About the company
PODA a.s. is an Internet Service Provider in most major cities in the Czech Republic, and with mobile coverage all over the country.
As an ISP, the company handles a lot of data and has to adhere to standards such as GDPR. Data security is of utmost importance to the company, which is why PODA decided to carry out a security audit of its Google Workspace ecosystem.
Challenge
Before the pandemic, PODA employees worked in the office, but in the time of pandemic lockdown, the company went through transformation. Now, about half of the company’s employees work in the office, while the other half work from home.
Our employees got used to working from home and now we have a flexible working model: whenever an employee needs to stay at home and work remotely, they can do so if it’s feasible in their job position.
Also, as an ISP, the company works with a lot of sensitive information, both its own and its customers. As a European company, the GDPR directive is of vital importance.
We are highly concerned with data security. We need to make sure none of the sensitive data, like e.g. contracts, we handle falls into the hands of unauthorized people.
Solution
To aid with internal communication, the company now extensively uses all Google Workspace tools: Docs, Sheets, Chat etc.
We’ve been using Google Workspace for about 14 months. We used to host email services on our own mail servers and we wanted groupware services. We chose Google with all services because most of our employees already used Google as the team working platform.
To address security issues, PODA focuses on making their employees aware of cyberthreats, like the social engineering ones, which can pose a threat to any business.
The company realized that there is room for improvement in security. For instance, in handling rights and permissions and allowing employees access to specific data. If some employees don’t need specific types of data in their daily work, they don’t have access to this data.
PODA solicited FOTC’s help to perform a Google Workspace security audit.
We have training courses when we onboard new employees to tell them how to work with data and how to follow data security rules. We continuously educate our employees about potential threats, through training courses and workshops. FOTC already has access to our Google Workspace instance so the audit was easy to set up. So when FOTC offered to verify our configuration, we took the offer.
Results
Upon completing the security audit, FOTC delivered a detailed report itemizing all potential system vulnerabilities. These risk points arise from the configuration with instructions and recommendations on how to address them.
The instructions in the report were clear, some of the advanced options contained a link to relevant Google documentation. This allowed for a deeper understanding of why a certain configuration change is recommended.
I was quite surprised how many different vulnerabilities were pointed out in the report. From FOTC, I received a very detailed list of 120 items that need addressing and I’m still in the process of implementing them. I wasn’t aware that many of these settings even exist. I need to understand what the base of the problem is and then I decide if I want to change the settings.
Proper security configuration
The company realized that leaving most settings in the default configuration is not enough to ensure the highest security standard.
Workspace administration is much more complex and detailed than I thought. In order to go through them all, I would have to spend weeks in the admin console. The audit was very useful because it pointed out which areas are the most critical for the company and which need to be addressed first.
Throughout the cooperation, FOTC tech support specialists have always been available to respond to any issue the client reported and asked about.
I have no complaints about our cooperation with FOTC. They have always been helpful and quick in responding. They always try to resolve my problems, and if they couldn’t do it themselves, they contacted Google on our behalf and fixed the problem.