equality legislation, these issues are all very close to my heart. 

Aligning leaders and teams to make hybrid work, work

The first episode of the Public Sector Podcast Series, season four, is The Future of Work – Facing the Hybrid Challenge. In it, Microsoft’s Henry Rex, industry advisor, and Rakhi Sachdeva, modern workplace specialist, discuss findings from the latest Work Trends Index report. The numbers reveal a significant disconnect between managers and teams around attitudes to remote working. 87 percent of remote employees reported feeling confident in their productivity at work, while only 12 percent of managers felt the same way about the performance of their remote teams.  

Managers can benefit from investing more trust in their teams and using soft skills to ensure that everyone gets access to the vision and culture of the organisation, which is key to productivity. Helping staff learn new skills ‘on the go’ improves both retention and productivity. We also discuss how a more flexible approach to work can empower individuals who have differing needs to be more effective. Building trust between management and staff enables everyone to align around the public service mission; as Henry Rex points out, people often join an organisation for the money, but stay there for the culture.

Neurodivergence and the innovation challenge

In episode two, Innovate Together, Microsoft account technology strategist, Andrew Boxall, talks about managing change in government and how it can enable staff to embrace more productive and collaborative ways of working. Along the way we discuss our shared experiences of being neurodiverse in the workplace, which provides insights into the challenges of data-driven innovation. 

Addressing bias and differing learning styles enables public servants to collaborate better across organisations. The Innovate Together initiative, supported by Microsoft, aims to accelerate innovation and best practice sharing across the public sector. Trailblazers like Norfolk County Council provide an inspirational example of how advanced techniques such as robotic process automation can drive efficiency.  

Success depends on leaders who set an example and have the initiative to share their learnings. All our guests agreed that making better use of existing tools is a great way to achieve incremental efficiency gains in government, and start building confidence. 

Extending accessibility and inclusion to drive productivity 

In episode three, Accessibility, Equality, Diversity, and Inclusion, I speak to Maria Grazia Zedda, senior EDI manager at HS2, who is severely deaf. Maria Grazia speaks movingly about overcoming the challenges of disability and hardship when she arrived in London as a young woman. London is also where she found support on her career path and discovered her vocation, improving accessibility in the workplace for everyone. These uplifting experiences are captured in her first novel which is to be published in her native Italy. 

Maria Grazia welcomes the adoption of new technologies that enhance accessibility and inclusion, such as minicoms and auto-captions (Live Captions in Microsoft Teams), the use of which was accelerated by remote working. The momentum now needs to be maintained so that inclusion becomes a fundamental principle of the workplace and the built environment. 

Explore episodes from our previous series 

Our previous three podcast series provide fascinating insights into how efficiency in the public sector could be improved with fresh thinking.  

Public Sector Podcast Series – Season One

In Public Sector Podcast Series – Season 1, guests discuss how citizen services can be enhanced using new digital technologies. Further episodes explore the challenges of managing security across government in a digital world, and overcoming the barriers to legacy estate reduction. Hindsight is also explored as a means of understanding past mistakes and improving government performance in the future.

Public Sector Podcast Series – Season Two

Public Sector Podcast Series – Season 2 builds on these themes, looking at how citizen identity in government can be managed simply and securely. The challenges of hybrid work, and the uses of geospatial data science in the context of the government’s levelling-up agenda, are also up for discussion. A highlight from series two is the episode that draws lessons from the Environment Agency’s experience of digital transformation. Cross-government data sharing also comes under scrutiny.

Public Sector Podcast Series – Season Three

Public Sector Podcast Series – Season 3 digs deeper into data sharing and how citizens engage with government. We assess the government’s Green agenda and the challenge of data literacy in driving innovation across the public sector. And what, we ask, do young people think about entering public service? We devote an episode to figuring out the changing face of apprenticeship in a hybrid world.

Find out more

Successful trial of the Microsoft and Socitm Change Agent programme

Our innovation – Norfolk County Council

Microsoft 365 Collaboration Blueprint for UK Government – Microsoft Industry Blogs – United Kingdom

How the public sector can streamline operations and innovate with intelligent automation – Microsoft Industry Blogs – United Kingdom

About the author

Aaron has worked at Microsoft as an industry advisor for central government for the last four years. Before that he spent twenty-five years in the public sector across a number of departments, in both central and local government, leading on technology policy and strategy. Most notably, he worked on the creation of the Equality Acts (2006 and 2010), the Public Sector Equality Duty and the translation of the EU Accessibility Regulations over to the UK. Outside of his day job, Aaron lectures on accessibility, inclusion and neurodiversity at local institutions and across the wider tech sector.

