security alert on laptop Getty Images

How an Architecture Firm Built a Strong Security Foundation

Sheehan Nagle Hartray Architects has taken steps to fortify its security foundation, focusing on both upgrading its security technology and attacking the problem culturally.

As a large architectural firm, Sheehan Nagle Hartray Architects would fit right in with the rest of the industry if it focused solely on developing innovative, sustainable structures. While the 100+ person firm definitely delivers on that front, it also takes its position as a 21stt century business seriously, and that means keeping on top of any security issue that could threaten the company.

To ensure it had a strong security foundation, one of the first issues SNHA's small IT team began tackling a few years ago was its password policy and practices. Over time, the company had noticed poor password practices, weak and reused passwords, and unacceptable password-sharing, noted IT Technician Tom Kowalkowski. For SNHA, the solution was implementing Dashlane’s password manager application, which generates secure unique passwords and passphrases, provides a way to securely share passwords and provides administrators with a dashboard to monitor use.

Initially, the company rolled Dashlane out to its IT and administrative team, but soon expanded it to the entire company. Within seven months, the IT team noticed a real difference, with a 20% increase in its password health score, as measured by Dashlane.

Upping the Security Blueprint

With password management successfully underway, SNHA decided to expand its focus on fortifying its security foundation, both technologically and culturally. With the goal to improve security across the business, the first step was adding additional security features. The firm wanted to put as much security technology under the Microsoft umbrella as possible because it has standardized on Microsoft technology.

The first step was replacing its existing antivirus solution with Microsoft Defender and its existing mobile device manager with Microsoft Intune. To complete the trifecta of hardening endpoint security, the team added conditional access, which restricts the ways users can access Microsoft Teams, Outlook and OneDrive.

“We wanted to be able to manage our users’ devices better by pushing down policies for conditional access, for example,” Kowalkowski said. In addition, the tools worked well with SNHA’s recent switch from an on-premises Active Directory environment to a hybrid environment that takes greater advantage of Microsoft Azure. With this new infrastructure, for example, the IT team can use Intune to manage and secure users’ workstations.

Another security upgrade involved adding Office 365 Data Loss Prevention (DLP), which wraps rules and policies around files based on whether they are confidential, critical or sensitive, and then protects them from being transmitted or shared. “For example, if someone tries to email a Word document containing a credit card number, we would be able to warn the user drafting that email and block the attachment of that file if necessary,” Kowalkowski explained.

The IT team also decided to tackle the problem of how to more securely share SharePoint files. The existing method allowed internal users to create a link to a SharePoint file, which would grant access to an external client for review and editing without signing into a Microsoft account. A newer process will add more security and authentication and eliminate the option of users sharing links.

Hardening the Network

At the same time, SNHA is working to further harden its network. The issue came to the fore at the start of the COVID-19 pandemic, when the company realized that its VPN could support only 50 concurrent users. That prompted further review of the firewall and network in general, which led to adding multifactor authentication everywhere possible, including the VPN.

In addition to upgrading security technology, SNHA also attacked the problem culturally and educationally. To gauge how well employees were resisting attacks, the IT team began sending out test phishing emails. Now that the company has a feel for what’s normal, it has begun requiring users who fail the test a few times to attend training.

Up next is standardizing and formalizing its core security policies and procedures. “We want to write down everything that we consider a policy but isn’t in writing,” Kowalkowski said. “We want to make sure it’s all written in stone so we could easily find it when needed.”

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish