Cyber Insurance: A Shield for Your Business in the Digital Age

Cyber Insurance: A Shield for Your Business in the Digital Age

In an increasingly interconnected world, where businesses rely heavily on technology, the risk of cyberattacks is ever-present.

As cybercriminals continue to evolve and become more sophisticated, the need for robust cybersecurity measures is greater than ever. Cyber insurance has emerged as a vital tool to protect your company from the financial and reputational fallout of a cyber incident.

In this article, we’ll explore why companies should consider taking out cyber insurance and how 365 Total Protection can make this process even more advantageous.

The Evolving Cyber Threat Landscape

The digital age has brought about a myriad of opportunities for businesses, but it has also given rise to new and constantly evolving risks. Cyberattacks, including data breaches, ransomware attacks, and phishing scams, are becoming more prevalent, targeting organizations of all sizes.

As a result, companies face the risk of financial loss, legal liability, and damage to their reputation.

The Case for Cyber Insurance

Here are compelling reasons why your company should strongly consider cyber insurance as part of its risk management strategy:

  1. Financial Protection: Cyber insurance covers the financial costs associated with a cyber incident, including expenses for investigating and mitigating the breach, notifying affected parties, and recovering lost data.
  2. Legal Liability: In the event of a data breach, your business may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover legal expenses and compensation.
  3. Business Continuity: A cyber incident can disrupt your business operations, resulting in revenue loss. Cyber insurance can provide financial compensation to help your company maintain its stability during and after an attack.
  4. Assistance Services: Many cyber insurance policies offer assistance services, such as access to IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an extension of your team in navigating the complex aftermath of an attack.
  5. Data Protection: Cyber insurance can also cover the costs associated with the loss, misuse, or compromise of physical and electronic data, ensuring that your valuable information is safeguarded.

The Challenges of Cyber Insurance

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

The 365 Total Protection Advantage

To help our customers overcome these challenges and secure comprehensive cyber insurance on favorable terms, we’ve partnered with Hiscox, a leading cyber insurance company in Germany. This partnership offers special conditions exclusively for Hornetsecurity customers using 365 Total Protection or any of its components. The special conditions include:

  • Discount on Premiums: Enjoy a discounted insurance premium, ensuring cost-effective coverage for your business.
  • Reduced Deductible: Benefit from a lower deductible, making it more manageable in the event of a claim.
  • Higher Indemnity Limit: Receive a higher indemnity limit to cover potential losses during a business interruption.
  • Simplified Application Process: We’ve streamlined the application process for our customers. All you need is proof that you are using 365 Total Protection or just one of its included services, making the process hassle-free.

Conclusion

As the digital landscape continues to evolve, the importance of protecting your business from cyber threats cannot be overstated.

Cyber insurance is a critical tool that provides financial protection, legal assistance, and peace of mind in the face of cyber incidents.

With our partnership with Hiscox, 365 Total Protection customers can enjoy special conditions, making the process of obtaining cyber insurance more advantageous than ever before.

Don’t wait until a cyber incident threatens your business – take proactive steps to safeguard your digital assets and secure comprehensive cyber insurance.

Reach out to us today to learn more about the exclusive benefits of our cooperative agreement with Hiscox and how 365 Total Protection can help you protect your company in the digital age.

Learn more about 365 Total Protection and request a free trial: https://www.hornetsecurity.com/en/services/365-total-protection-compliance-and-awareness/

FAQ

What is cyber insurance, and why do businesses need it?

Cyber insurance is a type of insurance that helps protect businesses from financial losses resulting from cyberattacks and data breaches. It can cover costs associated with data recovery, legal fees, and reputation management. As cyber threats continue to evolve, businesses need this insurance to mitigate the financial impact of potential cyber incidents.

What types of cyber threats does cyber insurance typically cover?

Cyber insurance policies can vary, but they often cover a wide range of cyber threats, including data breaches, ransomware attacks, DDoS attacks, social engineering, and insider threats. Some policies, like Hiscox’s, may also cover third-party liability, such as claims from affected customers or partners.

What factors influence the cost of cyber insurance?

The cost of cyber insurance can vary based on several factors, including the size and industry of the business, its cybersecurity practices, the amount of coverage needed, and the location of the company. Companies with strong cybersecurity measures in place may pay lower premiums than those with weaker protections.

Does cyber insurance cover the full cost of a cyberattack?

Cyber insurance policies typically do not cover the full cost of a cyberattack. They provide coverage up to the policy limit, and there may be deductibles or waiting periods before coverage kicks in. It’s essential for businesses to carefully review their policy terms and limits to ensure they have adequate coverage.

