When Sisk, one of Ireland’s premier construction and property businesses, was in the process of updating its IT systems, security came to the fore. The goal was to not just tighten the perimeter, as would have been done in the past, but to take a whole new approach to IT security.
“We were looking to improve the speed of response,” said Stephen Parsons, Sisk’s head of information security. “We had an immediate need to secure our high-risk users and administrators.”
After a thorough consultation process, the company decided to go with Microsoft, a decision that makes sense given that Sisk is a heavy user of Microsoft products.
However, Sisk also recognised that Microsoft is now one of the largest IT security companies in the world. A key consideration was to get systems in place that recognise that hacking attacks have changed.
“Phishing has been a massive threat for everybody. We’re blocking millions of emails a month, it is our main threat vector, as it is for most organisations,” said Parsons.
Sisk’s mantra is to try to make user credentials useless to hackers. As a result, multi-factor authentication (MFA) will be made standard across the business and Short Message Service (SMS) as the second factor was ruled out.
“Being able to implement multi-factor authentication token-based second factors was really important. We rejected SMS as a second factor as it has proven to be hackable,” Parsons said.
The system now implemented uses a token generated by an app that can only be installed on a corporate device. This means the second factor offers a deeper level of security.
“The Microsoft system has mobile device management, a six-digit pin code, biometrics and comes with the ability to remotely wipe devices,” said Parsons.
The staff response has largely been positive, in part because Sisk made the effort to strike a balance. The company also trained staff by testing them with simulated attacks.
“Our job in info security is to balance security and usability,” Parsons said. “Some people complain about MFA, but we have products to simulate attacks which show older measures, like passwords, can fail so we can get buy-in that way. We also started with a pilot group before rolling this out through the wider company,” he said.
Naturally, there is a generation gap in the workforce, and this needs to be addressed as an issue of company culture and training.
“The younger people coming in through the door just know this stuff. They have it for their banking and cannot imagine life without it.
“People who’ve been here 40 years might find it more challenging, and getting that cultural change right can be difficult.”
In addition, Sisk is taking advantage of privileged access management and data loss prevention tools. Parsons said the implementation of these new technologies followed a recognition that the rapidly changing threat landscape requires an entirely new approach.
“Previously, we were largely doing perimeter-based security, but we had a particular need to roll-out encryption which we were already researching,” he said.
Consolidation was also a goal, with the sense that less complexity means better security. “We wanted to reduce the number of vendors, not add to them,” said Parsons.
Going with Microsoft also means that Sisk can take advantage of the latest technologies on the commercial market, not least artificial intelligence (AI) and machine learning (ML).
All kinds of user behaviours can be monitored by a machine and when something out of the ordinary happens, IT security staff are notified.
One such use is to drive notifications of people logging-in from non-corporate IP addresses.
“We’re on it straight away, beginning with user behaviour analytics. This represents a major benefit and has transformed our security approach,” said Parsons.
“It’s easier for our security team, as it pulls all the various strands together. We don’t have to dig in, run scripts and so on. While it is complex in the background, the result, both for users and security team, is that it has made things much easier as well as much more secure,” said Parsons. “In addition, that equals a lower cost for us, because it is quicker.”