IT Security News, Microsoft Office 365 News 20 November 2019

What Data Loss Prevention Is & How the Tech Works in Office 365

What Data Loss Prevention Is & How the Tech Works in Office 365

Greg Judge, Infrastructure Engineer, Fabric

What is DLP?

Data Loss Prevention (DLP) is a powerful tool used to ensure sensitive data is not lost. Losing company data can be devastating, lessening trust with partners and clients. Even when data has been lost it’s not always realised after many months or even years! Regulation laws such as GDPR, legal action and fines can follow.

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements. (IT Governance)

DLP can be best explained in three stages:

1 – Discover/Classify – Scan & detect what data sensitive information we want to protect

  • Financial – Credit/Debit Card Numbers, SWIFT Code etc…
  • Medical – National Health Service Number, National Insurance Number (NINO) etc…
  • Personal (privacy) data – Driver’s License Number, Passport Number etc…

 

2 – Protect – Apply actions to the classified data such as

  • Encryption – Ensure the data is encrypted (especially useful if data is emailed outside of the company)
  • Access Restrictions – Restrict people sharing the sensitive data
  • Guidance tip – A notice appears for the sensitive data. Tips can provide an override of the policy if needed

 

3 – Monitor – Reporting, Alerts and Remediation

 

Read more… Do you have Advanced Threat Protection? See the policies you can put in place to stay one step ahead.

Demo

In the following demo we will secure UK financial data from being shared outside of the company.

Sensitive Info

Sensitive info types in Office 365 let us define sensitive data we want to protect. Luckily there are many predefined templates

U.K. Financial Data template covers;

Credit Card Number

EU Debit Card Number

SWIFT Code

You may notice bank account is not listed, so let’s define this by adding a new Sensitive Info Type.

 

Add the name and description:

DLP setup - adding name and description

Choose what requirements are classed as a match
• Keywords – words that match the data
• Regular Expression – Simply put, regular expressions are used to define how the data is formatted. For example, an account number is 8 numerical digits, and a sort code 6.

DLP setup - adding requirements

Now we’ve defined what UK Bank Account data is, we can use it with our DLP policy!

Creating DLP Policy

Once the DLP policy has been named, in this case ‘U.K. Financial Data’, we will specify where the policy applies to. You can choose to add it to Exchange (email), SharePoint, OneDrive or Teams. You can then apply the policy to a specific location or to the whole organisation!

DLP setup - add location

Next, we add rules which are applied to the defined data.
Here, the action taken is to block when any of the U.K. Financial Data is shared or sent to anyone external to the company.

DLP setup - Policy Settings

Once complete, let’s test it!

 

Test

Here is a beautiful spreadsheet with some bank account details.

To test our DLP policy we have Excel spreadsheet with bank account details stored in SharePoint

You may notice the “Policy Tip: This item is protected by a policy in your organization” telling the user that a policy is attached (Policy tips can be customised).

DLP test - example of an excel document with sensitive data

When trying to share this spreadsheet, we are blocked. Success!

DLP test - sharing document

 

Read more… conquering business communication with Office 365.

Even if we copy and paste the sensitive information into an email, then try and send, a Policy Tip appears:

DLP test - policy tip

Try sending and this happens…

DLP test - send blocked

 

Crisis diverted #2019

Read more… Don’t let your business join our list of the most shocking data breaches in the 21st century.

Greg Judge, Infrastructure Engineer, Fabric

Get in touch Back to blog