Is there a way to prevent people within your business from sharing sensitive data with others?
Well, if you’re a Microsoft 365 user, you’re in luck!
In this blog, I will be discussing Data Loss Prevention (DLP) and how you can implement it in your business.
Within your business, do you have any data that could be considered ‘sensitive’, ‘valuable’ or even ‘regulated’? This could be financial data, medical records or intellectual property.
So, what technology processes do you have to prevent people with access to sensitive data from sharing it?
It may seem like a difficult thing to control, with so many emails flying in and out of the business, as well as Teams chats, phone calls and document sharing on OneDrive and SharePoint.
If you don’t think your business has any sensitive data or documents you need to regulate, think again. You might not be a medical business or finance firm, but your employees’ records, such as addresses and bank details, and data about each staff member’s salary all need to be protected. Measures must be taken to ensure that these documents and data cannot be leaked internally or externally.
As a business owner, it is your responsibility to protect all the data that comes in and out of your business. People can share information either purely by accident or maliciously.
With the emergence of cloud computing and remote working/working from home, this task has become much more complicated than when it was all server-based and in the office.
However, if your business uses Microsoft 365, your life just got much easier.
Within Data Loss Prevention, you can create policies that make sure your important data is secured and not overshared.
DLP analyses content by looking for certain patterns and keywords. An excellent example of this is credit card information.
If you have ever sent or received credit or debit card information via email (and believe me, it’s more people than you’d think), then you don’t need me to tell you that that was a terrible idea, especially if you didn’t encrypt the email. Please, never again.
DLP can pick up on the pattern of the four blocks of numbers on the card, the expiry date and the three-digit code, and will block the message in which it found the card details.
DLP can also spot passport numbers, social security numbers and other details, and block them from being shared.
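To make the pattern-and-keyword idea concrete, here is a simplified sketch of this style of content analysis, added as an illustration; it is not Microsoft's implementation or code from this blog. The Luhn checksum step, the keyword list, the 100-character window and all function names are assumptions chosen for the example.

```python
import re

# Candidate: 13-19 digits, optionally grouped with single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Supporting evidence near the number (illustrative keyword list, an assumption).
KEYWORD_RE = re.compile(r"\b(?:card|visa|mastercard|amex|expir\w*|cvv|cvc|security code)\b", re.I)
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")
WINDOW = 100  # characters either side of a match searched for evidence (assumption)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[dict]:
    """Return one finding per Luhn-valid card-like number, with a confidence."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue  # order references and similar digit runs mostly fail here
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        evidence = bool(KEYWORD_RE.search(nearby) or EXPIRY_RE.search(nearby))
        findings.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],  # never log the full number
            "confidence": "high" if evidence else "low",
        })
    return findings


def should_block(text: str) -> bool:
    """Policy decision: block only when a match has supporting evidence."""
    return any(f["confidence"] == "high" for f in scan(text))


# Constructed sample messages; 4111 1111 1111 1111 is a widely used test number.
SAMPLES = [
    "Hi, my card is 4111 1111 1111 1111, expiry 09/27, CVV 123.",
    "Your order reference is 4111 1111 1111 1112, thanks.",
    "Tracking id 4111111111111111 attached.",
]
```

Only the first sample is blocked: the second fails the checksum, and the third passes it but has no card-related keyword or expiry date nearby, which is how a low-confidence match avoids becoming a false positive.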
Setting Up Data Loss Prevention
Microsoft doesn’t offer DLP with every Microsoft 365 licence. It is only available with Microsoft 365 Business Premium, which we always recommend to our customers. It is also available within the Enterprise plans.
Although it might be painstaking and tedious, the best thing to do is look at the data within your business and take note of everything that needs to be protected, is private or comes under regulation. Microsoft makes this a little bit easier by having lots of pre-built templates in place depending on which country you are in.
You must be logged in as Admin to access the compliance centre.
Scrolling down the admin menu, take a look at the options and find ‘compliance’. Selecting this will take you to the Microsoft Purview Compliance Portal.
From there, you will be able to find the ‘data loss prevention portal’, where you can click on ‘Policies’ in the horizontal menu, as shown in the diagram below.
Once you have clicked on ‘Policies’ you’ll be able to see the option to create a policy.
As you can see in the diagram below, you are able to select policies based on which country you’re located in. This is because legislation varies between countries, and names and terms differ all over the world.
You can now see that there are lots of policies that have been pre-built within categories. This will help if you’ve never created a policy before; however, you can also start from scratch.
Taking a look at the Data Protection Act template, we can see what the policy will protect as well as read through a brief description of its role.
Select the template you wish to continue with, then select ‘Next’.
We are now asked to name/rename the policy and optionally add a description of our own to help identify the policy and its purpose.
The next step, as shown below, is to choose the location of the policy. This means deciding where the policy should apply and to whom it should apply.
Following on from the previous step, you are asked to review the settings of the policy. You’re given the option to use the default settings or customise advanced Data Loss Prevention rules.
There are lots of settings and rules that you can edit, including the rule’s conditions and contents, and you can add a description.
You can add more sensitive information types to the rule. There are 212 types to read through and apply if you see fit.
Another edit that you can make is user notifications. This can be used to inform and educate your users on how to properly share sensitive data as well as which data is appropriate to share.
This is done by alerting the chosen users when someone attempts to share the data.
After you complete your policy settings, you’ll be asked whether you would like to test the policy, turn it on, or keep it off once the policy is complete.
We have selected to turn on the policy.
Now, before finishing the policy, reviewing it is essential: make sure your policy is fit for its intended purpose and check that the other details are correct.
Once the policy is completed, you will be able to see your policy as shown below.
We can test the policy that we have created by using an internal business email account to send an email containing a fake National Insurance number, as shown below, to an external email account.
This policy test has evidently worked, as you can see by the below notification email that has been received by the email addresses involved in the transaction.
Data loss and data leakage could be the end of your business.
Please make sure your data and your employees’ data is secure and safe from leaks and hackers; doing so can save your business, and save you and your employees plenty of money.