Every day, BP manages the difficult business of finding, producing, marketing, and moving energy around the globe. Core to success is the modernization and digitization of the business, while being able to defend a vast digital perimeter against cyberattacks. That’s why BP is migrating its work environment to Microsoft 365 Enterprise E5 to take advantage of a platform approach.If you make security hard, people may work around it. With Microsoft 365, we get native capabilities, visibility into our operational environment, and simplicity for all employees. 

Simon Hodgkinson: Group Chief Information Security Officer

BP

High-priority defense

BP is a global energy leader with a vast international network that drives digital innovation across dozens of disciplines and hundreds of markets. This scale gives the oil and gas giant a large attack surface for threat actors and even insiders, well-meaning and otherwise.

“The digital landscape—and associated cyberthreats—will continue to grow rapidly,” says Simon Hodgkinson, Group Chief Information Security Officer at BP. “We need to keep BP cyber-resilient and continually improve our ability to protect, detect, respond, and recover in the event of a cyberattack. Everything we do has to be secure by design.” 

For BP, that means making security easy for all employees. “Ease of use is really important to us. We want to make sure our employees can do the right thing in their jobs every day and secure their data,” says Chris Eaton, Director, Security Strategy and Architecture at BP.

The Digital Infrastructure team at BP is leading initiatives to accelerate the company’s digital transformation, enhance compliance, and better protect against current and evolving cyberthreats.  

Tight integration, a clear roadmap, and a commitment to security

BP is transforming its network to maintain business agility and data security. This involves moving a significant portion of on-premises IT resources to the public cloud. 
 
Over time, BP accumulated many third-party security add-ins in its Windows 7 environment. This resulted in slow PCs, unnecessary complexity, and frustrated employees. After evaluating options, the company took a platform approach and chose to migrate its work environment to Microsoft 365 Enterprise E5, which includes Office 365, Windows 10, and Enterprise Mobility + Security.

Hodgkinson explains, “We chose Microsoft 365 because of its components’ tight integration, intuitive user experiences, and the strong Microsoft cloud roadmap and commitment to security. We also find it easy to attach best-of-breed security add-ins where we like. Perhaps most important, we use the native security capabilities in Microsoft 365 to reduce complexity and streamline processes.”

Better security posture with flexible, connected safeguards

BP has deployed Microsoft Azure Active Directory (Azure AD) and Microsoft Intune to help safeguard identities and access for its corporate users. “We consider cybersecurity one of BP’s high-priority group risks,” says Hodgkinson. “We have to make sure that we are managing information appropriately and applying the right controls around that to protect against loss or misuse.”
 
After implementing Microsoft Cloud App Security, the company used the solution’s native integration with Azure AD to identify risky authentications, such as impossible travel, that BP had limited visibility into before. “Using the combination of Cloud App Security and Azure AD helps us detect unusual patterns of behavior, expand more risk-based checks, and enforce user access, granting it only to devices and locations that we know are right,” says Eaton.

Now that BP has adopted Office 365, it can move data from employee devices to Microsoft OneDrive for Business Online, where employees store, share, and easily recover files on their own in a secure cloud environment. BP is now able to classify, protect, and discover, and where appropriate, automatically apply protection, so the company can control who has access to sensitive files, even when a file is shared externally. “We see Azure Information Protection as a really easy way for our employees to classify information at the point of creation. We just need to make sure security is intuitive and easy to use,” says Hodgkinson.

“For example, with the business-to-business collaboration features of Azure AD, we can now use Microsoft Teams to collaborate with third parties much more easily and give them access to the data that we want to share, knowing we’ve safeguarded our data,” adds Eaton.
 
BP uses the integrated threat protection products in Microsoft 365 and the Enterprise Mobility + Security E5 suite to gain valuable detection, protection, and response capabilities as part of the company’s multilayered defense.

“Given our strategy to digitally transform using native technologies underpinned by secure platforms, we recognized that we needed to take the best of all Microsoft products, which are combined in Microsoft 365 E5,” says Hodgkinson. These products work together to alert BP on potential threats and provide a comprehensive picture of an attack timeline across the company’s devices, applications, and users. “As an example, we use a combination of Azure AD with conditional access and Cloud App Security to block high-risk accesses,” Hodgkinson continues.

BP is also working closely with Microsoft to integrate Windows Defender Advanced Threat Protection into its security information and event management (SIEM) framework and generate deeper and earlier insights on cyberthreats to its estate—with no performance impact on employees.
 
“We use Microsoft 365 management tools to deploy and update capabilities with less need to touch individual endpoints. And we’ve been teaming up with Microsoft to help shape future enhancements, like consolidated configuration tools that make management even easier,” says Hodgkinson.

The power of an integrated framework 

BP employees use Office 365 solutions such as SharePoint Online, Exchange Online, Office 365 ProPlus, Microsoft Teams, and OneDrive for collaboration across time zones and borders without compromising security. They now have easy ways to analyze data and share their visualizations and insights with Power BI Pro for better business intelligence. Today, the IT team spends less time on PC deployment, management, security updates, and recovery.

“By implementing Microsoft 365, we’ve reduced our integration costs and complexity, and we’re using the time saved to do higher-order work,” says Hodgkinson. “If you make security hard, people may work around it. A single security platform provides a significant benefit. With Microsoft 365, we get native capabilities, visibility into our operational environment, and simplicity for all employees.” 
 
Hodgkinson admits that he and his team will never be done. Continued success for BP will rely in large part on their ability to address emerging and future threats in the digital landscape. “It’s an arms race,” he says. “We need to keep pace with increasingly sophisticated threats.” 
 
Find out more about BP on Twitter, Facebook, and LinkedIn.