Many of a company’s most sensitive documents are in digital format. That information needs to be protected, whether it’s a corporate trade secret, client payment history, or any other type of protected data.

Beyond their own corporate governance and need to keep sensitive data from unauthorised access, businesses also have to comply with data privacy regulations, like the GDPR, which often come with stiff penalties for non-compliance.

There have been a total of €153,303,495 in GDPR fines levied for data privacy violations.

Firewalls, antivirus, and other advanced threat protection and IT security measures can help keep hackers out of your network to protect your data. But, how do you protect it from a file level?

How can you ensure that a spreadsheet containing client details isn’t accidentally shared outside your company by an employee? What protections can you put on endpoint devices to reduce the risk of a compliance violation?

These types of situations require a different type of security, one that is applied to and follows a document. Within Microsoft 365, this document-level security can be achieved through the use of three tools:

• Data Loss Prevention (DLP)
• Windows Information Protection (WIP)
• Azure Information Protection (AIP)

Simplify Data Compliance & Protection with Microsoft 365

The purpose of data loss prevention when it comes to security and compliance is to prevent data from falling into the wrong hands, either through accidental or malicious means.

For example, an employee not understanding the data security of a document may inadvertently share it with someone they shouldn’t. A rogue employee of a vendor with short-term access to your network, may try copying sensitive files to a USB drive.

Both of those types of incidents can be avoided when you use the tools in Microsoft 365 designed for data protection.

We’ll take a look at DLP first, which is a policy that you put into place in the Office 365 Security & Compliance Center. DLP can be used in conjunction with AIP and WIP to ensure a complete cloud security policy.

Using Data Loss Prevention (DLP) to Secure Your Documents

Complying with business standards and industry regulations means protecting sensitive information when it’s being collected, when at rest, and when it’s being shared or transmitted.

A data loss prevention policy allows you to automate the process of document protection by putting standards in place that can be picked up automatically by devices based upon content or assigned labels.

With DLP, you not only can tag sensitive documents, you can also:

• Identify
• Monitor
• Protect

In a data loss prevention policy, you have the ability to enact rules that can be based on a number of factors. These include:

• Locations: Decide which apps you want to protect content in, such as Teams, SharePoint Online, OneDrive, Exchange Online.
• Conditions: Set conditions for content you want to protect. For example, you might set a rule that any document containing payment card details can only be accessed by the accounting department.
• Actions: You decide what action to take based upon certain conditions. For example, you could set a rule that if any document labeled “classified” is being copied, to send an email to the compliance officer.

While it takes some time upfront to configure DLP in Microsoft 365, the benefits are many, not the least of which are tied to compliance and overall data security for your organisation. Other benefits include:

• Prevent accidental sharing of sensitive information
• Stop malicious copying or sharing of sensitive files
• Automatically identify sensitive information across multiple Office 365 apps
• Monitor and protect sensitive data across the Windows/Microsoft landscape
• Automate compliance to improve security without sacrificing productivity
• Gain valuable insights into data use and access through reporting

Windows Information Protection (WIP)

WIP is a built-in component of Windows 10. It’s designed to protect local data that is at rest on an endpoint device. This includes documents that have DLP in place that are in desktop versions of Excel, Word, and PowerPoint.

So, if a user is emailed a document that contains customer payment card details and that has a sensitivity label attached through DLP, Windows Information Protection will identify that label and keep those same policy protections in place as long as the document is on that Windows device.

Once data leaves the endpoint device, for example as an email attachment, it’s no longer under the protection of WIP.

Azure Information Protection (AIP)

Azure Information Protection expands your data loss prevention policy past a single end point device. It applies protections at the document level. So, it picks up where WIP leaves off.

AIP will stick with a file as it moves between cloud services and applications, because rather than applying polices to certain locations or devices, it is embedding them with the document itself.

Policies that you apply to a document using AIP can do things like:

• Implement message encryption
• Restrict document forwarding
• Classify documents
• Restrict document access
• Track documents across cloud platforms

Used together, DLP, WIP, and AIP can protect your sensitive files from the document to the device level to ensure data stays protected properly based upon its content.

Get Help Implementing Document Protection at Your Business

NMX IT Solutions can help your Thames Valley business to simplify your compliance and document security by setting up these helpful Microsoft 365 protections for you.

Contact us today to schedule a custom cloud consultation! Call 01628 232300 or reach out online.