The post How to make government more effective in a hybrid world: podcast series appeared first on Microsoft Industry Blogs - United Kingdom.

The National Cyber Security Centre (NCSC) has some great guidance. We thought we would seek some to provide some clarification as well as explain how best to approach that guidance with the tools we have available. We’ve put this together into one place so you can have it as an easy reference.

Tip 1: Make regular backups

The key action to take to mitigate the damage of ransomware is to ensure that you have up-to-date backups of important files. If so, you will be able to recover your data without having to pay a ransom.

Ensure your backups are kept separate from your network or in a cloud service designed for this purpose. Also, don’t rely on just one back up.

The NCSC suggest to stick to the 3-2-1 rule for backups – at least three copies, on two devices, and one offsite. This allows you to scale effectively, while giving you confidence your data is safe from localised incidents.

To help interpret its guidance, the NCSC has suggested a few extra options if you already have data in the cloud:

Software as a Service (SaaS) apps: Some fully-managed services include the ability to retain historic versions of files and recover recently deleted files. Built-in record retention can also give you access to archived data. It’s important to remember these protections may not stop a Global or Super Administer account from being compromised. You should only use those when absolutely necessary and from trusted devices.

Cloud storage: Data associated with Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) is normally stored in the provider’s ‘blob storage’. Configure an automated or backup task to copy data into long-term ‘blob’ storage and configure that data to make it undeletable for a set period. It also allows you to maintain data immutability, and set policies for deleting or modifying data.

Third party software: Workloads and data hosted in IaaS in the cloud usually work well with on-premise backup solutions. To defend against ransomware effectively, your strategy will need the ability to copy the backup and set policies for modifying or deleting the data, include removing the ability to modify the data for a period of time. They also offer services and software that backup data stored in SaaS apps and your cloud storage – something you should consider if you don’t have the built-in capabilities of your cloud service.

Infrastructure as code: Recovering from a ransomware incident usually requires a combination of restoring data and rebuilding underlying services. The NCSC recommends building and configuring services in the cloud, using Infrastructure as a Code. This will help you rebuild new and clean versions more quickly if you find yourself in a disaster recovery scenario.

No matter what method you use, both we and the NCSC recommend regularly testing your backups are working as normal. This includes checking that backups can’t be changed or deleted and making sure you can recover data successfully.

How we can help

We build with security in mind to make it easy for you to store, backup, and access your data securely and quickly.

Azure has built-in, one-click offsite backup of cloud workloads and hybrid data. It uses write-once-read-many blob storage across all tiers, which allows you to store data in the most cost-optimised tier. You can create your own policies while maintaining data immutability.

OneDrive for Business is included in SharePoint Online on Microsoft 365. To prevent the loss of SharePoint data, backups are performed every 12 hours and retained for 14 days.

You can store documents in OneDrive for Business and gain versioning control. By default, OneDrive for Business stores 10 copies of previous versions of a document. This means if ransomware overwrites your document you can recover a previously saved version. You can also restore the entire OneDrive for Business to a previous point in time within the last 30 days.

OneDrive Known Folder Protection automatically backs up workstation desktops and document folders and keeps 1,000 revisions of files offsite in Azure. OneDrive Personal Vault also adds a second layer of authentication to further protect your most sensitive files.

Microsoft 365 customers have multiple copies of data automatically backed up in off-premises two data centres as part of the default configuration.

In Windows 10, the Ransomware Protection feature controls access to data held in commonly used folders such as documents, pictures, videos, music, and favourites. You can enable Ransomware Data Recovery in the Update and Security section of your Windows Security app to automatically synchronise with your OneDrive for Business account and back up your data.

If you have implemented File History in Windows and have stored documents on an external offline drive, you can restore a previous version easily with File History Backup and Restore.

