Data Loss Prevention in Microsoft 365

Data loss prevention is paramount for every organization. That means keeping sensitive data from malicious actors and also preventing the accidental dissemination of this data. What you or your company considers sensitive data may vary based on your industry, but some examples of sensitive data include:

  • Personally identifiable information (PII)
  • Financial information like checking account or credit card numbers
  • Personal electronic health records

Failing to keep this type of data secure has the potential to be catastrophic to your business. It can lead to loss of consumer trust, loss of business, fines, penalties, or other legal actions. Simply put, there’s no shortage of ways that being careless with your data can impact you negatively. That means your organization will need to have a system in place that can keep your data and your customers’ data secure. You’ll need a plan to safeguard your data as well as a platform that gives you the tools to execute that plan.

Microsoft Office 365’s Security and Compliance Center has a comprehensive data loss prevention (DLP) policy in place that gives you more control over how you keep your data safe. It enables you to see where your data is located, keep track of it, and protect sensitive data across the enclave. Then, you’ll be able to rest easier knowing your precious data is in good hands with an easy-to-use, comprehensive security system.

So how does it work? Let’s take a closer look at how Office 365’s DLP system will keep your company’s data secure.

What Are Microsoft Office 365’s Data Loss Prevention Features?

Office 365’s suite of features to facilitate data loss prevention is impressive. Below are the various features they have in place:

  • Office 365 has the ability to locate and alert you to where your sensitive data is included across the platform. That means it can tell you when it’s included as part of applications like SharePoint, OneDrive, Exchange, or Teams.
  • It also can stop users from inadvertently sharing sensitive data.
  • You can monitor sensitive data in other desktop applications in the Office Suite including PowerPoint, Word, and Excel.
  • There are measures to aid your team members in educating themselves on maintaining compliance. This is set up so as not to interfere with their workflow.
  • Finally, Office 365 has the capability to generate reports that align with your company’s custom-made DLP protocols. This is invaluable as you attempt to keep tabs on your company’s larger DLP efforts.

With Office 365, you have resources in place to make data loss prevention much easier on your entire organization. That’s half the battle — if you have a set of intuitive tools, it empowers your team to maintain awareness of your data with guidance on how to keep it safe. It also assists your organization in enforcing your DLP policy. Of course, it’s on you to define that policy before you can enact it.

Developing a DLP Policy

Your DLP policy is how your company manages its data and prevents it from being lost or exposed. It’s the processes and procedures your team has in place to prevent data loss. Here’s what goes into your DLP policy:

  • You’ll need to know where your data is located. To protect your data, you’ll need to understand which applications it’s housed on. These will be a variety of locations across Microsoft Office 365. Some possible locations for data include SharePoint Online, Exchange Online, OneDrive for Business, and communication channels like Teams’ chat.
  • You’ll also need to identify the rules needed to help you monitor your data. When and how do you need to protect your data? First, you’ll need to define the specific conditions that the data must meet before the DLP policy is triggered. This involves rule configuration within Office 365. One example is to set up a rule that filters for data containing Social Security numbers. You’ll also set up the automated actions you want to occur when a rule is matched. An example here would be restricting access to a specific document, accompanied by emails notifying the appropriate users when access is attempted.

You’ll design your DLP policy to best fit your organization and its needs. What Office 365 can do is give you the tools and rules you need to come up with the policy that serves you best.

What Information Does DLP Protect?

There are two key questions to consider when determining what kind of information DLP keeps safe: 1) What are the different data types your company has within its various applications? 2) How are those different data types defined?

The answer to the first question is straightforward. Sensitive data usually consists of information that can identify individuals or be used to compromise them in some way. Some examples include:

  • Tax ID numbers
  • Driver’s license numbers
  • Passport numbers
  • Social security numbers

It goes without saying why this information falling into the wrong hands could prove problematic. But how is this information defined across your various applications? There are a few different ways:

  • Specific keywords that alert the system what to look for
  • Internal functions
  • Regular expression evaluation
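
The three definition methods above, combined in one detector, as an added example that is not from the original article and is not Microsoft's implementation. The patterns, keyword lists, 60-character window and confidence labels are assumptions chosen for illustration.

```python
import re

# Regular expression evaluation: candidate patterns only, not proof of a match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Keywords: supporting evidence searched for near each candidate (assumed lists).
KEYWORDS = {"ssn": ("ssn", "social security"),
            "card": ("visa", "mastercard", "credit card", "card number")}
WINDOW = 60  # characters of context checked on each side (assumed value)

def luhn_ok(digits):
    """Internal function: Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Internal function: drop number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def keyword_near(text, start, end, kind):
    context = text[max(0, start - WINDOW):end + WINDOW].lower()
    return any(word in context for word in KEYWORDS[kind])

def scan(text):
    """Return (kind, masked value, confidence) for every validated match."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            near = keyword_near(text, m.start(), m.end(), "ssn")
            hits.append(("ssn", "***-**-" + m.group(3), "high" if near else "low"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            near = keyword_near(text, m.start(), m.end(), "card")
            hits.append(("card", "*" * 12 + digits[-4:], "high" if near else "low"))
    return hits

# Constructed sample; the numbers are well-known test values, not real accounts.
SAMPLE = ("Employee SSN: 078-05-1120. Order ref 4111 1111 1111 1112 shipped. "
          "Charge the Visa card number 4111-1111-1111-1111 on file. "
          "The courier confirmed delivery to the front desk on Monday morning. "
          "Ticket 219-09-9999 closed.")
print(*scan(SAMPLE), sep="\n")
```

In the sample, the order reference matches the card pattern but fails the checksum, so it is dropped. The ticket number is reported at low confidence because no supporting keyword appears nearby.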

How Does DLP Protect?

Once you’ve identified the data within your organization you want to protect, you’ll then need to define the actions you want to take when your data matches the conditions you’ve previously set. Your conditions will vary depending on who is looking for access. For example, you may want to restrict access to some data. You have the ability to restrict it to different groups. You can restrict content access for all users attempting to access it. You can restrict access strictly for external users who aren’t a part of your company. Or you could limit access to anyone who possesses the link given to them by someone within the organization.

Again, this will depend on the structure of your organization as well as how the different components of it need to access or manage sensitive data. But you’ll have the capability to set these conditions as needed.

Why You’ll Need to Send Notifications

What happens when you need to restrict a user’s access? You’ll likely want a safeguard in place to explain to them why they’re unable to access the restricted area. This will cut down on follow-up questions from the user attempting to gain access. To assist with this, you can send notifications to users.

Notifications are valuable for explaining to users why they aren’t able to access the area holding the sensitive data. In some cases, if they have a valid reason to access the data, you can send a notification that provides them the opportunity to give a business reason for access. They can then provide the reason, have it vetted by a trusted member of your organization, and receive temporary access.

When to Send Incident Reports

You also have the capability of generating incident reports. When a rule is matched within your organization, the incident report can go to the appropriate people within your organization (an IT administrator or compliance officer) with information about what happened. The incident report will provide a comprehensive readout of what rule was matched, the content matching the rule, and the individual who accessed the content in question.

What Licenses Will You Need for Information Protection?

Microsoft offers a variety of licensing types for information protection. It varies depending on the sensitivity labels needed. For manual sensitivity labeling, Microsoft offers the following:

  • Microsoft 365 E5, A5, G5, E3, A3, G3, F1, F3, Business Premium
  • Enterprise Mobility + Security F3, E3, E5
  • Office 365 E5, A5, E3, A3, F3

For automatic sensitivity labeling, Microsoft offers these solutions:

  • Microsoft 365 E5, A5, G5
  • Microsoft 365 E5, A5, G5 Compliance
  • Compliance Office 365 E5
  • Office 365 Advanced Compliance
  • Enterprise Mobility + Security E5 and AIP Plan 2
  • Microsoft 365 Information Protection and Governance

Microsoft also offers the following for sensitivity labels in Power BI, as well as for securing information when it is transferred from Power BI to PowerPoint, Excel, or PDF:

  • AIP Plan 1
  • AIP Plan 2
  • Microsoft 365 E5, A5, G5, E3, A3, G3, F1, F3, Business Premium
  • Enterprise Mobility + Security F3, E3, E5

For more on licensing, Microsoft has made available an in-depth licensing comparison online.

The Bottom Line: Office 365 Gives You the Tools Needed for Comprehensive Data Loss Prevention

Your company’s data is its lifeblood. Not only does it help your company operate, but protecting it is critical to the health of your business. When you’re managing that data, it’s vital to have the right IT solution in place to keep it as secure as possible while also offering resources to help your team do that conveniently and efficiently. Office 365’s data loss prevention suite of tools is second to none and will assist you on your path to maintaining top-of-the-line DLP practices.

In order to get the most out of the features listed above, the best strategy is to partner with a trusted provider of IT services who understands common issues related to data loss and how to protect it most effectively. Agile IT is that partner. We have experience as experts in data loss prevention and working with companies using Office 365 as an IT business solution. For more on how we can help you protect your data, contact us today!
