ELEXON plays a vital role at the heart of the wholesale electricity market. The company compares how much electricity generators and suppliers said they would produce or consume with how much electricity they actually generated and supplied. After calculating these volumes, ELEXON works out a price for the imbalances and charges organisations accordingly. This involves taking 1.2 million meter readings every day and handling over £1.5 billion of their customers’ funds each year. Keeping their customers’ data secure is of paramount importance.
A recent study by Cambridge University’s Centre for Risk Studies identified the energy sector as a significant target for hackers. With 15% of all cyberattacks in the UK being directed at this sector, it is second only to the financial services industry as the most at-risk sector. Verizon’s Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords, and analysis of 1600 cyber security incidents and 800 breaches found that phishing was involved in 90% of successful attacks.
To address this risk within ELEXON, Anthony French, IT & Information Security Manager, and Stuart Toner, Senior Information Security Analyst, spearheaded an Identity & Access Management (IAM) initiative. Stuart successfully delivered the Identity as a Service (IDaaS) rollout using My1Login’s Single Sign-On for web and Windows desktop applications, replacing the incumbent solution, Imprivata, which did not integrate with all ELEXON apps.
Requirements
Solve Cyber Security & Password Risks
The security team at ELEXON recognised that the organisation faced cyber security risks due to the password practices in use. Stuart Toner, Senior Information Security Analyst, explained that “staff were using weak passwords and re-using the same passwords for critical business applications. Our existing password policy was inadequate and difficult to enforce.” Stuart added: “I was cognisant that user identities, which protected access to critical applications, were potentially creating a cyber security risk.”
Solve Incompatibility of Incumbent IAM Solution
ELEXON’s incumbent IAM solution had solved the challenges the organisation faced when it was first implemented, but it did not integrate with the various new applications deployed as ELEXON grew. As a result, users adopted their own methods and systems to manage passwords for applications, leading to a potential vulnerability. It also created password fatigue: employees found it difficult to ensure passwords were strong and challenging to manage the sheer volume of passwords necessary to access their day-to-day applications.
Single Sign-On was Required for Windows Desktop Applications
ELEXON has a number of critical Windows desktop applications which were not compatible with the incumbent IAM solution. This created a security risk of compromised user identities and led to password fatigue for the end users, who had to manually manage access. As these applications were incompatible with the existing IAM solution, there was a lack of centralised audit and governance around the identities used to access these apps.
Solution
ELEXON chose My1Login’s IAM as the solution to password-related cyber risks and the password fatigue that was impacting users’ productivity and morale. Stuart explained: “My1Login worked with us at the outset to fully understand our requirements as an organisation. We wanted to deliver true Single Sign-On, enabling us to manage access to all application types in our business. My1Login achieved this, working with 100% of our apps.” Stuart added: “A key feature of My1Login was its ability to provide user access to applications, but hide the password. Passwords could then be automatically updated and not disclosed to the user.” Stuart continued: “This provided the user with the seamless experience they craved, but crucially, provided the business with the security that passwords were strong, unique and mitigated against the risk of phishing.”
Terry John-Baptiste, ELEXON’s IT Technical Specialist, worked with the My1Login team to deploy the IAM solution. Terry explained: “My1Login was easy to install and our first user was up and running in less than an hour. The support provided by the My1Login implementation team was excellent, they understood our environment.” Terry continued: “Having My1Login and their technical expertise on-site during implementation was invaluable.”
Stuart Toner explained: “Feedback from users was positive. Our users found My1Login easy to get to grips with and, in fact, we didn’t need to provide any training – it was that intuitive. The My1Login IAM solution integrated within our environment without any impact on existing operations.”
Results
Anthony French, IT & Information Security Manager, said: “My1Login enabled us to resolve a number of password-related security risks, resulting in improved security across the organisation. The identities that protect our cloud and Windows desktop applications are now unique and strong, protecting these critical apps from unauthorised access. We recognise that the energy sector is a key target and implementing My1Login has enabled us to mitigate this significant risk.”
Stuart Toner added: “With My1Login’s IAM solution rolled out within ELEXON, we have put the business back in control of who has access to applications and data, whilst increasing authentication security for all applications. We also now have the ability to quickly provision and deprovision access. It has improved our governance, audit controls and security around web and desktop application access, mitigating numerous cyber security risks.” Stuart continued: “Employees no longer suffer from the password fatigue caused by having to manage passwords and we have seen productivity benefits as a result. We are also now more secure, so I am happy.”
Why My1Login?
Stuart Toner said: “We chose My1Login for two key reasons. Firstly, the client-side encryption architecture of My1Login gave us confidence in the security of the solution, ensuring only ELEXON would have access to the encryption keys and our data. Our data and our customers’ data is of paramount importance and My1Login’s more secure approach of using client-side encryption was a major consideration in selecting their IAM solution.”
“Secondly, we needed a new solution that would work for all of our applications including Windows desktop applications. My1Login’s solution addressed this, as it provided Single Sign-On for 100% of our applications, including Windows desktop apps.”
Stuart added: “My1Login has enabled ELEXON to deliver true Single Sign-On for its users, eliminating password fatigue and putting the organisation back in control of user identities. I’m very satisfied with the solution we now have in place. From an admin and user perspective, My1Login is a very easy product to use, enabling us to rapidly achieve the desired business outcomes.”
Industry
Utilities
Size
200 Users
Challenge
- Solve cyber-security risk created by weak employee password practices
- Solve incompatibility of incumbent IAM Solution
- Single Sign-On required for Windows desktop applications
- Resolve password fatigue
Results
- Elimination of password-related cyber security risks
- Business now in control of application access and identities
- Employees more productive
Customer Team
- Anthony French, IT & Infosec Manager, ELEXON
- Stuart Toner, Senior Information Security Analyst, ELEXON
- Terry John-Baptiste, IT Technical Specialist, ELEXON