Raising the Bar: Achieving Cyber Essentials Plus with Microsoft 365 for a Software Development House

A software development company, with a team exceeding 20 employees, embarked on a mission to secure their Cyber Essentials Plus certification. They recognized their Microsoft 365 production environment and mobile device management practices did not meet the certification's rigorous standards, prompting the need for specialized consultancy.

The company was poised for growth but faced significant cybersecurity challenges that could hinder their progress. Their existing setup lacked the robust security measures required to protect against evolving cyber threats, putting critical data and compliance at risk.

Our consultancy began with a comprehensive evaluation of the current Microsoft 365 configuration, identifying key areas for improvement. To harden Azure Active Directory (AAD) and enhance mobile device management, we implemented strategic changes including:

Conditional Access Policies: To ensure only authorized devices and users could access sensitive data.

Multi-Factor Authentication (MFA): To add an extra layer of security for user sign-ins and transactions.

Disk Encryption: To protect data on devices, ensuring that if a device were lost or stolen, its data would remain inaccessible.

Security Baselines, App Protection, Windows LAPS: To establish a secure foundation for devices and applications, mitigating potential vulnerabilities.

Device Compliance and Configuration: To maintain and enforce security standards across all devices.

The implementation of Microsoft Intune marked a pivotal shift from a hybrid to a fully managed cloud environment, bringing all devices into compliance with Cyber Essentials Plus standards. This transformation not only secured the certification but also significantly elevated the company's security framework, setting a new benchmark for cybersecurity in software development.

The company plans to continue leveraging Microsoft 365's comprehensive security features, with a commitment to regular security assessments and updates. This proactive approach ensures they remain ahead of cybersecurity threats, safeguarding their future growth and innovation.