Can small businesses benefit from cyber insurance?

Yes, cyber insurance is not limited to large corporations. Small businesses are often more vulnerable to cyber threats due to limited resources for cybersecurity. Cyber insurance can help them recover from the financial impact of an attack and provide peace of mind. Many insurance providers offer policies tailored to the specific needs of small businesses.

Protecting Your Business: The Importance of Cyber Insurance

Protecting Your Business: The Importance of Cyber Insurance

In today’s digital age, the threat of cyberattacks looms larger than ever, and businesses are increasingly becoming targets of sophisticated cybercriminals. In this landscape, safeguarding your company against potential risks is paramount.

One crucial aspect of this protection strategy is investing in comprehensive cyber insurance. But simply having cyber insurance isn’t enough; it’s equally essential to ensure that you meet the stringent requirements set by insurers to secure favorable terms.

One way to achieve this is by employing an all-encompassing IT security solution like 365 Total Protection. In this article, we’ll explore the reasons why your company should consider cyber insurance and how 365 Total Protection can help you obtain favorable terms on your policy.

The Rising Cyber Threat Landscape

Cyberattacks have surged in frequency and sophistication over recent years. Hackers are targeting businesses of all sizes, seeking to exploit vulnerabilities in digital infrastructure, steal sensitive data, disrupt operations, and cause financial and reputational damage.

As a result, companies are exposed to a growing array of risks, including data breaches, financial loss, legal liability, and reputational damage.

According to the Hiscox Cyber Readiness Report 2023, the median cost of a cyber-attack has reached in Germany 16.000 Euro, down 32.4% from 2021. Although this is a welcome development for Germany, the average cost of a cyber-attack to a company is still considerable. And who can guarantee that it will be just one attack?

For other countries in the Western Hemisphere, things don’t look quite so favorable. In the UK, the average cost of a cyberattack was 24,200 euros in 2023, and 20,000 euros in the US.

The Importance of Cyber Insurance

To mitigate these risks effectively, businesses should consider investing in cyber insurance. A robust cyber insurance policy can offer comprehensive protection against the financial and legal ramifications of a cyberattack. Here’s why purchasing cyber insurance is a wise decision:

  1. Coverage for Incurred Damages: Cyber insurance typically covers the costs associated with defending against a cyberattack, restoring data and systems, and mitigating the impact of the attack on your business.
  2. Liability Protection: In the event of a data breach or cyber incident, your company may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover the costs associated with legal liability and compensation.
  3. Business Interruption Support: Cyber insurance may provide financial compensation in case of a business interruption resulting from a cyberattack, helping your business maintain stability during challenging times.
  4. Assistance Services: A good cyber insurance policy includes assistance services such as IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an outsourced cyber crisis department to help you navigate the aftermath of an attack effectively.
  5. Data Protection: Cyber insurance can also offer protection for both physical and electronic data, including laptops, smartphones, and paper files. If data is lost, compromised, or misused, your policy can provide coverage.

The Challenges of Cyber Insurance

However, there’s a catch. As the frequency and severity of cyberattacks continue to rise, insurers are adapting to the changing landscape. They are striving to make their cyber insurance products profitable again. This translates to increasing deductibles, higher premiums, and more stringent minimum IT security requirements for policyholders.

According to the World Economic Forum, cyber insurance premiums have increased globally by an average of 20% per year over the past five years. For small and medium-sized businesses, these rising premiums and stricter security requirements can become a substantial financial burden.

How 365 Total Protection Can Help

This is where 365 Total Protection comes into play. 365 Total Protection is a comprehensive IT security solution that offers a multitude of benefits, including:

Email Security: Protect your business from email-based cyber threats, including phishing, malware, and spam. 365 Total Protection ensures that your communication remains secure; and thanks to a self-learning AI-based service, it ensures that email recipients are validated so that even outgoing emails don’t fall into the wrong hands.

Backup & Recovery: In the unfortunate event of a cyberattack, 365 Total Protection provides a robust backup and recovery system, ensuring that your data is safe and can be quickly restored.

Compliance for Permission Management: 365 Total Protection helps your organization comply with data protection laws, ensures that you effectively protect sensitive data in Microsoft 365 thanks to clear permissions management, and reduces the risk of data loss and legal liability.

Security Awareness Training & Phishing Attack Simulation: Educate your employees about the importance of cybersecurity. Well-informed staff can be your first line of defense against cyber threats.

