Imagine you wake up one morning to multiple missed calls and panicked emails. You soon learn that a significant data breach has happened at your organisation. Files containing sensitive data have been sent out to the wrong recipients and now the media is asking questions. Perhaps most embarrassing of all, the data breach was not even malicious – one of your employees sent the files by mistake.

These kinds of data breaches and leaks are becoming an increasingly common risk to businesses – and can cost millions in legal fees, not to mention reputational damage. It is therefore important to have effective policies for classifying and securing sensitive data to minimise the chances of this happening.

If your organisation uses Microsoft 365, you already have access to numerous powerful security and data classification tools. But, just as important as the security features themselves, you also need to develop a data management strategy tailored to your business.

What data classification and security features are available in Microsoft 365?

Microsoft 365 provides multiple security features to keep your data protected. These include:

  • Labels

Microsoft lets you apply labels to your data according to its level of sensitivity. You can apply labels manually, but Microsoft also allows you to automate the application of labels. You can, for instance, search for data such as credit card numbers and automatically apply a confidential label to thousands of files containing this sort of data.


  • Control data on the move

Using the cloud makes it very easy to access data from anywhere. To avoid theft, Microsoft has created several features which allow you to control who sees data and what happens to it. You can, for instance, set controls which prevent email recipients outside your organisation from forwarding messages on.



  • Automatic data management

You can also apply rules to data which ensure that it is managed in a specific way. For example, you can ensure that tax records are deleted after a specific time period.

These features are very powerful, yet the way they are configured is just as important.
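The automatic labelling described under Labels above, sketched as an added example (not Microsoft's implementation and not code from the original article): candidate card numbers are matched by pattern and confirmed with the Luhn checksum before a label is chosen, so that order or tracking numbers of the same length do not trigger a label. The label names, the min_count threshold and the sample files are assumptions constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return checksum-valid card numbers, masked to the last four digits."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def classify(text: str, min_count: int = 1) -> str:
    """Pick a label (hypothetical label names) from the number of valid hits."""
    hits = find_card_numbers(text)
    return "Confidential" if len(hits) >= min_count else "General"

# Constructed sample files; the valid card numbers are published test numbers.
SAMPLE_FILES = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111 on 3 March.",
    "orders.csv": "order_id,tracking\n1001,4111111111111112\n",
    "notes.txt": "Call the supplier about next week's delivery.",
    "refunds.txt": "Refund to 5555-5555-5555-4444 and 4012888888881881.",
}

def label_files(files: dict[str, str]) -> dict[str, str]:
    """Map each file name to the label its content would receive."""
    return {name: classify(body) for name, body in files.items()}

if __name__ == "__main__":
    for name, label in label_files(SAMPLE_FILES).items():
        print(f"{name}: {label}")
```

Raising min_count makes the rule stricter: a file with a single card number stays unlabelled until the threshold is met, which is one way to tune false positives during a pilot.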

You need a strategy for classifying and securing Microsoft 365 data

Security is about much more than simply applying labels to sensitive information. Instead, you need a comprehensive strategy for classifying and securing that data. What would this look like?

  • Consider how regulations affect you

Which data management regulations apply to your business? If you ever handle personal information about customers in Europe, you will almost certainly need to ensure your data is GDPR compliant. There are several similar laws around the world.

  • Consider your threat level with a risk assessment

Different kinds of organisations face different risks when it comes to data management. It is important to consider the kinds of threats facing you and how damaging a breach would be. This will help inform which kinds of files you treat as top secret, sensitive or low risk.

Conducting a risk assessment will identify where you are most likely to be hit by a data breach – be that from an unintentional sharing of information by email or an insider threat. This can help you define your controls.


  • Create a data management hierarchy

Within Microsoft 365 there are several off-the-shelf categories you can use for data classification and security. That said, you may want to define your own classification categories based on the specifics of your organisation and the information you hold.


  • Conduct a pilot

There are often unintended consequences when you begin classifying documents and applying sensitivity labels. Sometimes end users find classification too onerous and frustrating. Other times, labels are confusing or not strict enough.

Conducting a short pilot with one department at the business can help you assess the effectiveness of your data classification and security policy before rolling it out.


  • Begin labelling high priority data first then move down

To start with, apply your categories to the highest-risk data you hold. From then on, start applying labels to all content.


  • Train employees to apply labels and be aware of controls

A data classification and security policy will not work without the participation of employees. They need to be trained to understand the labelling process, and to receive occasional refresher training too. You also need to ensure that all new starters get training on information labelling during the onboarding process.



Learn more at FITTS’ next Microsoft 365 security event

In November, James Haworth will be delving into Microsoft 365 security and data classification in more detail. If you would like to attend the new security webinar series and learn how your organisation can label and control cloud data most effectively, click on the relevant link to register.

Security Series 101 – Identity is the new Security

Security Series 102 – User security in Microsoft 365

Security Series 103 – Company security in Microsoft 365