Netsurit Security Case Studies
Aurex Constructors CASE STUDY
Aurex Constructors safeguards systems and data with Microsoft 365 E5 and Defender for Endpoint – company can now prevent, detect, investigate, and respond to advanced threats.
Aurex Constructors is a key player in South Africa’s construction, turnaround, and maintenance industry, with more than 40 years of experience serving a blue-chip customer base in the oil and gas, mining and metallurgy, infrastructure, petrochemical, and clean power sectors.
Its two main service lines – construction and turnarounds, and maintenance – deliver structural, mechanical, electrical, instrumentation, piping, platework (SMEIPP), fabrication and management services for projects of all sizes and complexities. The company’s highly skilled workforce has a proven track record for delivering flexible, innovative project management solutions tailor-made to customer requirements.
The purchase drivers
At the start of 2021 Aurex Constructors split from a larger parent company and turned to Netsurit to migrate the business onto its own tenant with Microsoft 365 E3 licensing. The initial focus was on productivity solutions (email, Teams, and more) and basic security.
“The business was growing, and we had stabilized our core infrastructure in the initial period,” says Johan Claassen, IT Manager at Aurex Constructors. “We were ready to tighten up security and compliance in order to be more resilient against the growing number and range of cyber threats. What we wanted was a comprehensive security and compliance solution covering a broad range of risks and threats, with tight integration between all components, and effective single pane of glass visibility of the state of the environment.”
Claassen explains that the organization provides complex projects for major customers and deals with large amounts of confidential information. It is dependent on its IT systems to perform all core functions.
“If a security incident were to occur, we would face loss of productivity which would have a direct revenue impact and would also diminish the trust our customers have in the business,” he adds. “That’s why we needed to be able to demonstrate to our internal and external stakeholders that there were strong security controls in place to protect against likely risks.”
The solution
Because of Netsurit's demonstrated deep technical knowledge and insight into Microsoft security solutions, the company turned to it for the implementation of Microsoft 365 E5, which combines productivity apps with advanced security, compliance, voice, and analytical capabilities.
The solution included:
- Microsoft 365 E5 with Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps
- Microsoft Sentinel SIEM collecting security events from Microsoft 365 and other security-relevant systems
- Custom automation and reporting
The Netsurit Security and Operations Centre (NSOC) provided all the necessary management capabilities and services that Aurex Constructors needed. In particular, its emphasis on proactive prevention, maintenance, and automation was aligned with the company’s approach to business.
“The NSOC provides a comprehensive managed security service ensuring that the Microsoft security stack was thoroughly implemented, with all available functionality enabled and integrated,” says Claassen. “The focus on the people and process aspects of the security solution ensures that the technical components of the solution are effectively managed and used. We like the focus on proactive maintenance to avoid risks, which is unlike the reactive approach of many security providers who instead focus on post-incident remediation.”
During the implementation, Netsurit used the Microsoft Commercial Incentives (MCI) programme to drive a series of Microsoft-sponsored workshops in which Aurex’s security state and requirements were evaluated and a solution planned and piloted. The workshops allowed the customer an opportunity to develop their thoughts on what they really needed from the security solution. The assessment, planning, and pilot implementation during the workshops ensured that the implementation was smooth, with minimal business impact and a rapid return on investment.
“Based on the outcome of these workshops, the plan for a phased implementation of Microsoft 365 E5 security workloads supported by a Microsoft Sentinel SIEM was executed,” says Dean Naidoo, Account Executive at Netsurit. “During the implementation, training was provided to key Aurex employees to ensure that they were familiar with the technical capabilities of the solutions. The NSOC service was activated, customizing the Microsoft security solution to include automation and custom reporting.”
The benefits
Aurex Constructors is now confident that it can detect and protect the business against most of the security threats it is likely to encounter. There is a constant improvement program that reviews the state of security on a monthly basis and then implements improvements. Any identified risks are proactively managed to mitigate or remove the risk. Issues are rapidly detected and remediated.
“The custom reports and dashboards give our management and other stakeholders clear visibility of the state of our security, which gives us confidence that we are as well protected as is possible,” says Claassen. “The visibility also shows that we are receiving a return on investment from the solution. There isn’t a direct financial ROI, but the reporting included in the solution shows what security risks and incidents have been handled. This allows us to get a feel for the potential business disasters we have avoided.”
The future
Aurex would like to continue to use Netsurit to provide managed services based on the excellent service received. The company will continue to develop a roadmap for the long-term improvement of IT services and solutions which can be used to drive improvements in IT service delivery.
“Netsurit is our IT vendor of choice, and we would like to build a long-term relationship with the company,” Claassen says. “We consider Netsurit a strategic part of Aurex Constructors.”
– November 2021
Adviceworx CASE STUDY
Adviceworx gains visibility, manages data securely, and goes beyond compliance with Microsoft Purview from Netsurit
Financial services business Adviceworx has safeguarded all its data with Microsoft Purview’s comprehensive solutions for information protection, data governance, risk management, and compliance, a total solution implemented by Netsurit.
The purchase drivers
Adviceworx helps clients to grow and preserve their wealth. The business has a network of close to 120 advisory practices located in 50 offices nationally. Its financial planners execute independently but adhere to a common operating model. Adviceworx has the full operational infrastructure to operate as a Category I financial services provider.