With the Security Awareness Service included in 365 Total Protection, you can train your employees at the touch of a button to recognize and report even advanced spear phishing attacks and learn safe behaviors to build a sustainable security culture. The Security Awareness Service runs continuously and fully automatically.

It includes advanced spear phishing simulation to continuously measure the security behavior of all employees, and then automatically manages the right level of training for each employee.

By implementing 365 Total Protection, your company can substantially enhance its cybersecurity posture, which, in turn, can lead to more favorable terms when purchasing cyber insurance. When insurers see that your organization has taken significant proactive measures to protect against cyber threats, they may be more inclined to offer competitive rates.

In Conclusion

In an era when cyberattacks are becoming increasingly prevalent and severe, cyber insurance is an essential component of your business risk and continuity management strategy. To secure favorable terms on your cyber insurance policy, invest in an all-encompassing IT security solution like 365 Total Protection.

By taking proactive steps to protect your digital infrastructure and educate your employees, you can demonstrate to insurers that your company is a responsible and secure entity, potentially leading to more cost-effective coverage.

Don’t wait until it’s too late – protect your business today with a combination of robust cyber insurance and 365 Total Protection’s comprehensive IT security offerings.

Learn more about 365 Total Protection and request a free trial: https://www.hornetsecurity.com/en/services/365-total-protection-compliance-and-awareness/

FAQ

What are the benefits of having cyber insurance?

Cyber insurance can help businesses to:

  • Recover from a cyberattack more quickly and efficiently
  • Protect their reputation
  • Avoid financial losses
  • Comply with regulatory requirements

How much does cyber insurance cost?

The cost of cyber insurance varies depending on the size of the business, the industry it is in, and the level of coverage it needs. Other factors included in the insurance premium are:

  • Risk assessment and deductibles
  • Type of information and data a company stores and processes
  • The type and quality of security measures implemented, such as security awareness training for employees
  • The company’s cyber history
  • Any global presence the company may have. Companies with a global presence typically pay higher premiums for cyber insurance because they are exposed to a broader range of risks.

What can businesses do to lower their cyber insurance costs?

Businesses can lower their cyber insurance costs by:

  • Implementing strong cybersecurity controls
  • Conducting regular risk assessments
  • Training employees on cybersecurity best practices
  • Having a comprehensive incident response plan in place
Protecting your data in M365 with Information Protection

Protecting your data in M365 with Information Protection

A few years ago, the expression was “data is the new oil,” and that might be true, but when it comes to your organization’s documents stored in the cloud, I think a more apt description would be “data is radioactive.” Yes, you can do good things with it (generate electricity), but it’s dangerous stuff, and you shouldn’t keep it around for longer than you need to. For most IT pros, data security is NTFS, share permissions, and SharePoint access levels. Turns out that doesn’t work so well anymore. Even when documents are stored in OneDrive for Business, SharePoint, and Exchange Online, they don’t stay there. They’re shared via Teams, third-party collaboration, and cloud storage services, via email, and even stored on USB sticks now and then. And when everyone is working from home or anywhere, you quickly lose what little control you used to have over where these documents are and who has access to them. This is a serious problem for businesses, both big and small, and I think it is going to come much more into focus over the next few years. But there are actually technical solutions to this that you may already have paid to license for but are not using today, in the form of Microsoft Information Protection, sometimes called Azure Information Protection. This article will show you how it works, how to start using it, how to ensure the business is onboard, and what you can do at the different licensing levels.

