How Tanglin rescued a 50-staff New Zealand claims assessment firm from a dangerously misconfigured Microsoft 365 – where every employee logged in as the same user – and rebuilt it into a properly secured, governed and resilient environment.
The client is a New Zealand-based assessment firm with around 50 staff across New Zealand and an operation in Fiji. Their work depends on a steady flow of client communications and claim documentation – the kind of business where email and shared files are the operational heartbeat.
When they engaged Tanglin, they were using Microsoft 365 – but using it in a way that was quietly putting the whole business at risk. This case study has been anonymised at the client's request.
On paper, the firm had Microsoft 365. In practice, it was being used in a way that broke nearly every principle of secure, accountable IT.
Every single staff member logged into Microsoft 365 as the same user. One identity, shared by the whole company. All client communications flowed into that one account's inbox, so there was no way to tell who had read what, who was responsible for a given claim, or who had sent a reply. Accountability simply didn't exist.
Because everyone shared one identity, there was no meaningful security. Multi-factor authentication is useless when fifty people share a single password – and a single compromised login would have exposed every client communication the business held. To share documents, staff were passing files out of that one common user's OneDrive. SharePoint – the tool actually designed for shared company documents – wasn't being used at all. The client didn't know it existed.
It was, in short, a business running its entire client-facing operation through one unprotected front door – with the key left in the lock.
Tanglin reconstructed how the business operated inside Microsoft 365 – giving every person a secure identity, fixing the shared inbox properly, and locking down every device that touches company data.
Tanglin moved every staff member onto their own individual Microsoft 365 login. For the first time, every action – every email, every document – was tied to a named person, restoring accountability across the business.
With individual identities in place, MFA could finally be enforced. Each person's access is now protected by a second factor, so a stolen password alone can no longer open the door to the company's data.
The old common email account was converted into a true shared mailbox. Client emails still land in one place, but now the business controls – through delegated access – exactly who can see and respond to them, person by person.
Document sharing moved off one user's OneDrive and onto SharePoint, the tool built for the job. Company files now live in a structured, permissioned, properly governed home instead of a personal folder.
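The identity and mailbox changes above (individual logins, MFA enforced, the old common login turned into a shared mailbox with delegated access) translate into a small number of Microsoft 365 administration steps. The script below is an added illustration, not Tanglin's own tooling or the client's configuration: the domain contoso.example, the claims@ mailbox and the three staff addresses are constructed placeholders, and it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and run by a Global or Exchange administrator.

```powershell
# Added example (not Tanglin's scripts): convert a formerly shared sign-in into a
# true shared mailbox with per-person delegated access, then require MFA tenant-wide.
# Constructed placeholders: contoso.example, claims@, alice/bob/carol.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$SharedMailbox = "claims@contoso.example"      # the old common login (constructed)
$Staff = @(                                    # each person's own identity (constructed)
    "alice@contoso.example",
    "bob@contoso.example",
    "carol@contoso.example"
)

# 1. Convert the old user mailbox into a shared mailbox. Client mail keeps
#    arriving in the one place staff are used to.
Set-Mailbox -Identity $SharedMailbox -Type Shared

# 2. A shared mailbox should never be a sign-in target: block the underlying
#    account so the old shared password can no longer open anything.
Update-MgUser -UserId $SharedMailbox -AccountEnabled:$false

# 3. Delegate access person by person. FullAccess lets the delegate read and
#    manage the mailbox; SendAs lets them reply from the shared address. Both are
#    audited against the delegate's own identity, which is what restores
#    accountability for who read or answered a given claim.
foreach ($Person in $Staff) {
    Add-MailboxPermission -Identity $SharedMailbox -User $Person `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $true
    Add-RecipientPermission -Identity $SharedMailbox -Trustee $Person `
        -AccessRights SendAs -Confirm:$false
}

# 4. Require MFA for every user on every cloud app, with no exclusions.
#    Created in report-only mode first so the sign-in logs show who would be
#    blocked (for example contractors without an authenticator yet) before
#    the state is switched to "enabled".
$Policy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy

# 5. Verify: list the explicit delegates on the shared mailbox and confirm the
#    mailbox account itself can no longer sign in.
Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { $_.User -notlike "NT AUTHORITY\*" -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-MgUser -UserId $SharedMailbox -Property AccountEnabled |
    Select-Object AccountEnabled
```

The order matters: blocking sign-in on the converted mailbox is what actually retires the shared password, and the Conditional Access policy is left in report-only mode until the sign-in logs confirm every named person can satisfy the MFA prompt; only then is its state changed to "enabled".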
Tanglin secured the network edge with a FortiGate firewall, inspecting traffic in and out of the office and forming the perimeter layer of a defence-in-depth approach.
SentinelOne endpoint protection was deployed to every device – including the personal laptops and desktops used by contractors. If a device touches the firm's data, it gets protected. No exceptions.
One detail captures Tanglin's whole approach to this engagement. The firm used contractors who worked on their own personal laptops and desktops – devices Tanglin didn't supply and the company didn't own. It would have been easy to leave those out of scope.
Tanglin didn't. Every device that interacts with the client's data – company-owned or not – had SentinelOne deployed to it. A single unprotected machine handling company information is all it takes for ransomware or malware to find its way in. Security that covers most of the devices isn't security; it's a false sense of one. So the rule was simple: if it touches the data, it gets protected.
Staff each given their own secure, MFA-protected identity
From one shared login to individual, accountable accounts
All devices protected by SentinelOne – including contractors' own
Email, OneDrive & SharePoint backed up and retained via N-able Cove
Continuous device health monitoring through the working day
New Zealand and Fiji operations brought under one managed standard
Fixing the identity model was only the beginning. Microsoft doesn't fully back up Microsoft 365 data by default, so Tanglin implemented N-able Cove Data Protection – backing up all email, OneDrive and SharePoint data with multiple backups a day, retained for seven years. The firm's information is now genuinely protected against loss, not just assumed to be.
Tanglin also standardised the firm's hardware, providing and configuring consistent laptops so every staff member has the same reliable experience, and keeping devices within a sensible warranty and lifecycle. Across both the New Zealand and Fiji operations, every PC and laptop is monitored continuously – with health checks each morning and every fifteen minutes during the day – so faults are caught early and downtime is kept to a minimum.
What began as a rescue became an ongoing partnership: a business that now runs on a secure, accountable, well-governed IT foundation, with Tanglin acting as its outsourced CIO.
Misconfigured Microsoft 365 is more common than most businesses realise – and you can't fix a risk you can't see. Let Tanglin review how your business is really set up, and what it would take to make it secure.