Brisbane-based Alchemy Recruitment Consulting (Alchemy) is a tier one specialist provider and partner of choice that delivers key services to the mining, resources, energy, heavy industry, and government sectors. Alchemy supports workplace equality via their inclusivity and diversity strategies, plus they are partners of Top 100 Women (Construction).
Globally, security threats are constantly shifting the goal posts and are evolving at an alarming rate. To ensure our businesses are kept safe and secure, it is imperative that we continue adapting and evolving to meet these threats head-on.
Alchemy’s clientele are top-tier companies and governmental departments who demand stringent security compliance from their service providers. Exxa was tasked to not only ensure Alchemy meets these demands by enhancing Alchemy’s security posture, but to improve efficiency and usability of systems and programmes across the organisation.
Through a series of meetings both on and offsite we worked with the directors and managers of Alchemy to create a full and complete IT audit of the current business environment. During this process, we identified the desired outcomes, as well as established the objectives and schedule.
• Migrate the current on-premises file share to SharePoint to leverage Microsoft’s security, flexibility, and productivity, thereby allowing access on any device.
• Improve document and task processes so replication is effective and efficient.
• Enhance security protocols throughout.
• Establish education procedures and measures.
• Improve IT policies and procedures.
• A stringent set of IT policies, which employees were to be made aware of, acknowledge, and sign off on. This is an essential part of the process so that all employees know their responsibilities.
• Cyber security awareness training for all stakeholders.
• Data classification policies and software to enforce the security to protect and dramatically minimise threats to sensitive data.
• An offsite point-in-time backup policy to protect Alchemy’s data against loss and ransomware.
• An assessment of the company’s security posture through penetration and vulnerability testing.
• An enhancement of security throughout the business with the implementation of a password policy and Multi Factor Authentication (MFA), where possible.
“Knowing that the team at Exxa is in our corner gives me great confidence in our ICT systems and data privacy matters.”
Forrest Briggs: Principal Consultant and Director
• Access control policy
• Incident response policy
• A comprehensive information security policy
This policy details staff responsibilities in all aspects of IT security, including password complexity, data retention and disposal, data classification and security, network, computer, and physical security, amongst others.
Cyber Security Awareness Training:
With staff up-to-date regarding their responsibilities, we implemented cyber security awareness training and simulated phishing attacks to educate users in protecting themselves online. This was rolled out with due dates for course completion, and it was enforced by management. Reports were written to ensure compliance by all staff.
Data Classification and Protection:
Azure Information Protection was used to classify the sensitivity of company documents according to the information security policy and to enforce the protection of sensitive information. Based on LP (Least Privilege)/RBAC (Role Based Access Control), the software protects sensitive documents by restricting printing, copying, forwarding, and saving by viewers—this is considered best practice.
Alchemy uses Microsoft 365 for communication, and part of EXXA’s remit was to transition their file share to SharePoint/OneDrive. Therefore, a point-in-time backup for their email and files is essential. This helps to protect against data loss as well as ransomware, which has become increasingly common in today’s threat landscape. Spinbackup was implemented for all users, SharePoint sites, and teams. Backups were completed automatically via AWS Sydney data centres three times per day, indefinitely.
Penetration Testing/Vulnerability Assessment:
A comprehensive assessment of Alchemy’s infrastructure was performed and remediated, and reports were provided to management using Qualys Security assessment software.
Multi Factor Authentication (MFA) was rolled out in all areas possible. Password complexity and length were increased, and the number of global administrators was decreased to adhere to Least Privilege best practice. This was done with minimal impact to staff to ensure consistent productivity.
One of the desired outcomes for Alchemy was to implement SharePoint sites companywide, migrating from shared on-premises infrastructure. Our team worked with key management personnel to create three (3) sites based on business function, and locked down access permissions to least privilege using Microsoft 365 Groups. The sites were synced with users’ desktops for ultimate flexibility.
There were IT knowledge gaps at Alchemy, so documentation was created to address this in the following areas:
• SharePoint Administration
• Azure Information Protection
• Microsoft 365 processes for ex-employees to maximise data retention and minimise cost.
• Alchemy staff can access their data from any device at any time, increasing their productivity and efficiency.
• Staff have been educated in the importance of cyber security and their responsibilities, helping to minimise risk.
• Security has been increased company-wide to diminish attack vectors.
• Secure online backups are available and are stored in Australian data centres indefinitely. This ensures data redundancy and facilitates Business Continuity Planning.
• Alchemy’s customers are reassured that their sensitive data is in good hands.