A Guide to Document Security in Microsoft 365

There is a heap of data being generated every day. If you like numbers, it’s around 2.5 quintillion bytes of data. So, we are here to talk about the challenge of protecting this vast expanse of information. We all know that data breaches have become both more frequent and more costly, but did you know that a data breach usually takes nearly a year to contain? We now live in a world that demands a strategy to shield your organisation from document security threats, and at the same time supports an environment where productivity thrives.

Microsoft 365 likes to take on this challenge of fostering collaboration, whilst maintaining security. But it’s important to know how you can get these two components humming along in your organisation. As specialists in the deployment and optimisation of Microsoft 365, we are acutely aware that success in the business environment depends on getting technology to unite security and efficiency. Our philosophy goes well beyond the technology itself; it’s about weaving these solutions into your operations, ensuring they promote productivity without compromising security.

The integration of advanced security features within Microsoft 365 offers a path forward. These tools are designed to safeguard your most critical assets while streamlining workflows, ensuring that protection mechanisms enhance rather than obstruct your business processes. In this article, we will outline considerations for increasing security in M365, whilst maintaining the collaboration and productivity that we are all striving for.

Access and Permission Levels in SharePoint and Teams

SharePoint and Teams lie at the heart of collaboration within Microsoft 365, facilitating document sharing and communication. However, without proper management, their open nature can lead to security risks. By tailoring access and permission levels, you can ensure that sensitive information is securely managed while remaining accessible to authorised personnel.

  • SharePoint: Allows the setting of specific permissions for different users or groups, enabling you to control who can view, edit, or share documents. Implementing these controls not only enhances security but also streamlines workflows by ensuring that team members have the appropriate access levels to the resources they need. You can even create custom permission levels; for example, you could allow people to create new documents but not edit existing ones.
  • Teams: Provides a couple of options out of the box – members and owners. It is important to know you can change what can be done by members compared to owners. As an example, you can restrict the creation of channels to only owners of a Team. And more importantly, remember that every Team is backed by a SharePoint site. Why is this important? Because whatever you can do with permissions in SharePoint you can do in Teams. You can create a Team with read-only access to sensitive files, or one where people can edit items in one folder but not another. Just remember this can take some effort to administer, so if you need to repeat it, consider automating the process.

Secure External Sharing

Collaboration often extends beyond the confines of your organisation. Many businesses need to share documents with external partners, suppliers or clients. Microsoft 365’s external sharing features enable you to share documents securely with people outside your organisation while retaining control over who accesses your information. You can set expiration dates for shared links, require sign-in for access, and even restrict the ability to download documents. This method ensures that your data remains protected, even when it needs to be shared outside your immediate team.

  • External Sharing: There are two main controls for External Sharing, which are available in the Admin Centre of Microsoft 365. From here you can control what sharing controls people have across OneDrive and SharePoint. However, you can get even more granular than this. It is possible to block external sharing across your environment, restricting it to something only an admin can activate at the Site or Team level. This way you can easily control which sites can be shared externally without worrying about what employees may have done. You can also control who has the ability to share within a MS Teams Team or a SharePoint Site. By default, everyone can share; however, with a simple change this can be restricted to the owners of the Site.

Sensitivity Labels

Sensitivity labels are a powerful tool for maintaining document security, ensuring that sensitive information is adequately protected regardless of where it resides or how it’s shared.

  • Sensitivity labels for Documents: Classify and protect the access to documents based on their content and the level of confidentiality required. These labels can be applied manually by users or automatically, based on predefined policies. Once applied, they help in enforcing security policies, such as encryption and content marking, across your documents.
  • Sensitivity Labels at Team and Site level: These are a great way to control access to your Teams and Sites. You can create policies that will restrict external sharing, access from personal or non-company devices, downloading of content and more.
  • Auto-applying File Level Policies: When it comes to file level policies, this is where it gets extremely powerful. As the labels are linked to Microsoft 365 you can restrict access to a file to only people who have an active account. As the file is encrypted, if the user’s account is deactivated, they won’t be able to open the file. You can also apply watermarks, headers and footers and even manage what can be done with email, like restricting forwarding and printing. When creating Labels and Policies you have the option to create them for a Site / Team or a document. This is important, as both have very different abilities. We always recommend having separate policies for Documents and Sites; this makes it easier to communicate their usage, and when to use each one.

Data Loss Prevention

Data Loss Prevention (DLP) policies within Microsoft 365’s Purview suite are sophisticated tools designed to detect and protect sensitive information across Microsoft 365 services, such as SharePoint, Teams, and Exchange. These policies are vital in preventing the accidental or intentional sharing of sensitive data, thereby ensuring compliance with regulatory requirements and safeguarding against data breaches. To offer a nuanced approach to data protection, DLP policies utilise various types of checks and controls, including Content Location, Pattern Matching in files, User behaviours and Trainable Classifiers.

  • Content Location: Content Location policies in DLP are about identifying where sensitive information resides within your organisation. Microsoft 365 allows you to define DLP policies that are specific to certain locations, such as particular SharePoint sites or Exchange email accounts. This specificity ensures that protection measures are appropriately targeted. For example, a DLP policy could be set to monitor only the documents stored in a SharePoint site containing financial reports, thereby applying stringent rules to a location where sensitive information is known to exist. This targeted approach helps in efficiently utilising DLP resources without overwhelming the system with false positives.
  • Pattern Matching: Pattern Matching is a critical feature in DLP policies that helps in identifying sensitive information based on specific patterns. For financial data, this could include patterns matching credit card numbers, bank account details, or tax identification numbers. Microsoft 365 uses regular expressions (regex) and other pattern recognition techniques to detect these types of data. Once a pattern is identified as sensitive, the DLP policy can take predetermined actions, such as blocking the transmission of the information, alerting administrators, or requiring additional authentication to access the data. This capability is particularly important for organisations in finance, healthcare, and any sector where sensitive information is regularly handled.
  • Trainable Classifiers: Trainable Classifiers represent a more advanced and dynamic approach to identifying sensitive information. Unlike static pattern matching, trainable classifiers use machine learning to understand the context and nuances of the data being analysed. This means they can be trained to recognise sensitive information even when it doesn’t fit a predefined pattern. For instance, a trainable classifier might learn to identify documents that contain proprietary research and development information, even if the specific data varies widely from one document to another. Trainable classifiers are particularly useful for managing complex data protection needs, adapting over time as they are exposed to more data and scenarios.
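The Pattern Matching check described above, shown as an added example (not code from Microsoft or from this article's authors): a regex finds card-like digit runs, then a Luhn checksum and nearby keywords cut the false positives that a regex alone would raise. The keyword list, the 100-character window, the confidence names and the policy actions are assumptions for illustration, and the sample texts are constructed.

```python
import re

# Candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Corroborating keywords (assumed list), searched within WINDOW characters of a match.
KEYWORDS = re.compile(r"\b(?:visa|mastercard|amex|credit card|card number|cvv|expiry)\b", re.I)
WINDOW = 100

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list:
    """Return findings with a confidence level; checksum failures are dropped."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # fits the pattern but fails the checksum: likely an order or tracking id
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        confidence = "high" if KEYWORDS.search(context) else "low"
        findings.append({"masked": mask(digits), "offset": m.start(), "confidence": confidence})
    return findings

def policy_action(findings: list) -> str:
    """Hypothetical policy: block on high confidence, alert on low, otherwise allow."""
    levels = {f["confidence"] for f in findings}
    return "block" if "high" in levels else "alert" if levels else "allow"

# Constructed sample documents (the card number is the well-known Visa test number).
SAMPLES = {
    "invoice": "Please charge my Visa, card number 4111 1111 1111 1111, expiry 12/29.",
    "tracking": "Parcel tracking reference 1234567890123456 was dispatched on Monday.",
    "bare": "Ref: 4111-1111-1111-1111",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, policy_action(scan(body)), scan(body))
```

The tracking reference matches the regex but is discarded by the checksum, while the bare number with no supporting keywords only raises an alert rather than a block.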

By leveraging these types of DLP policies, organisations can create robust policies for protecting sensitive information across their digital environments. Implementing DLP with considerations for Content Location, Pattern Matching, and Trainable Classifiers ensures a comprehensive and adaptive approach to data security. This not only helps in maintaining compliance with industry regulations but also significantly reduces the risk of data breaches, safeguarding the organisation’s reputation and the trust of its clients and stakeholders.

Using a Strategic Approach to Protecting your Data

The complexities of document security can be daunting when everything seems to be so accessible. Yet, the strategic implementation of Microsoft 365’s security options demonstrates not only a commitment to safeguarding sensitive information but also facilitating innovation and collaboration. By capitalising on built-in features such as Access and Permission Levels, Secure External Sharing, Sensitivity Labels, and Data Loss Prevention, organisations can create a secure yet flexible digital workspace that aligns with their operational needs and strategic goals.

Establish and Maintain Data Security

For those looking to increase their document security in Microsoft 365, remember that the journey is ongoing. The digital workplace will continue to evolve, and so will the threats. But with a solid understanding of Microsoft 365’s security capabilities, and a proactive approach to implementing them, you can stay ahead of the curve. Your commitment to security reflects your dedication to your organisation’s future, its stakeholders, and the trust they place in you.

As experts in navigating the intricate web of security and collaboration, we understand the challenges and opportunities that come with the territory. Our approach is grounded in a deep understanding of the tools at our disposal, which can be tailored to meet the unique needs of each organisation that we partner with.

In securing your documents within Microsoft 365, you’re taking a critical step towards a more trustworthy, efficient, and collaborative workplace. Let this guide be the starting point of a journey towards enhanced digital security and preventing a costly and time-consuming incident.
