About NEBDN
The National Examining Board for Dental Nurses (NEBDN) is a leading provider of qualifications for dental nurses across the United Kingdom. As a registered charity, NEBDN’s mission is to support the development of a skilled dental workforce. Their offerings include both pre-registration and post-registration qualifications, catering to those aspiring to build or advance a career in dentistry. Based in Preston, NEBDN had traditionally operated with on-site servers, but the onset of the COVID-19 pandemic necessitated a shift to remote working, prompting a complete cloud migration.
The Challenge
NEBDN faced a significant challenge in moving away from their traditional on-premises server environment. The limitations of being office-bound restricted their recruitment capabilities and the diversity of their team. The transition to a cloud-based, serverless environment was the first step in overcoming these constraints.
However, this transition coincided with the pandemic, during which the organisation, like many others, rapidly adapted by sharing information and seeking new ways to communicate with staff. This increased digital activity raised concerns about potential cyber-attacks and data breaches, especially as NEBDN’s activities and regulation require security to be paramount. A Cyber Security Assessment Tool (CSAT) was employed, revealing vulnerabilities such as staff inviting external users to the team, insecure shared links, and files being moved from SharePoint into Teams chats.
The CSAT also assessed the current device estate, including PCs and laptops, followed by an examination of the cloud environment. The assessment highlighted several weaknesses that needed to be addressed to ensure the security of NEBDN’s operations and data.
The Solution
Based on the CSAT findings, a comprehensive strategy was developed to enhance NEBDN’s security and operational efficiency. This strategy included the following key elements:
- Security Enhancements: Following the CSAT report, we implemented policies and procedures to establish better resilience against security threats and the related compliance risks, thereby increasing NEBDN’s maturity level on the CIS benchmark. Multi-Factor Authentication (MFA) was introduced, licences were adjusted, and antivirus software was replaced with Microsoft Defender. Additionally, a Bring Your Own Device (BYOD) policy is due to be implemented to secure devices used by staff.
- Risk Management: A proactive risk management approach was recommended, involving the establishment of policies and procedures to protect, detect, and respond to security threats. This strategy included executive leadership participation as key stakeholders, ensuring that the security strategy evolved in line with changes in the threat landscape. The adoption of a mandatory security training programme for all employees was also recommended to address the most common threats, such as phishing and social engineering.
- Training and Workshops: We conducted a series of workshops and training sessions to build staff awareness and knowledge of cybersecurity best practices. These sessions were delivered both remotely and in person, covering topics such as phishing awareness, secure data handling, and the importance of maintaining high security standards.
- Data Unification: To ensure a comprehensive overview of all relevant activities, we recommended creating a unified dashboard that centralises and measures all security-related data. This “single pane of glass” approach would enable NEBDN to respond more effectively to potential cybersecurity events, improving their overall security posture.
- Policy and Licence Adjustments: We restricted the creation of new Teams groups, auto-archived chat histories, encrypted emails, and limited file-sharing capabilities within Teams to prevent unauthorised access. Integration work was also carried out with NEBDN’s app provider to reduce the number of users created solely for app logins.
The Deployment
The deployment phase focused on implementing the insights gained from the CSAT and subsequent workshops. We deployed policies that allowed us to resolve identified issues, including removing unnecessary external access and restricting file-sharing permissions. The deployment also ensured that Copilot, Microsoft’s AI-powered tool, operated in a secure environment where it did not have access to unsafe files.
The Outcomes / Future Work
As a result of these efforts, NEBDN has significantly improved its security posture, reducing the risk of data breaches and enhancing productivity. The organisation is now better equipped to manage cybersecurity threats proactively, with a clear risk management strategy in place and a more knowledgeable workforce.
The transition to a cloud-based environment has also paved the way for future innovations, such as the seamless adoption of Copilot, Microsoft’s AI-powered tool. Additionally, the integration of third-party applications has enabled NEBDN to access real-time data, improving decision-making processes and saving time.
Looking ahead, NEBDN is well-positioned to pursue further advancements in cybersecurity, including the potential attainment of Cyber Essentials Plus certification. Continued focus on integrating security with business growth will ensure that NEBDN remains at the forefront of dental education while maintaining a secure and efficient operational environment.