The Basics

Before discussing protection, let’s talk about labeling, the foundation of M365 Information Protection. A document is labeled with a classification, such as “Sensitive” or “Highly Confidential,” and this label follows it wherever it goes. Then you apply policies that say that “Public” documents aren’t protected at all, but “Highly Confidential” ones have a watermark applied on each page (or a footer or a header) and are encrypted and that a user has to designate the specific internal or external users that should have access to it.  The labeling names are up to you; with some suggestions, you can have different labels scoped to different groups and have nested labels such as “Highly Confidential/All employees” and “Highly Confidential/Executives.” Again, the protection follows the document, and the recipient must prove who they are at the time of access and either give a few days grace period after the initial authorization to access the document offline or have to authenticate every single time.  Access can be time-limited, and specific permissions can be assigned, such as read-only, or you can’t print it, etc. For emails, you can apply “Do not forward,” “no printing,” etc. Many file types are supported out of the box, including the Office ones and PDF, with third-party add-ins on offer to protect CAD engineering files for instance. Microsoft 365 E3 and Business Premium offer manual labeling of documents, relying on staff training (more below) and judgment, whereas Microsoft 365 E5 can automatically identify sensitive information and label documents for you. Rather than relying on where a document is stored (file share, cloud storage, USB stick, etc.) and trying to control access there, M365 Information Protection embeds the protection in the document itself. This means that if you try to open a protected/encrypted document in a third-party application instead of Microsoft Office or a compatible PDF reader (Adobe Reader works), it won’t open. Note that this isn’t an anti-hacker technology; it’s a way to ensure control over documents and help good people do the right thing. If I have read access to a document and I’m determined to steal the content, I can take photos of it with my smartphone, pop my laptop on the photocopier and hit print, or simply memorize the information. None of those actions can be claimed to be accidental if you’re caught, though. In contrast, if you have no information protection in place, you don’t even know if a copy of the text is pasted into another file or forwarded to a personal email address. A building block of M365 Information Protection is Sensitive Information Types (SITs), which are built-in ways to spot different types of data. At the time of writing, there are 264 types, including classics such as credit cards and SWIFT codes, and adding bank account numbers, passport, and identification card numbers for many countries worldwide. There are also more recent additions such as IP addresses, disease IDs, names and physical addresses, Azure Storage Account keys, and many, many others. You can also create your own SITs for organization-specific terms.

Data classification dashboard

Data classification dashboard

For more complex document types, where a string of numbers and corroborating evidence words aren’t sufficient (16 numbers in groups of four, with the words CC, MasterCard, etc. next to it), you can use Trainable classifiers that rely on Machine Learning models to identify data. There are 19 built-in ones (for English, a total of 49 when Japanese, German, French, etc. are included) for Agreements, Finance, HR, Intellectual Property, Legal, Resume, Source Code, Profanity, Targeted Harassment, and Threats, plus several others. If you have E5 licensing, you can also create your own by feeding it many documents of the type you’re seeking to classify (Australian Legal Contracts, for example) and then refine the model by feeding it the right kind of documents, as well as wrong ones, and manually marking each batch when it gets it right and wrong. When the model is accurate enough, you can publish it to your tenant and then use it in your policies. If you have a database of terms or codes (say employee IDs or project numbers), you can use Exact Data Match (EDM) to spot these when they show up in documents or emails. To see the SITs and other sensitive information types, go to compliance.microsoft.com, log in with an administrator account, and go to Data Classification in the menu on the left. But how do you know what sensitive data you’ve already got in your tenant so you know where to start? That’s where Content Explorer comes in; as long as you’ve been assigned the extra roles (on top of Global Admin) of Content Explorer List Viewer and Content Explorer Content Viewer, you can browse and see what’s already stored in your tenant. Here’s my tenant:

Content Explorer in M365 Information Protection

Content Explorer in M365 Information Protection

As you can see, many names across email and OneDrive for Business make sense, as does Australian Business Number, while the disease identification is a false positive. I can then drill down to individual documents, and if I have the Content Viewer role, I can even preview the documents themselves (obviously, be careful with this permission). This should give you a good starting point for understanding what sensitive data you have stored.

Documents identified in Content Explorer

Documents identified in Content Explorer

On the other hand, Activity Explorer shows you what users are doing with documents when you start using labels and protections and how they’re being used.

Activity Explorer in M365 Information Protection

Activity Explorer in M365 Information Protection

Nowadays, it’s not just files and emails that can be labeled; you can also apply your classifications to SharePoint sites and M365 groups (this is in preview at the time of writing and requires manual steps to enable). Note that today, that doesn’t mean that the documents inside those containers are automatically labeled (they don’t work as NTFS permissions, in other words); it means that you can control the external sharing of documents from those locations. Finally, you can also apply M365 Information Protection labels and policies to data other than documents using Microsoft Purview (up until very recently called Azure Purview). This extends the whole concept of labels to databases (SQL, Cosmos DB, Amazon RDS, Cassandra, DB2, Google BigQuery, and others), cloud storage, data lakes, etc.

Scoping a sensitivity label in M365 Information Protection

Scoping a sensitivity label in M365 Information Protection

Applying the labels

OK, you have worked out what labels to use (see below), at least for your first pilot project. Now, you need to create your policies to actually apply them. Still, in the compliance portal, go down to Solutions – Information Protection. Here, you create your labels based on the SITs and other classification options covered above and then publish them using Label policies. Pick the label(s) to publish and scope it to users and groups (you can select All for a companywide policy) and then select Policy Settings.