Tip 2: Prevent malware from being delivered to devices

Ransomware infections usually start with email, through a malicious URL or attachment. You can reduce this with network services by:

• Mail and spam filtering to block malicious emails and remove executable attachments.
• Intercepting proxies and safe browsing lists within browsers to block known malicious websites
• Internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware.

Some ransomware attacks gain access to networks through remote access software like Remote Desktop Protocol. By using multi-factor authentication and ensuring users have first connected via a secure VPN, you can prevent these brute-force attacks.

How we can help

Microsoft 365 can perform real-time scans of files as they are downloaded, opened, or executed, and can be configured to periodically scan the file system as frequently as required.

If you’re a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, your email messages are automatically protected against spam and malware with Exchange Online Protection.

You can further protect your organisation by implementing Office 365 ATP. This enables protections against unsafe attachments and links and extends the capability to real time detections and automated response.

Depending on your tenancy, you need to configure your anti-spam policies appropriately. We’d recommend government customers follow the NCSC guidance on SPF, DMARC, and DKIM in their anti-spoofing post on email security.

Smartscreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files on Windows 10 and Edge.

You should enable multi-factor authentication for all users, preferably supported with a Windows Hello gesture to maximise protection rather than utilising a password for authentication.

The NCSC guidance for Windows 10 shows how you can configure the native VPN to meet the needs of the government.

You can also prevent untrusted apps from making changes to folders in Windows 10 or Server 2019 by implementing Controlled Folder Access. It also alerts you when such activity is taking place, meaning you can respond quickly.

In addition, we would recommend that you stay current with your security updates.

Tip 3: Prevent malicious code from running on devices

Take a zero trust approach. This is where you assume that malware will reach your organisations devices. The NCSC suggests you take steps to prevent malware from running at device-level by implementing security features. Centrally managing enterprise devices ensures you only permit apps your organisation trusts, or only allow apps from trusted app stores or locations.

If you think enterprise antivirus or anti-malware products are necessary, ensure the software (and its definition files) are kept up to date.

Attackers often use malicious macros to obfuscate ransomware. You can help stop this by disabling or constraining macros in productivity suites (e.g. scripting environments), disabling autorun for mounted media, and protecting your systems from malicious Office macros.

In addition, attackers can force their code to execute by exploiting device vulnerabilities. Prevent this by keeping devices well-configured and up to date. The NCSC suggests you:

• Install security updates as soon as they become available in order to fix exploitable bugs in your products. The NCSC has produced guidance on how to manage vulnerabilities within your organisation.
• Enable automatic updates for operating systems, applications, and firmware.
• Use the latest versions of operating systems and applications.
• Configure host-based and network firewalls, disallowing inbound connections by default.

The NCSC’s End User Devices Security Guidance and newer Mobile Device Guidance gives advice on how to achieve this across a variety of platforms.

Provide security education and awareness training to your people, for example NCSC’s top tips for staff.

How we can help

Moving to a modern OS and applications will improve the overall security posture of your organisation and will lessen your attack surface. Both Windows 10 (Defender, Secure Boot) and Microsoft 365, including client software, have several protection mechanisms that mitigate against common malware threats.  Staying current, patched, and up to date will reduce your vulnerability to malware. Tools like Microsoft Windows Applocker and Defender ATP leverages the cloud to protect your enterprise from ransomware attacks.

Strongly consider if you need macros across your estate. If not, disable them for those users who do not need to run them. You can also only allow digitally signed macros to run. This, as well as moving to the Open XML document formats, will significantly improve your security posture.

Updates for Windows 10 as part of Windows as a service, and Microsoft Pro Plus are automatic if left on their default settings. This significantly improves your security posture by ensuring the latest security features and updates are protecting your users.

Microsoft Azure Sentinel automates responses to threats in your environment on-premise and in the cloud. This enables you take mitigation action more rapidly than a human-led response.

Tip 4: Limit the impact of infection and enable rapid response

The quicker you can prevent ransomware spreading through your network, the easier it is to recover. The NCSC advises you to never pay a ransom, as there’s no guarantee you’ll get access to your device or your data back. However, if you put in mitigations in place, your incident responders can help your organisation to recover quickly.

• Follow the NCSC guidance on preventing lateral movement. Once in your network, attackers aim to move across machines. This might include targeting authentication credentials or perhaps abusing built-in tools.
• Use two-factor or multi-factor authentication so that if malware steals credentials they can’t be reused.

