Organizations have much sensitive information that they need to control access to, use, and transmission.
These can include financial data, health records, credit card numbers, proprietary data, or Social Security numbers.
To protect them and reduce their risk of loss, inappropriate sharing, or unauthorized access, organizations need the support of dedicated data protection solutions.
This practice, and the tools and activities associated with it, is called data loss prevention (DLP).
This article shares the three types of data loss prevention in Microsoft 365 and a step-by-step process for setting up Microsoft 365's DLP.
Also called data leak prevention, data loss prevention combines processes, technologies, strategies, tools, and techniques to prevent unauthorized access to an organization's sensitive data.
This helps prevent staff from accessing or sending confidential data outside of an organization or into third-party storage like Google Drive.
DLP technologies provide data protection while at rest, in use, or in motion.
The three types of data loss prevention to consider in your DLP strategy are: network DLP, endpoint DLP, and cloud DLP.
Network DLP gives you visibility into the company's network, allowing monitoring and controlling information flow through the company's network, web, Internet service provider, Bluetooth, Wi-Fi, and/or email.
You can analyze the network traffic through network DLP and use network security policies to prevent data loss risks.
Network DLPs conduct certain preset network protection actions to protect the company from data loss.
These may include allowing, auditing, blocking, flagging, quarantining, or encrypting suspicious activities that violate the company's data or information security policies.
Endpoint DLP involves monitoring and protecting devices, such as phones, servers, desktops, printers, and laptops, used to access, move, or store a business's data and sensitive, personally identifiable information.
Research shows that 76% of U.S. staff gain inappropriate access to company-sensitive apps and data.
Endpoint DLP helps prevent sensitive data from being lost or misused by unauthorized persons.
Cloud DLP helps protect businesses' data and applications on the cloud from unauthorized access, leak, loss, or mishandling.
It does this by encrypting the sensitive data and ensuring that it's only accessible or sent to cloud-authorized applications.
Cloud DLP technologies can identify, classify, remove or modify confidential/sensitive data before sharing it to any cloud environment.
This helps protect the data from malicious insiders, cyber threats, and unsafe/accidental exposure.
Microsoft DLP is a component of the Microsoft 365 Compliance tools used to protect sensitive information at rest, in use, and in motion.
Microsoft 365 Compliance includes Microsoft Information Protection (MIP) tools and capabilities that help companies know their data, protect it, and prevent data loss.
Microsoft 365 DPL allows users/organizations to create rules and policies that categorize data types, such as sensitive, confidential, or critical.
You can customize Microsoft 365's integrated sensitive information types to protect specific company information.
By implementing the Microsoft 365 DLP policies, you can control what actions need to be taken on sensitive information.
For example, depending on your organization's defined policies, Microsoft 365 will block unauthorized access to sensitive data or send notifications when someone tries to access them or violate set rules.
This way, you can protect the data from accidental dissemination or malicious actors as you comply with industry regulations.
In general, Microsoft DLP controls allow companies/users to:
Office 365 DLP for SharePoint Online, Exchange Online, and OneDrive for Business is available for the following Microsoft 365 plans or licenses:
The availability also includes files shared through Teams because Teams uses OneDrive and SharePoint Online to share files.
Also, support for DLP protection in Teams Chat requires Office 365 E5.
Setting up DLP in Microsoft 365 is relatively simple, thanks to its built-in features and functionalities.
Follow the below steps:
Once you log in to the Microsoft 365 admin center, navigate to Security & Compliance Center. This is where all the DLP setup will take place.
In the Security and Compliance Center, click the Data Loss Prevention Tab > then click Policy.
When you click Policy, a new screen pops up.
In the new windows, click +Create a policy. A new window called New DLP policy will pop up.
You'll be presented with various templates/wizards to help you create different policies, including privacy, medical, financial, and customized situations.
Select from the list of predesigned policy templates to set up or choose to customize your own Policy.
For example, to create a HIPPA policy: Choose Medical & Health > U.S. Health Insurance Act > Click Next.
If you want to create financial data protection through one of the wizards, choose the specific template/standard/country relevant to your business and follow the guidelines.
Under Name Your Policy, you can give the Policy a name and description that matches your needs. Once you're done, click the Next button.
Choose the locations where the new Policy will be active or specify where you want that Policy to be enforced.
You can select all locations or a specific location "specify where you want that policy to be enforced."
Specific locations can be Exchange Online, OneDrive, or Sharepoint.
You can choose "Simple settings," which simply allows you to apply default/pre-existing Microsoft 365 rules.
Alternatively, you can select the "Advanced settings" icon to create a new rule(s) to apply stricter rules to your policies.
These rules include exceptions, user notifications, actions to take when conditions are met, user overrides, or incident reports.
You can get more granular with the settings in different aspects, such as content, actions, and staging.
Once you're done, you'll review the settings/rules you've created and click Create.
You can turn on your newly created Policy right away, test it first, or keep it turned off.
Once everything is done to your satisfaction, click Save to save your settings.
After creating the DLP policies and turning them on, you'll want to check and verify that they're working as intended.
Check the DLP reports to quickly view the total number of DLP policies and rule matches over time.
You'll also see the number of overrides and false positives.
Here, you can set up recurring reports for the account admin.
Microsoft 365's DLP is a great first step for businesses seeking to implement more robust data security.
With data loss prevention, a user cannot send sensitive information to an email address outside the company domain or to public cloud storage like Google Drive or Dropbox.
It blocks and logs any attempt — accidental or malicious — to access or send this information out of the network.
How prepared is your business for a cybersecurity incident such as data loss?
If you're not sure of your business's current security posture, download this free data security checklist to understand your strengths and weaknesses.