As a small investment advisory firm, Adviceworx required strong regulatory compliance and information protection due to the nature of its work and the customers the business serves.
External stakeholders required regular reports to prove Adviceworx’s compliance status and progress on improving regulatory compliance and information protection. The company’s business prospects would become limited were it not able to demonstrate a strong commitment to, and an actively managed roadmap towards, regulatory compliance and information protection.
“Netsurit has been a managed services provider to Adviceworx for several years,” says Daniel van der Merwe, Head of Regulatory Operations at Adviceworx. “We contacted Netsurit to investigate compliance solutions. The challenge was that we had limited visibility of what sensitive information was being sent out of the organization, as well as limited ability to protect confidential communications to internal and external recipients.
“In addition, we did not have strong controls integrated into Exchange Online and other Microsoft 365 workloads to detect and prevent leakage of confidential information. Initially, we were interested in deploying Compliance 365. After researching the General Data Protection Regulation (GDPR), and how Microsoft was helping companies to ensure compliance, we contacted Netsurit and the rest is history.”
Business objectives
The South African Protection of Private Information Act (POPIA) came into effect in July 2021. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
POPIA specifies wide-reaching legal requirements for the protection of private information that a company may hold regarding customers, staff, suppliers, and other stakeholders. It is similar in scope and impact to the European Union’s GDPR. All organizations in South Africa are required to be POPIA compliant and to have a compliance plan in place.
In addition, there are several regulations other than POPIA that impact how information is held and managed by organizations in South Africa, including the Consumer Protection Act (CPA), the Electronic Communications and Transactions Act (ECT), and others. As a financial services provider, Adviceworx is also subject to a number of specific regulations that apply to this sector.
Like other financial services providers in South Africa, Adviceworx has a heavy regulatory burden to comply with. As a small company, it is challenging to be subjected to the same regulations and requirements as much larger organizations. However, Adviceworx is required to be compliant in order to avoid penalties and retain the trust of its stakeholders.
Specifically, some of the larger investment organizations in South Africa with which Adviceworx has long-standing business relationships have stated the requirement that business partners explicitly show their compliance status and provide a roadmap for ongoing improvement in information protection, governance, and regulatory compliance before they will continue to do business with them.
The solution
Microsoft Purview, a new set of solutions designed to help organizations govern, protect, and manage their entire data estates, offered a comprehensive set of features to enable management of information protection, compliance, and governance for Adviceworx.
Netsurit upgraded Adviceworx’s licensing to include the Microsoft 365 Compliance add-on SKU and supplement the existing Microsoft 365 E3 + Microsoft 365 E5 Security add-on. The following Microsoft Purview compliance solution components were included:
- Compliance Manager
- Information Protection
- Data Loss Prevention (DLP)
- Endpoint DLP
- E-Discovery
The Purview solution components were tightly integrated with the Microsoft 365 Defender security stack and the Office 365 productivity services, both of which Adviceworx was already using for much of its internal IT service provisioning.
Because Netsurit has been a managed services provider to Adviceworx for several years, the Netsurit Security and Operations Centre (NSOC) was already providing a managed security service to Adviceworx and also offered the capability to perform ongoing management of the Microsoft Purview compliance solution. This was important as Adviceworx does not have sufficient capacity to perform much of the ongoing compliance management task in-house.
Netsurit’s compliance solutions expertise
Netsurit has developed a structured approach for the implementation of compliance solutions with a series of predefined steps.
“We first held workshops with Adviceworx during which the compliance requirements were evaluated and prioritized, after which an implementation plan was developed,” says Dean Naidoo, Account Executive at Netsurit. “The existing data repositories were scanned to identify potentially sensitive information. The sensitive information types were defined for the evaluation of information. Sensitivity labels were applied where relevant. Policies were created for various Purview compliance services, such as Information Protection and Data Loss Prevention (DLP).
“Throughout, the implementation team worked closely with business stakeholders to ensure that the technical solution aligned with business requirements and constraints. Training was also provided to internal stakeholders to ensure that they understood how to use the Microsoft Purview compliance solution components to meet the organizational compliance requirements.”
Challenges overcome
The requirement for POPIA compliance was not well defined at initiation of the project. This required Netsurit and Adviceworx to collaborate and define a workable set of compliance policies and controls to meet the immediate requirements.
Business benefits
Microsoft Purview can be effectively implemented even in relatively small organizations that have the same regulatory and internal compliance requirements as large players.
Adviceworx now has improved business processes that give the company control of data classification and communications compliance controls. The organization is more compliant with internal and external requirements. In addition, the reports generated allow Adviceworx to easily demonstrate status and progress with regulatory compliance and information protection to internal and external stakeholders. The improved visibility of its compliance status is of great benefit to the business.
Because regulatory compliance is now a key condition for legally doing business in South Africa, being POPIA compliant avoids massive potential penalties and ensures that business partners are willing to work with Adviceworx because of the enormous progress it has made in managing information protection and compliance. Adviceworx would quite possibly not stay in business had it not met these requirements. Although there is no direct financial ROI, the value of the solution should be measured in terms of penalties avoided and external business relationships preserved.
The future
With legislation forever changing and evolving, the company will be required to keep its systems updated and in line with new developments. “We hope that Netsurit will continue with us on this journey,” says Van der Merwe. “The Netsurit team has been extremely helpful and professional and the systems that have been put in place are working as intended. We are most happy with the outcome.”
– March, 2022