• Ensure obsolete platforms (OS and apps) are properly segregated from the rest of the network (refer to NCSC guidance on obsolete platforms for further details).
• Regularly review and remove user permissions that are no longer required, to limit malware’s ability to spread.
• System administrators should avoid using their administrator accounts for email and web browsing, to avoid malware being able to run with their high levels of system privilege.
• Architect your network so that management interfaces are minimally exposed. The NCSC blog post on protecting management interfaces may help.
• Practice good asset management, including keeping track of which versions of software are installed on your devices so that you can target security updates quickly if you need to.
• Keep your infrastructure patched, just as you keep your devices patched, and prioritise devices performing a security-related function on your network (such as firewalls), and anything on your network boundary.
• Develop an incident response plan and exercise it.

How we can help

To help you respond rapidly to threats, Microsoft ATA and Azure ATP detects lateral movement and alerts you to these.

Multi-factor authentication stops 99.9 percent of attacks, so it’s important to enable that for all users. Additionally, a Windows Hello gesture will help maximise protection, as it minimises the ability for malware to steal credentials as it doesn’t utilise a password for verification.

For the best protection against all malware, make sure you’re using the latest available version of an operating system or application. Utilise tools like InTune to ensure all users are up to date.

And use the least privilege for all operations on-premises or in the cloud with Azure PIM. Tools like Conditional Access can also be used to evaluate user and machine health at the point of access to services.

Defence in depth

These are a few things you can do to have a healthy security plan. Remember to check, test, and update your security plan regularly as well as keeping employees educated and aware. You can use Azure Advanced Threat Protection and its Intelligent Security Graph to help detect and prevent malware running on devices and entering into your organisation.

For more in-depth resources, take a look at:

• Microsoft Defender ATP
• Microsoft Advanced Threat Analytics
• Office 365 Advanced Threat Protection

Finally, the Microsoft Azure Sentinel will help improve your organisation’s situational awareness. This enables you collect data and detect, investigate, and respond rapidly to threats.

Find out more

A holistic approach to security and compliance

How to create a security culture: 5 steps to success 

About the authors

Stuart has been with Microsoft in the UK since 1998 and is the National Security Officer for Microsoft in the UK. Prior to that, he has worked as strategy consultant to a variety of UK Government customers, mostly within the defence arena, and run a number of Government Programs with the UK including the Government Security Program, the Security Co-Operation Program, and the Welsh Language Program. He still continues to run the UK GSP program today. Prior to joining Microsoft, Stuart worked as a consultant for ICL in their Power of 4 Consultancy, mostly focused in the defence and government spaces. Before ICL, he worked for Barclays Bank in a number of application development and IT infrastructure roles. He has been actively involved in computer security-related activities since the early 1980’s.

Lesley is an experienced security incident responder with a demonstrated history of working on investigations into cases of hacking, compromise, and breach. She is skilled in Security Incident Response, Computer Security, Forensic Investigations, Crisis and Program Management. Strong information technology professional with a Master of Science (MSc) focused in Forensic Computing from Cranfield University. She is passionate about sharing her knowledge by speaking at events and training industry and law enforcement.

The post 4 ways to protect your organisation and mitigate the threat of ransomware appeared first on Microsoft Industry Blogs - United Kingdom.

Moving to the cloud means organisations can take advantage of new technology such as AI, intelligent security, and improve resilience and scalability. The UK Government has taken a public cloud first policy and has recently reaffirmed this approach in its new Cloud Guide for PS.

In order to keep providing great experiences for citizens, empowering employees with real-time information, and optimise and streamline services and operations, the public sector needs to adopt hyper-scale public cloud capabilities. Azure has been used to help police tackle crimes, support NHS Trusts with AI, and support social care.

Improving access to cloud capabilities

We want the public sector to have access to these capabilities in Azure. This is why we’ve worked closely with the Crown Commercial Service to agree a new non-binding Azure Pricing Arrangement (APA). It builds on the recently announced One Government Cloud Strategy and Cloud Guide for PS. It also ensures better value for money, by providing discounted pricing and beneficial terms for eligible public sector organisations when using Azure.

