Engineering a new culture of data protection and governance for a world-leading professional services provider

They wanted to make the move from traditional IT provisioning to a secure digital environment that met the increasing demands of the business.

To achieve this, they enlisted specialist support from Kocho, not just around potential security solutions, but also with the end-user adoption of new technology.

This case study focuses on the introduction of Azure Information Protection document classification to the client’s global workforce to protect and govern sensitive information.

Results

Responding to the concerns of a growing digital document landscape

As part of the client’s day-to-day activities, colleagues regularly create more than 50,000 Office documents and PDFs per week, many of which contain information that is confidential in nature.

As the organisation digitally transformed, with document access and collaboration becoming more commonplace, the organisation was faced with a challenge around how it protected this sensitive information. It also needed to improve how it governed these documents and gain visibility of how information was being shared and stored.

The client recognised that to protect the information shared inside Office documents and PDFs, it needed to provide the ability for colleagues to label and classify documents uniformly and consistently. As well as provide the means to identify, report, and track where sensitive information was being created, stored, or distributed.

The client’s journey towards a more robust document classification approach started with the publication of a Document Classification and Labelling Policy and Procedure.

This policy was an important first step in ensuring a certification-aligned classification schema.

However, without an easy-to-use tool in place, the process was at risk of becoming too cumbersome, which would, in turn, impact user adoption.

A more important task was to ensure that colleagues understood how to classify documents appropriately, and how to manage, store, and share documents of differing levels of sensitivity.

Like many forward-thinking organisations undergoing a digital transformation, the client’s users had already experienced some significant changes to working behaviour in recent years.

As a result, the client was mindful of the impact further change and ‘change fatigue’ might have across its diverse workforce.

The challenge handed to Kocho was to: “Help assess the chosen solution to meet our business document classification needs, please our end-users, and help us to land it successfully.”

Moving into a modern world of digital document classification with Azure Information Protection

Our client had previously worked with Kocho on several technology solutions, and they valued the depth of technical expertise we brought to their projects.

On hearing that Kocho had developed a Business Transformation consultancy capability, alongside our technical consulting services, the document classification project proved a great opportunity to work with a partner to ensure successful adoption of the technology.

The client engaged Kocho to bring together the technical solution design AND take a people-focused approach to the implementation and adoption of the solution.

Kocho designed the document classification solution using Azure Information Protection (AIP), aligned to industry best practices. This provided a simple way to make document classification and protection available to users and could be configured to meet the client’s policy requirements.

With the AIP technical solution design in place, the next phase of the project revolved around successful implementation and user adoption. Kocho designed a three-phase implementation approach covering:

Phase 1: Voluntary labelling

Introduction of AIP classification on a voluntary basis for users. This provided an opportunity to introduce classification, track and report on classification behaviour, and amend both technical configuration and user guidance if required.

Phase 2: Mandatory labelling

Enforcing mandatory classification for users ensured that all Office 365 documents created and edited were classified, thus providing a rich reporting data set.

Phase 3: Protection and control

Securely monitoring, tracking, and preventing inappropriate distribution and sharing of sensitive documentation.

Upon agreement of the three-phase implementation approach, Kocho created a comprehensive business engagement, communications, and readiness approach that would meet the business’ needs, was easy for staff to use, and provided the reporting required for ongoing management.

This approach put end-user adoption and change management right at the heart of the AIP technology project and it included:

Significant early business engagement

To capture the needs of real users and identify where issues and resistance might arise.

A comprehensive communications plan

This minimised the use of email and focused on growing awareness of WHY the client is introducing classification and how easy the solution is to use.

A short video animation

This introduced the why, what, and when of document classification. It was the most-watched internal video for our client – watched by over 20% of their global workforce.

AdoptionSpace

Creation of a one-stop user-focused portal for everything related to document classification. This was designed to meet the specific needs of the client’s colleagues, to answer questions and provide information in a way that was easy to navigate and consume.

The use of AdoptionSpace removed the need for mandatory online training and provided an always accessible resource. Linked directly from AIP, it provided an evergreen solution for onboarding and training new users as well as educating the client’s workforce around new AIP updates and developments.

Piloting

The project included three pilots, with over 500 users from diverse business units and global offices. These ensured that the technology solution worked as expected and captured valuable user feedback that was then used to hone the roll-out comms, queries, adoption approach, and AdoptionSpace content.

Kocho completed phases 1 and 2 of the document labelling project, which introduced the solution and trained users, driving successful adoption and changed behaviours.

Phase 3, the final stage, ensuring the governance over information protection, is the next step in the project with Kocho continuing to support.

A modern system of digital document classification

The roll-out and adoption of document classification was one of the most successful IT projects undertaken by the client to date.

Despite changes to the AIP service mid-project, the project was completed in line with client expectations, agreed times and budget. It met all the required business objectives and by the end of the project, all the client’s staff were simply and easily classifying 50,000+ documents per week.

The project also had the lowest number of associated help desk requests of any of the client’s recent global IT projects, with only 12 tickets raised (8 of which were asking for early access to AIP!).

“This is testament to the simplicity of the solution and the quality and relevance of the guidance and support provided through AdoptionSpace.” – Client CISO

 Most importantly, the client’s Information Security team are more informed as to where sensitive documents are being created, stored, and distributed.

They feel better equipped to support the business in the final phase of the document classification project – ensuring the organisation has the information, knowledge, and tools in place to govern and control the use and sharing of sensitive information.

Following the success of this project, our client has adopted a similar people-focused approach for other cyber security projects and are continuing to engage Kocho to provide technical adoption and change support.

The first of these new projects is a conditional access and multi-factor authentication project, with Kocho providing security and adoption consultancy support to the client’s project team.

Shaping a secure future together

In collaboration with Kocho, our client achieved a successful cybersecurity transition, moving from traditional IT to a fortified digital landscape that aligns with growing business needs.

Implementing Azure Information Protection for document classification led to seamless weekly classification of 50,000+ documents and minimal help desk requests.

Enhanced visibility, stronger security, and a people-centric approach have fortified the organization’s digital ecosystem, setting a precedent for safeguarding sensitive data and paving the way for future achievements.