Data loss prevention in Office 365 protects your sensitive information from rogues and nerf herders
If the Empire had been a bit more careful with their intellectual property information, they may have been able to take control of the galaxy much faster. Instead, absence of effective data loss prevention resulted in the destruction of the Death Star. Twice.
But seriously, more than ever before, business organizations must be vigilant in guarding sensitive and confidential information. And as more companies are moving cloud-based productivity applications and data storage, the risk of falling victim to a catastrophic data breach increases.
What is data loss prevention and what kind of sensitive and confidential information are we talking about? Basically, businesses have access to two kinds of important information: personally identifiable information (or PII) and sensitive company information (which we’ll shorten to SCI). PII includes important info like a person’s social security number, date of birth, corporate passwords, etc. On the other hand, SCI could include intellectual property, financial reports, and drafts of press releases.
For a variety of reasons, it is important for business organizations to protect such data from criminals, competitors, or others that don’t have a right of access. While data loss prevention incorporates a broad spectrum of company information handling—from building security to hardware protection to firewalls to cloud security and everything in between—we’re going to take a closer look at how to secure your company’s Office 365 environment to prevent data loss.
Data Loss Prevention for Office 365
Microsoft Office 365 is among the most popular suites for business applications. If your company is using Office 365 for emailing, file sharing and/or storing information, it is important to understand how to effectively implement a data loss prevention, and how it’s different from securing on-premise Microsoft software.
In the traditional software product, IT system admins can monitor and review breaches of company policy without too much hassle. However, when an organization moves to a cloud-based (and therefore off-premise) solution like 365, IT loses sight of how sensitive files are being accessed, stored, and shared. This means that they’ve also lost some of their ability to defend against malware, phishing, and other cyber attacks in the cloud.
Doesn’t Office 365 Come With Data Loss Prevention Capabilities?
The short answer is: Yes and no. As with just about everything related to Microsoft, it gets a little complicated.
The level of data loss prevention capabilities depends on your subscription level. IT leaders in small to mid-sized companies, as well as those in education and government, will usually purchase the lower subscriptions due to budget. Many then realize that the visibility they had with Office on-premise is either gone, or will cost three times more per user per month to get.
Organizations that are able (and willing) to pay for Level 3 and above Office 365 licensing can access Microsoft’s native data loss prevention capabilities. This will include features such as:
- Identify sensitive information in Exchange, SharePoint, and OneDrive
- Remediate accidental sharing of sensitive information
- User compliance notifications, tips, and education
- Data loss prevention policy matching & false positive reports
- Customizable data loss prevention rules & policies
- Data loss prevention rules & policies templates
- Incident reporting
- Grouping & logical operators
- Rule prioritization
Are There Other Options for Securing Office 365 Data?
Microsoft has created a great data loss prevention tool for their customers. If you work for a large enterprise that can afford adding it to your environment, that great! However, 3rd party tools are available that provide a lot more value, often at a more affordable price. Some advantages to choosing a 3rd party data loss prevention solution over native Office 365 data loss prevention include:
- Ease of use. We all know and love Office, but let’s face it: it isn’t always super intuitive. Particularly when it comes to more technical, back-end products like data loss prevention. They’ve definitely spent more time developing the user interface of their far more popular products like Word, Outlook, etc. Creating rules and policies, identifying red flags and getting to the cause quickly, and pulling reports can all be made much easier and more efficient using a 3rd party data loss prevention tool.
- Application Diversity. Using the native Office 365 data loss prevention solution only allows you to manage Microsoft-based cloud applications. So, if you have some team members using G Suite or Slack, for example, those applications will not be secured. You will either have to pretend like they just don’t exist (definitely NOT recommended) or you’ll have to get another data loss prevention solution to cover them anyway!
- Cost. It’s been mentioned already, but it’s worth saying it again. Upgrading to a license level that includes data loss prevention for Office 365 is expensive, and simply unattainable for most SMBs, school districts, and nonprofits. The right 3rd party data loss prevention and cloud security solution can give these organizations the security they need at a price they can afford—while also saving system admins a ton of time.
How To Set Up Data Loss Prevention for Office 365
Whether you’re going to set up Microsoft’s native Office 365 data loss prevention tool or use a 3rd party solution, there are going to be 4 steps to take to make sure you’re securing your data properly.
Step 1: Map out your data loss prevention rules
While most solutions available will have policy templates built into the platform, it’s a good idea to sit down and document your data loss prevention rules before you get too deep into setting them up. Taking this step will help you clarify the type of information you have, where it is located, and what remediation policies to put in place in case the rules are broken. It’ll also help you clarify your thinking so you don’t leave out something important.
Step 2: Step up policies in your data loss prevention tool
You’ll need to first “train” your solution to let it know what constitutes sensitive information and what to do with it. Many solutions will have predictive technology and/or policy templates for you to use to get started.
Since you’ve already mapped out the basics in step 1, step 2 is simply a matter of configuring the platform to do what you want. You’ll likely have some details to iron out in there as well. For example, you may need to set up exemptions for certain user groups and customize policy violation notifications.
Step 3: Run a Test
Most data loss prevention tools have a “sandbox” type environment where you can test out your new policy. Make sure you run several tests to make sure it is working the way you want it to. This simple step will save you hours of time dealing with false positives or negatives in the long run.
Step 4: Activate Office 365 Data Loss Prevention!
Once you’ve thoroughly tested your new policy, you’re ready to activate! Set it live and move on with you day.
Choosing A Data Loss Prevention Solution For Office 365 That Works For You
Choosing a data loss prevention solution for Office 365 and your other cloud applications is a critical step in securing your organization’s financial future. You don’t need to be an evil organization with an intent on subjugating a galaxy to fall victim to data breaches. Disgruntled employees and rebellious cyber criminals wreak havoc every day, causing millions of dollars in damages.
At ManagedMethods, we offer cloud application security and data loss prevention solutions that are easy to use, affordable, and (most importantly!) effective. Keep your sensitive data out of the wrong hands and avoid an explosively bad outcome. Sign up for a free 30-day trial today!