Doing this opens up the opportunity for public sector customers to address three important things. These are:

• Create a hybrid cloud journey – Protect existing investments by providing tools to support and manage hybrid cloud and multi-cloud capabilities, both technically and commercially.
• Turbocharge data insights and application development – Leverage tools such as Power Platform (PowerApps, PowerAutomate, Power Virtual Agents and Power BI) and Azure AI to rapidly develop solutions that offer users insights from vast quantities of data. Azure GitHub also provides the largest world-class platform for sharing code and ensuring the public sector family can take advantage of collaboration and sharing.
• Microsoft’s commitment to sustainability – Microsoft is working to become carbon negative by 2030. By using Azure, the public sector can be sure it is working with a supplier that is having a positive, constructive, and tangible impact on climate change.

The Azure Pricing Arrangement will also help public sector customers accelerate their digital transformation journey and address some important points from the Cloud Guide for PS.

Be more innovative

It’s hard to be innovative when you have to stick to budgets, but the APA gives you an opportunity to re-imagine and redesign citizen services, as well as improve and make operations more resilient and scalable.

Take advantage of analytics, AI, and machine learning to quickly analyse large government datasets. Azure services such as Azure Cognitive Services brings AI within reach of every developer – without requiring machine learning expertise. Azure Synapse Analytics is a service that brings together enterprise data warehousing and Big Data analytics. Azure Blockchain Service offers the opportunity to quickly build, govern and expand blockchain networks at scale, providing new ways to track and secure important data in distributed citizen processes.

Azure Digital Twins can create comprehensive models of physical environments using spatial intelligence graphs to model the relationships and interactions between people, places, and devices. This helps discover opportunities to improve customer experiences, create new efficiencies, and improve spaces in which people live and work.

Futureproofing your employees

Empower your employee’s up-skill and re-skill. Microsoft Learn has free, on-demand modules and learning paths to help learner’s up-skill. They can also gain industry-recognised Microsoft Certifications, including Azure Data Scientist and AI Engineers. This not only ensures your employees have the skills to get the best out of Azure and its capabilities, but its futureproofing their careers.

Supporting a hybrid and multi-cloud journey

Some organisations use multiple cloud providers, or have a hybrid model with some data stored on their own servers and some in the public cloud. The new public sector APA will enable discounts for Azure services and products that build on existing investments and support the journey to cloud. Azure Arc allows management of complex and distributed environments across on-premises, edge, and multi-cloud scenarios, and offers features such as cloud billing for existing on-premises workloads which can help optimise costs. Azure Stack is a unique hybrid cloud solution that expands the Azure cloud and lets customers run Microsoft Azure Services on-premises from their own data centre. Azure Stack shares a standardised architecture, including the same portal, unified application model, and common DevOps tools.

Intelligent security

Security is a critical component for the public sector, especially as they hold large amounts of sensitive and personal data. Azure provides the opportunity to build next-generation security operations using the cloud and AI, while ensuring organisations meet compliance and regulatory standards. Azure Sentinel uses advanced AI and security analytics to help detect, hunt, prevent, and respond to threats across the organisation. Azure Security Center helps strengthen the security posture of data centres, and provides advanced threat protection across cloud and on-premise workloads.

Helping you achieve more

The new APA has been agreed as an addendum to the existing Digital Transformation Arrangement (DTA) MoU between Microsoft and the Crown Commercial Service, which runs until April 2021. The DTA featured packages and tools to help with GDPR compliance and governance, as well as Microsoft 365, Enterprise Security, Microsoft Teams, and Windows 10 Enterprise capabilities.

Get guidance and support

In order to help the public sector on their Azure journey, we’ve launched some programmes to provide guidance, learning, and help accelerate projects. Take a look at FastTrack for Azure and the Azure Migration Programme. The new public sector APA has also launched some special offers for Azure Support.

The Azure Pricing Arrangement for eligible public sector customer will also be available until April 2021. To unlock the opportunity from this deal please talk to your Microsoft Account Manager or Microsoft certified reseller for more details on the options available.

The post How Azure can help the public sector to innovate and stay resilient appeared first on Microsoft Industry Blogs - United Kingdom.

