Diary of an IT Manager

Purview and Compliance in a Small Business

Using Purview with Microsoft 365 Business Premium can be a struggle. When your company isn’t big enough for E5 or additional licensing, managing compliance in the Microsoft stack can be difficult. Below is a quick overview of how I manage it and make sure that the company stays compliant with UK GDPR, PCI DSS, DPA, and for my sins, the NIS requirements.

An overview of the above is quite simple, although a small company following NIS guidelines makes us an outlier. UK GDPR is currently quite close to the EU’s GDPR requirements. They are currently the same, although they will likely begin to diverge in the near future. PCI DSS, the payment industry’s requirements, is also rather simple: just make sure you abide by the requirements set by your payment providers. The Data Protection Act is also something that you are going to be familiar with as an IT or Compliance Manager in the UK.

The difficulty for us is making sure we follow NIS. This often gets confused by our vendors with NIST, the American National Institute of Standards privacy framework, but it couldn’t be more different.

NIS, the Network and Information Systems Directive, was added to UK law as The Network and Information Systems Regulations 2018 and sets out the requirements related to energy providers within the UK.

As Wunda Group owns WundaSmart, a smart heating control and monitoring system, we voluntarily abide by these guidelines to ensure that our customers are fully protected from cyber threats, giving them peace of mind when it comes to the security of our system.

The good news with NIS is that, much like PCI DSS, the requirements are designed to make sure you are working toward them, not to make sure you absolutely meet every one.

Every company should have an improvement plan for their cyber security. If you think you are done, you will one day be attacked, because you are standing still.

The essential part to remember is, if you aren’t moving forwards you’re standing still.

Everyone who has a knowledge of cyber security knows that the threats are always evolving; you must do the same.

Without naming vendors, we make sure that the company is running the latest definitions, be it on our firewalls or individual devices. Both are serious threat vectors through which the company can be attacked.

We also ensure that our staff are constantly being educated about threats. The important thing about education is not to judge your users. If they are unsure, give them an explainer! Improving their knowledge is key to keeping your business secure.

The hard part is BYOD (bring your own device). Many companies will allow employees to use their phones and/or computers to access work resources. To counteract this, conditional access policies are key. In a smaller company you will have many employees who want to access work resources from their personal devices. If they are not connected to your MDM (Mobile Device Management) platform, do not let this happen.

If you cannot control a device, it is insecure. Do not trust it.

We hear a lot about zero trust, and this is more true than ever. Just because an employee thinks they understand computers does not mean that they understand IT and security. These are two different fields, and the sooner people understand this the better.

BYOD iOS devices should be fully configured with your company standards, Android devices should use a work profile at a minimum, and personal Windows devices should be seriously limited if they are not MDM joined.
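
One way to express the BYOD rule above as a conditional access policy, using the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the original post: the policy name, the choice of Office 365 as the target app and the emergency-access group ID are assumptions or placeholders, and it takes the strictest reading of the rule (every platform must be an MDM-compliant device). It is created in report-only mode so the sign-in logs show who would be blocked before anything is enforced.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
# Placeholder: object ID of a group holding your emergency-access accounts,
# excluded so a policy mistake cannot lock every administrator out.
$breakGlassGroupId = '<object-id-of-emergency-access-group>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'BYOD - require MDM-compliant device (example)'   # hypothetical name
    # Report-only: sign-ins are evaluated and logged, not blocked.
    # Change to 'enabled' once the sign-in logs show no surprises.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # 'Office365' covers Exchange, SharePoint, Teams and related apps.
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
        # No platform condition is set, so the policy applies to every
        # platform, including ones that are not enrolled at all.
    }
    grantControls = @{
        operator        = 'OR'
        # Access is granted only if the MDM reports the device as compliant.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Review: list every policy that depends on device compliance and its state,
# so report-only or disabled policies are not mistaken for enforced ones.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
    Select-Object DisplayName, State
```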

Unfortunately, my knowledge of Linux desktops and macOS is not enough to give a recommendation on these, but if your users are using them, make sure your knowledge is good on how they could threaten your business.

The key: do not trust an employee. Linus is known for his “Trust Me Bro” warranties. This cannot, and should never, apply to your company’s security. Do not trust anyone. You must have control of the security; if you don’t, ban it!

Back to the original subject, without the full discovery capabilities of E5 Purview, you may struggle to know what to do.

Initially, configure the default settings appropriate to your region. In the UK Microsoft provide a good selection of policies to help with Data Loss Prevention. Alongside this, build yourself a list of appropriate search terms that you can go back to for e-discovery. Spending the time now will be a godsend in the future.

You will have to manage the systems that are not joined into Purview, and, if you have the budget, look to replace any systems that are not directly integrated into Purview or any other compliance platform you are using.

Make sure that you periodically conduct inspections on your call recordings. Managers will not always out their staff’s mistakes, and being able to spot these and take action will prevent the fines that may come in the future.

Also make sure that the slightest infraction is dealt with. It is better to have staff not like what you are doing than have to explain to your board why they are facing a massive fine. Remember, if you are responsible for compliance, the buck stops with you and you will have to answer for employee screwups!

The above may read as a very negative take, and as a reason to stay away from compliance. But keep this in mind: if you care about your employer, then make sure you don’t leave yourself in an untenable situation! The employees of your company are your biggest threat, and making sure that they will report anything suspicious to you is a key part of your job. People skills are as vital in IT/compliance as they are in sales or support, so make sure you use them.

