Imagine you wake up one morning to multiple missed calls and panicked emails. You soon learn that a significant data breach has happened at your organisation. Files containing sensitive data have been sent out to the wrong recipients and now the media is asking questions. Perhaps most embarrassing of all, the data breach was not even malicious – one of your employees sent the files by mistake.
These kinds of data breaches and leaks are becoming an increasingly common risk to businesses – and can cost millions in legal fees, not to mention reputational damage. It is therefore important to have effective policies for classifying and securing sensitive data to minimise the chances of this happening.
If your organisation uses Microsoft 365, you already have access to numerous powerful security and data classification tools. But, just as important as the security features themselves, you also need to develop a data management strategy tailored to your business.
What data classification and security features are available in Microsoft 365?
Microsoft 365 provides multiple security features to keep your data protected. These include:
- Labels
Microsoft lets you apply labels to your data according to its level of sensitivity. You can apply labels manually, but Microsoft also allows you to automate the application of labels. You can, for instance, search for data such as credit card numbers and automatically apply a confidentially label to thousands of files containing this sort of data.
- Control data on the move
Using the cloud makes it very easy to access data from anywhere. To avoid theft, Microsoft has created several features which allow you to control who sees data and what happens to it. You can, for instance, set controls which prevent email recipients outside your organisation from forwarding messages on.
Free security eBook: What is your Microsoft 365 Secure Score?
- Automatic data management
You can also apply rules to data which ensure that it is managed in a specific way. For example, you can ensure that tax records are deleted after a specific time period.
These features are very powerful, yet the way they are configured is just as important.
You need a strategy for classifying and securing Microsoft 365 data
Security is about much more than simply applying labels to sensitive information. Instead you need a comprehensive strategy for classifying and securing that data. What would this look like?
- Consider how regulations affect you
Which data management regulations apply to your business? If you ever treat personal information regarding customers in Europe you will almost certainly need to ensure your data is GDPR compliant. There are several similar laws around the world.
- Consider your threat level with a risk assessment
Different kinds of organisations face different risks when it comes to data management. It is important to consider the kinds of threats facing you and how damaging a breach would be. This will help inform which kinds of files you treat as top secret, sensitive or low risk.
Conducting a risk assessment will identify where you are most likely to be hit by a data breach – be that from an unintentional sharing of information by email or an insider threat. This can help you define your controls.
- Create a data management hierarchy
Right within Microsoft 365 there are several off the shelf categories you can use for data classification and security. That said, you may want to define your own classification categories based on the specifics of your organisation and information you hold.
- Conduct a pilot
There are often unintended consequences when you begin classifying documents and applying sensitivity labels. Sometimes end users find classification too onerous and frustrating. Other times, labels are confusing or not strict enough.
Conducting a short pilot with one department at the business can help you assess the effectiveness of your data classification and security policy before rolling it out.
- Begin labelling high priority data first then move down
To start with you should begin applying your categories to the most high-risk data you hold. From then on in start applying labels to all content.
- Train employees to apply labels and be aware of controls
Data classification and security policy will not work without the participation of employees. They need to be trained to understand the labelling process and occasionally receive training to refresh them too. You also need to ensure that all new starters get training on information labelling during the onboarding process.
More Microsoft security: Understand Advanced Threat Protection Licences
Learn more at FITTS’ next Microsoft 365 security event
In November, James Haworth will be delving into Microsoft 365 security and data classification in more detail. If you would like to attend the new security webinar series and learn how your organisation can label and control cloud data most effectively, click on the relevant link to register.
Security Series 101 – Identity is the new Security