As a Digital Advisor for the UK Public Sector, I often meet customers who are already getting weary of the term digital transformation. So much has already changed in the way people work in such a short time. It is remarkable to reflect on this. But whilst the technology change has been relentless, I sometimes think we have forgotten about another key element to this transformation – our people and their ability to make the best out of the technology they are being asked to use and adopt. Let’s consider some key areas where we need to improve our employee experience:

1. Don’t expect everyone to be the same

Many people in charge of change management make assumptions around the people who will use the technology being rolled out. Assumptions around attitude, skills, ability, and desire. Not every employee is an ‘early adopter’ of digital and willingly wanting to try our new shiny stuff. So digital change projects need to consider this diversity and  have different methods for different scenarios.

2. Explain the TLAs (three letter acronyms)

Not everyone understands the acronyms and terms that have become commonplace in technology and sometimes people feel reluctant to say so. Make sure you explain things clearly – MFA, VPN, WAN… !

3. Think about the end-to-end employee experience, not just the middle bit

A common problem in getting acceptance and adoption of new digital tools is often that the full employee experience has not been considered. Instead, focus is put on the main application.

Stories of unused devices are not a reflection of an employee rejecting new technology. It’s a reflection of complex and clunky processes. For example, a device is less likely to be used when you have to grapple with complex passwords aligned to clunky service desk mechanisms or being in physical environments where the device is unworkable.

4. Consider the appropriateness of digital

Just because you can it doesn’t mean you should. Sometimes digital devices are rejected due to the circumstances where they are being used. A simple example is the use of devices within meetings – and the feeling of distraction they can cause. More specific Public Sector examples include police forces being issued with smartphones, but then being perceived by the public as sitting in their car playing games rather than working.

5. Create inclusion of all workers

An interesting ratio that I look for in an organisation is how many people do not have digital access at all. You might think in today’s workplace that this is unusual. But there are many examples of workers – usually frontline workers – who do not.

This can be large percentages of staff depending on the organisation – e.g. in local government this can include care workers, refuse/street cleaning, and parks/gardening staff. These frontline workers can often stay offline. This means they either must rely on higher levels of overhead or management to keep them informed around topics such as communication, collaboration, tasking, or reporting.

The biggest risk is that they can become disconnected to the rest of the organisation as they are not picking up as much communication and information. The irony is that these are the people who are highly likely to have a large amount of interaction with customers.

6. Put a welcome mat outside the helpdesk

When things go wrong with digital tools many workers become rapidly unproductive. Business continuity planning is often looked at by organisations against major systems. However, personal productivity is often overlooked.

A device being unavailable due to updates and patching, or an item of hardware not working can mean that worker is unable to perform their role, has pressure to recover, and can often be put under stress, creating a poor employee experience.

Support also seems to be the poor cousin – consider fixing the worker, not the technology. Have ready-to-go spares for quick use. Automate as many functions as possible and enable catalogues. Make support welcoming and train staff with customer service techniques as well as technical support knowledge.

7. Gain wider input, test it, and keep on getting feedback

Shoot then aim. Sounds silly but so often done. Technology implementation teams can become insular and assumptive.

Use wide pools of people to test approaches, to check on needs, and to pilot or trial new technology. It’s a wise approach. Often there is push-back due to the time, or the effort involved. But, it actually saves time and money in the long-term.

This approach means the upfront investment is tiny compared to the mop up that’s involved in recovering a project that hasn’t followed this approach. Also, we see major projects being stood up and implementation getting the attention and focus. As it runs its course the feedback loops, training, and value measurement drop off and the value weakens. Consider the full lifecycle of these digital opportunities before implementing them.

These topics are obvious when you read them back, but our experience is that they are often overlooked. Microsoft has developed significant experience, and driven innovation over the years for its technology and digital solutions. But, less well known is our focus on the customer in their adoption and usage of our solutions.

Through business focused Digital Advisory services, and complimentary services such as adoption and change management we have significant capability in supporting our customers to get value from their digital transformation journeys.

Find out more

5 change management tips to motivate any team

Discover how to deliver a great employee experience

Download the eBook: Creating a culture of digital transformation

About the author

Neil is a Digital Advisor working in the UK and focused on the public sector. His team help organisations get value from their digital investments and drive innovation through the implementation of digital transformation opportunities. Neil has been with Microsoft for 2 years and his particular areas of focus are within digital adoption, business change management, and transformation delivery.

The post The importance of the digital employee experience appeared first on Microsoft Industry Blogs - United Kingdom.