Industry: Charity
Location: Norfolk, Suffolk, Cambridgeshire and Bedfordshire
ABOUT
East Anglian Air Ambulance (EAAA) exists to save lives by delivering highly skilled doctors and critical care paramedics by air or car to seriously ill or injured people in the region. Operating out of two bases, EAAA covers the region 24 hours a day, 7 days a week by air and road. Their highly skilled crews, consisting of two pilots, a doctor, and a critical care paramedic, are tasked an average of eight times a day.
EAAA are a life-saving charity that is only kept airborne thanks to their incredible supporters.
CLIENT STORY
We worked with East Anglian Air Ambulance to roll out multi-factor authentication and additional security measures such as Cyber Essentials. Read all about it below.
Installing 2Factor Authentication alongside our upgrade to Office 365 has been an extremely critical part of EAAA’s commitment to data security. The project itself was challenging (for both EAAA and BWIT) and took longer to complete than initially expected. This was partly due to being the first client of Breakwater’s to adopt 2 factor, which meant that their team were learning about the intricacies at the same time as us. However, I would have no doubt in recommending the team for their support, enthusiasm, patience and commitment to data security.
Challenge
EAAA offers a vital service to its patients, both through on-scene emergency care but also quick transfer to the appropriate hospital, delivery of first aid training and dedicated aftercare.
All this crucial support relies on donations from the general public to keep it running.
A huge amount of data is required to be stored within the charity, including sensitive information such as the personal details of both patients and supporters. EAAA are committed to ensuring the ongoing security of all of their stakeholders’ data, not only to protect their supporters but also to protect their future.
Strengthening security
The charity utilises email and online security software including Mimecast and Webroot. These solutions deliver increased protection against cyberattacks, with continuity during, and automated recovery following, a breach. However, the focus of EAAA is to show increased cyber resilience and the ability to adapt and respond to all threats. A primary challenge is to improve email security, including phishing and spear-phishing – 94% of organisations have now experienced phishing attacks*.
Email attacks are on the rise, specifically impersonation or business email compromise (BEC). Attackers are looking to gain access to funds, sensitive data or login details. The consequences of a breach are far-reaching and can be irreversible, including heavy fines, prosecution and reputational damage. For EAAA, a breach would mean a loss of confidence from its valued supporters, perhaps even bringing to an end the crucial funding the charity relies on to carry out its life-saving work.
EAAA’s employees, as with any organisation, present one of the charity’s biggest cyber risks. Human error is now a contributing factor in more than 90% of breaches.* The challenge is to mitigate this threat, securing data and helping users detect and side-step email attacks.
*Statistics from Mimecast, The State of Email Security Report 2019.
Solution
Breakwater IT worked with EAAA to identify and implement security improvements to prevent breaches as a result of attacks on emails.
Solutions included:
• Two Factor Authentication (2FA)
• Attainment of Cyber Essentials Plus
• Employee engagement and training
• Improving existing hardware to provide further encryption and security
With a large employee base, including charity and clinician teams and volunteers, all based across 4 counties, and a mobile workforce that comprises 50% of personnel, it was necessary to fully involve and inform all users as to why and how these new solutions were being introduced.
Two Factor Authentication
The project started with a testing stage, with 5 users measuring the impact 2FA had on their day to day work as well as understanding the benefits of Office 365 and training needs for all their users.
Once the testing was complete, 2FA was rolled out against each user’s Office 365 account. EAAA and Breakwater decided that it would be more beneficial to carry out the 2FA authentication at the same time as the new Office 365 installs. This gave the EAAA facilities team time to spend with each team member going through the process (following staff meetings). Some of the installation could be carried out remotely by Breakwater, meaning minimal disruption to users’ workloads.
Authenticator App
Breakwater also attended a clinician training day, enabling 2FA to be activated for a larger number of users in one sitting. When users log into their Office 365 account they are now required to approve their sign-in request using the Microsoft Authenticator app.
Authenticator provides an extra layer of security in addition to a PIN. It is a quick and easy way of signing into a personal Microsoft account, preventing unwanted identities from breaching data.
This method of approval also shows details of compromised accounts: EAAA are able to get in contact with Breakwater if there is ever a sign-in request when they are not knowingly trying to sign in to an Office 365 app.
Cyber Essentials Plus
Breakwater supported EAAA through their Cyber Essentials Plus certification, providing reassurance across the charity that cyber security is taken seriously and the right controls and protection are in place. Cyber Essentials gives protection against a wide variety of the most common cyberattacks and shows a commitment to:
• Securing internet connection
• Securing devices & software
• Controlling access to data and services
• Protecting from viruses and other malware
• Keeping devices and software up to date.
Engagement & Training
Ongoing employee training is one of the most effective ways to combat users clicking on phishing emails and inadvertently causing a data breach.
EAAA recognise the importance of user engagement and, prior to the launch of 2FA, they presented on the benefits it would deliver, the nature of cyber threats and how to avoid an attack.
Result
EAAA are now in a position to be able to continue to develop the support their charity offers and receives, safe in the knowledge that they have implemented significant security improvements, making it almost impossible for a breach to occur via a phishing email.