How Struto Secures our Client, Employee and Business Data Centrally
TL;DR: Our partners at ITHQ recently helped us deploy JumpCloud to secure our client, employee and business data centrally. Not only has JumpCloud improved our security, but it has also improved our employee experience, optimised our password management processes, saving us time and making our business more efficient.
Scott: Hi everyone, welcome to our case study call. This case study call is with Craig Wiltshire, the CEO and founder of Struto, here in West Sussex in the UK. Hi Craig.
Craig: Hi Scotty! How are you doing?
Scott: All good. For full disclosure, Craig and I have worked together for many, many years.
Craig: True that.
00:28 Scott: Practically family now. Craig came to us earlier this year, around lock-down time with a couple of concerns around security, customer experience, password management internally, saving time, making his business more efficient. Yeah, I think that sums it up in a nutshell, don't you think Craig?
00:51 Craig: Yeah, I think so.
05:52 Scott: I think one of the first things you raised was around securing your client data, so maybe you could touch on that for me, give us some background on that.
01:03 Craig: Yeah, Scotty, as you said, the first piece that was the driver for this was around the customer experience. And for me, there are two kinds of customer experience. There's the one your actual customers see from you and then there's the ones that you deliver back to your staff internally. So there's two aspects to that. And if you're thinking about customer experience from the client perspective, one of the things we have to do from a legal perspective is obviously secure their data in line with GDPR, these types of things. And as a small business, much of the guidance around this is a bit vague. And as such, it was never clear to me the actual levels of security we should have in place. It's one of the things you guys have helped us with, was understand what we could do, what the art of the possible was, and utilise that technology to better secure our customer data for our own customers and then obviously our own data for ourselves.
02:08 Scott: In doing so, we obviously uncovered quite a few things, particularly around, I'll talk about JumpCloud first and password management and MFA. You guys were using the Office365 built-in MFA and password policies, which works well enough but provides frustration at the same time. Maybe you could expand on that... without swearing?
02:34 Craig: I'll try! We like to keep our password management fairly strict internally. So we have the need for regular password updates. Unfortunately, the password update process in Office365 is definitely going to take 5 to 10 minutes out of my day every time that password needs to be updated. Then it will have some kind of knock-on effects where I will go fire up my apps and have to go put in the new password into every single different application within the MS 365 suite that I need to actually engage with to do my job. So from a 5 to 10 minutes password change becomes a half an hour exercise in password updating across all the different pieces of Office365. Very frustrating, but not only that, we then use 40 other applications in order to deliver the services that we do, which all have regular password updates required as well. So password updates became part of the job.
03:39 Scott: Sure, and it's very time-consuming and as you grow, so your business has been growing and you're at like 20 staff now. If everyone is spending half an hour a month doing that, as an example, that's 600 minutes, that's 10 hours, so call that a work day. A day every month, that's 12 days of lost productivity a year and you guys could build that out instead of changing passwords.
04:04 Craig: Exactly, that's £1000s in opportunities lost.
04:08 Scott: Yeah, and we've felt that too. And obviously MS has done the right thing by trying to encourage people to change passwords regularly and getting that cadence in place, but when you multiply that out, multiple people, multiple devices, multiple updates, like you say it's not just changing the password, it's on every device that prompts you to put in the new password.
04:27 Craig: Sorry, I forgot about my mobile, my iPad, my watch.
04:32 Scott: And then, remote working, there were some challenges in the business around access to different things. Some people didn't seem to be using their Microsoft credentials on their specific endpoints. So there were some issues highlighted with user app access and permissions, consistency of MFA across the business. Maybe you can expand on that a bit.
04:57 Craig: I guess one of the challenges you have when running a business that is based in the UK and in another country, is that you can't always see what's happening in all places and you have to rely on user feedback when it comes to user adoption of technology. Unfortunately, user feedback doesn't necessarily reflect what users are actually doing. So, where they say they are logging onto their Office365 suite - they are logging on, using their personal Microsoft license or their personal Microsoft account and not the company credentials, for instance. You know, these kinds of things. You can't be in every single place at once. Today we're working more and more remotely. That remote work model that we're so very used to, as a company, is becoming quite ubiquitous, it's the norm. You can't be everywhere, you're going to have to control some of the stuff. We needed a solution that could kind of have our backs for us, so that we could kind of just forget about the problem and knew that it was being taken care of.
06:02 Scott: And that central management and knowing what people have access to, being able to enable them, disable them centrally, provision apps through a shared, self-service portal, that sort of thing. It really does make quite a big difference, doesn't it?
06:18 Craig: Well, I mean, as I said, we not only use the Office365 Suite and all that that entails, but then there's 40 other applications, as well. And there's access to software and client software that needs to be managed on top of that. So, you know, if you have change in the business, you have someone come in or leave, the overhead in enabling all of those different licenses and passwords and individual access for each one of those different pieces of software is onerous. Grant, the Ops Director, has got better things to do, than spend hours setting up accounts for people and making sure they've got the right access that they need and so on.
07:00 Scott: Absolutely, and it's a big bug of mine, as you know, I've pushed a few of our common software platforms that we use to provide SAML style authentication or OAuth authentication as part of their basic packages as opposed to, say, Enterprise, where they put them at the moment. Because my view is that security is for everyone. It's not just for the enterprise. And being able to do things like centrally push out apps for your staff, is a new requirement, if you like. It's part of the new normal, as everyone is calling it, in terms of pandemic living, lockdowns etc. Being able to provision apps through a web portal for your users is extremely powerful and gives remote users a common experience. And as you said, that internal customer experience. If your users are having a good time using their systems, that's going to knock on in their productivity, in their morale, in the way that they deal with clients, etc. So it actually has a lot more value than people necessarily first perceive.
08:16 Craig: So there are a couple of things there that I think you have touched on that are coming back to that user experience piece. As we said, there is client-based user experience, but there is also our team, or staff members and the people that work with us that have a user experience. And the user experience through Office365 was definitely of lower value, prior to JumpCloud being deployed, than now. It goes without saying that they would go "Argh, this bloody Microsoft again!" every time they would have to do a password update two minutes before a specific call they need to be on. And you just don't have time for that. So I reiterate your point. I was on a call just before this call with "you know who" - talking about you HubSpot! - around that security issue again. Where really the frustration for me now is that we have a bunch of our tech on JumpCloud, and it has been centralised, but there is certain technology that we haven't been able to pull in. And that's frustrating for me now. That security piece is a basic right as far as I'm concerned. Everyone should have access to it. It shouldn't be about license fees in order to push people to a more expensive license, to be secure. I think you will find that security is a requirement in something like GDPR, which we have to secure what we're doing. And, you know, not all of us can afford the more exorbitant end of the licensing fees that give you access to the kind of level of security. That should just be a right.