There can quite often be a blurred line between information governance and information security but that needn’t be an issue if you get the right guidance, advice and training for those concerned. This means the professionals in both areas can jointly decide organisational policy using their expertise and then embed it in the Microsoft 365 platform. 

Did you know that there are a whole lot of tools in M365 to help you do this?  

I am not going to ‘bang on’ about the digital data explosion, that is a bit old hat now, we have been living in this ‘explosion’ for years, but have we got any better at controlling and protecting our digital data?  

Why do we need to protect information? 

Protecting information is essential to ensure trust across internal boundaries as well as external boundaries, it is also important for meeting compliance requirements whether statutory, regulatory or policy. 

How do we protect information? 

We need to make sure that we do not impact the people in our organisation with any changes we put in place to protect our data. We need to exploit our existing technologies wherever possible to provide intuitive, ‘resource light’ solutions that can be rolled out with minimal impact on our employees, teams and partners – we will always be working in times of constrained resources, and we need to just accept that. 

What tools do we need to protect information? 

Many of us are paying a great deal of money for Microsoft 365 licences. Do you feel your organisation is exploiting the technology provided by the platform? Do you feel you are using all the capabilities? Are you maximising the resource reduction powers that can be provided by the applications and administration centre tools such as Microsoft Purview, Microsoft Defender? Are you letting the technology do your hard work?  

Or are you using M365 like a file share and email tool?  

Gasp! 

If you are you are throwing good money after bad.   

In this continuing time of limited resources, you owe it to your financiers whether they be members of the public through tax, or through your shareholders in a private company to better use the tools you are paying for. 

Here’s a little quiz to identify if you need some help

1. Did you know that M365 can help with data privacy, privacy engineering and data leakage?
2. Did you know that the platform has embedded sensitive information types that can be used to help your organisation identify protect and control your sensitive data automatically? You don’t even need to create them!
3. Did you know you can invite guests to your tenancy to aid partner collaboration but without the overheads of managing their accounts?
4. and further that the access can be conditional and finely controlled at tenant level, application level or at specific guest user level?
5. Or more scarily that users in your organisation can invite guests and may be doing this without your knowledge if the permissions aren’t locked down?
6. Did you know you can configure your tenancy to tenancy or Business to Business (B2B) external sharing to make it safer to collaborate?

If you answered ‘no’ to the majority of these questions, you might want to consider reading up a bit more about it or up-skilling yourself with a training course in order to understand the capabilities of Microsoft 365.

Breaches and reputational damage 

Can you imagine the scenario if there was a data breach with customer, client, or partner information because you hadn’t got the correct protection in place? One of the greatest harms of a breach is reputational damage. This can not only harm partner relationships but can also harm the bottom line. Can you afford not to enhance your information protection? 

Here’s the Microsoft 365 tools you should be using to achieve ultimate data privacy and protection.

• The Sensitivity Label 
• Microsoft Defender for Cloud Apps 
• Data Loss Prevention (DLP) capabilities

The Sensitivity Label 

One of the most powerful tools to protect and control data is the Sensitivity Label in the Microsoft 365 platform.  

You may be aware that you can use them to embed a classification policy such as the Government Classification Scheme of ‘Official’, ‘Official Sensitive’ and ‘Secret’. But did you know that you can also associate capabilities such as marking and encryption? Or set access controls based on the label applied?  

Getting back to resource savings… many of the capabilities we are discussing here can be automatically applied, based on the content. No additional resource impacts after implementation. 

Microsoft Defender for Cloud Apps 

Getting more into the technical capabilities Microsoft Defender for Cloud Apps (previously Microsoft Cloud App security or MCAS) can help you to uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats automatically based on policies you define and set in advance.  

This allows the users to continue with their work while in the background the technology is monitoring the cloud traffic.   

You can use policies to define your users’ behaviour in the cloud and detect risky behaviour, violations, or suspicious data points and activities in your cloud environment.  

If needed, you can use policies to integrate remediation processes to achieve complete risk mitigation.

The system Automatically assesses Cloud applications for risks of use against following dimensions: General Use, Security, Compliance and Legal, and presents you with a risk score.  

You can even set up specific alerts so that you are notified when certain behaviour is detected by the user, an application, or a system. For example, it can look for impossible travel activities where a user is shown one minute to be working in Slough in the UK and the next in Singapore.  

Data Loss Prevention (DLP) capabilities 

Finally there are a range of Data Loss Prevention (DLP) capabilities; key areas for preventing data loss which include: 

• Classification by sensitivity and retention settings 
• Protection through visibility and sharing settings.  

All of which are underpinned by detection settings. 

Some examples of the policies that can be employed are shown here:

All of which can be set up to provide reports to your fingertips, saying what you need to know when you need to know it. 

Further Resources 

If you’d like to learn more about information privacy and protection in Microsoft 365, we at Leadership Through Data can help. 

Leadership Through Data specialise in short courses for information managers and privacy professionals. All courses are led by an instructor (an industry professional) and are held in small groups, so you can ask as many questions as you like to get the most out of your learning and development.  

Our Microsoft 365 Information Privacy & Protection training course (UK Course, ANZ Course, USA Course) would be the perfect fit if you found this article useful and are looking to learn more about the topics that were featured. 

Book online if it’s just for you, or if you have more than 6 people who would need training, get in touch as we can put something together that’s more cost effective. 

View all our training courses for:

• United Kingdom & Ireland
• Australia & New Zealand
• United States & Canada