Microsoft 365 security best practices case study: Adept4 PLC

Download case study

Enhanced security offerings with a recurring revenue business model

For over a decade, Adept4 PLC has provided IT as a service to a wide range of customers, primarily in the UK. It’s a thriving company that has experienced consistent year-over-year growth and has a base of over 600 clients. 70 percent of their revenue comes from recurring agreements that vary in length from three to ten years and cover various products and service. In addition to managed services such as mail, backup, hosting, and virtual machines, Adept4’s security practice has been in place from the early days. They offer perimeter security, endpoint protection, web monitoring, and other offerings, and are very much aligned with the Microsoft stack.

Today they have a 24/7 security operations center, and run remediation, patch management, and other client management services. Paul Talbot, Chief Technology Officer of Adept4, explains that the security features of Microsoft 365 Enterprise work with their offerings to meet the needs of many different clients: “We offer security across all our services. With Microsoft 365 Enterprise, we can take our security offering to small and medium customers. It’s part of our strategic roadmap.”

Security remains reactive for many customers, but this is slowly changing

While security is a necessity, many customers don’t know how to get started. According to Talbot, “Everyone we talk to has security on their radar. Probably 10 percent of the audience is actually doing something about it actively. The rest would like to do something, but they feel pretty anxious and, in some ways, apprehensive about how they would actually approach it.”

There are a few standard drivers for a security conversation. The Adept4 team typically sees most demand from organizations that have experienced an attack, or those who need to meet compliance regulations. “Many of our customers are either going through a General Data Protection Regulation (GDPR) process, need to be Payment Card Industry (PCI) compliant, are in highly regulated industries, or their disaster recovery or business continuity plans dictate that they demonstrate a level of security and a level of compliance,” said Talbot.

Most engagements are typically with the Finance Director, CEO, or the CIO, although they increasingly find themselves working with a new role: Chief Information Security Officer.

Microsoft 365 Enterprise offers a unified security platform for a phased sales approach

Unlike point products that often create an expensive overhead, involve staff accreditation on multiple technologies, and necessitate change in the offering mid-course in case a solution no longer works, integrated solution offerings with Microsoft 365 Enterprise make it easier to take a phased approach, relying on interoperability between the available products.

Adept4 has found that it’s easiest to drive a complete solution by taking a stepping stone approach, rolling out needed capabilities over time. For example, they might work with a typical customer by:

• starting with Microsoft Entra ID Premium to manage identities
• adding multi-factor authentication for enhanced login security
• selling data classification
• adding additional protection functionality from Microsoft 365 Enterprise

As Talbot puts it: "You can put in a logical security policy and write it down as a document, but even with training and awareness campaigns, there is no guarantee every employee will follow it. We feel that Microsoft 365 Enterprise gives us the opportunity to say, 'Look, you can worry less about your end users memorizing every security policy because we're going to take parts of your security policy and translate that into physical and logical processes that are automatically enforced.'

"So, if they want to distribute a document that shouldn't go to a mobile device or they send it to the wrong audience it will actually stop them sending it through the data classification functionality. If they don't like physical passwords, we can give them visual identity with Windows Hello or PIN numbers or multi-factor authentication, making passwords less important."

Three customer journeys to a secure cloud solution

Since Microsoft 365 Enterprise combines Office 365, Windows 10, and Enterprise Mobility + Security, there are many avenues a partner can take to assist a customer, particularly when it comes to security. Key influencers in the customer journey include factors such as industry, security maturity level, and where they are with their cloud transformation.

In one customer example, Adept4 was asked by an online fashion retailer to provide Microsoft 365 Enterprise to an initial base of 55 users. Their goal was to move from an old, on-premises mainframe system to the cloud. They moved straight to Microsoft 365 Enterprise E5 because it supplied the most capabilities for them to grow into over time. While the initial implementation focused on Exchange and Skype for Business, they soon added Azure Information Protection and multi-factor authentication for enhanced security.

Another example highlights the role compliance plays in Microsoft 365 Enterprise deals. In this case, the customer, Baywater Healthcare, is a National Health Service (NHS) supplier of home health care devices supporting 12,000 clinicians that work in general practice surgeries and send in repeat orders for medical devices. The service levels Baywater Healthcare has to meet are quite stringent, and compliance is a top priority.

Until recently very cloud resistant, Baywater Healthcare enlisted Adept4 to move them to the cloud with Microsoft 365 Enterprise. This was facilitated by the ability to host data in England (data is required to remain in England due to NHS compliance). Baywater Healthcare is now committed to the cloud, and the internal rollout of Microsoft 365 Enterprise security features is key. Top priorities are securing mobile devices, email authentication, encryption, and data classification.

In a third example, Adept4 has an ongoing engagement assisting Boundless by CSMA (formerly the Civil Service Motoring Association) move to the cloud. Boundless offers insurance and other services to 250,000 civil servants, many of whom are in senior roles.

Security is of paramount importance: It's imperative that Boundless is PCI compliant and that their data is protected because sensitive personnel data is involved. Additionally, while Boundless doesn't have many mobile workers, the entire executive team carries Surface devices, with access to sensitive emailing lists and data that need to be protected.

As a Dynamics CRM customer, Adept4 has worked with them to overlay Microsoft 365 Enterprise on top of their existing environment. Recently, they've piloted the first 30 users with Microsoft 365 Enterprise, focusing on those features that help with data classification and protecting people on the move. Boundless now sees security as a differentiator for their own business in the marketplace.

Sales techniques that drive higher revenue per user

Like many other partners, Adept4 has found that in-person events can be powerful marketing tools. They host small events with no more than 20 select invitees, share a case study reference, then talk about the direction technology is headed. Microsoft team representation helps to establish their credibility with attendees. These types of events work well, driving 80 percent conversion.

When it comes to security, once a threat occurs or the need is business-critical, it's easier to sell a fully featured SKU such as Microsoft 365 Enterprise E5. Partners have to be in a trusted relationship to help with this transition. Because security has an established position as the foundation across all their services, customers have increased confidence in Adept4's overall offering.

That being said, Adept4's customer base is deep enough that their primary focus is on winning more business from existing customers through cross-sell and bundling of security and other services. For example, an average customer may take seven to ten products. By cross-selling additional services, Adept4 hopes to quadruple the size of the business they have today. In fact, with one customer, they're already averaging GBP300 per user per month.

At the end of the day, it comes down to protection. Talbot asks, “So what are we trying to do here? We're trying to protect access through identity. We are going to allow only approved users the ability to log on to devices and access intellectual property. We're then going to protect it by classifying it and setting policies that say it can't go where it shouldn't. We're also going to help protect you from those people that are trying to phish and break in or get to your data. It's all about getting the customers to come on the journey with you and being that trusted advisor.”

It's an approach that seems to be working just fine.