Policy settings for a Sensitivity label policy

Policy settings for a Sensitivity label policy

Here you can make it so that users must provide a business justification when removing a label or lower it to a less sensitive one, requiring users to always apply a label (be very careful with this setting; see below), requiring labeling for PowerBI content and offer a link to a custom, inhouse help page. Make sure that you give your policy a descriptive name that fits neatly into the flyout under the button in the Office apps and a longer description as well. This might seem trivial, but it is actually crucial in helping users understand what label to use for each type of content. Realistically, though, asking users to manually label documents and emails (hopefully without enforcing it) is only going to take you so far, and only with new documents. To really get a handle on and label all your data, you must use Auto-labeling policies. These are available in E5 licensing (for a good breakdown of what’s available in each licensing tier – see here). These will scan through existing documents in OneDrive for Business and SharePoint online and label documents based on sensitive data found, optionally applying markings and encryption based on your label settings. When you first create one, you can run it in simulation mode to ensure that it’s going to work as you expected. If you have documents on-premises, in file shares / SharePoint server, you can use the Azure Information Protection scanner to do the same for all that data. Managed from the cloud, once the agents are deployed on-premises, they will scan SMB or NFS (preview) shares and SharePoint 2013 to 2019 servers. Another important step to take is to designate a group of highly trusted users as super users so that they can unencrypt documents that were protected by an end-user who’s no longer with the company, for instance. I haven’t gone into it, but M365 Information Protection has had many names over the years, so if you see references to Azure Information Protection, Azure Rights Management Services, etc., they’re all talking about the same thing. The current product is also unified within Microsoft 365, and the client agent is built into Apps for Business / Apps for Enterprise, which the rest of the world calls Office – i.e., Word, Excel, and so forth on your desktop, on a smartphone or the web version in a browser.

Working with the business

This is the most important part of this article – the technology isn’t the crucial bit, even though it’s cool – it’s engaging with the rest of the business. Successfully implementing M365 Information Protection in your business relies on you being able to get executive sponsorship – it’s got to be something that the business leaders understand and see as aligned with business outcomes. If it’s something IT is trying to “enforce” for compliance reasons on their own, it’s unlikely to succeed. After the executives are onboard and lead by example (as they often handle the most sensitive data in the business), you need to train your users. Start small, perhaps with a group of users in the legal, finance, or HR department who understand the need more than other staff. Gather feedback and really understand how adding extra steps to their daily workflow impacts productivity. Ensure that the labels are crystal clear and that there are as few as possible. When you first start out, especially in a large business, you can end up with dozens of labels, with each department insisting that their Highly Confidential classification is different than in another department. Be ruthless – to have any chance of success. You must get everyone to agree on a small set of labels that are clear to everyone. If required, you can have different labels for different groups of users; just be aware of the potential management and maintenance overhead.  Just like file permissions can be straightforward on a new file server, over time, minor changes and exceptions can make maintenance hard, so plan for quarterly meetings to go back over labels and usage and impacts in the business to ensure that you can adjust as M365 Information Protection is more and more adopted by the organization (Activity Explorer really helps with this). Also – make it fun! Have competitions to see who can label as many documents as possible or who used the most labels in a week. To properly protect your Microsoft 365, use Office 365 backup by Altaro to securely backup and replicate your crucial Microsoft Office 365 data. We work hard perpetually to give our customers confidence in their Office 365 backup for MSPs strategy. To keep up to date with the latest Microsoft best practices, become a member of the Altaro DOJO | Microsoft 365 now (it’s free).

Conclusion

M365 Information Protection ties in nicely with several other governance features such as Data Loss Prevention (DLP), which is now available on Windows and MacOS endpoints as well as in the cloud. It’s also related to Retention policies and Records management and is part of an overall strategy to secure your Microsoft 365 tenant. As you can appreciate, Information Protection is a huge area of Microsoft 365 and one that is constantly evolving; a good place to catch the latest as well as ask questions is the Information Protection public Yammer community.
How will Microsoft Entra Change your Identity Security?

How will Microsoft Entra Change your Identity Security?

Out of the blue, and after the Build conference, Microsoft released a “new” service called Entra. In this article, we’ll look at what it is, why you should care, and how it will change how you do identity security. Many security pundits have said many times over the last few years: “Identity is the new perimeter,” “Identity is the new firewall,” and strong identity authentication is a cornerstone of a Zero trust strategy. Certainly, Azure Active Directory (AAD), as Microsoft’s central identity directory, has been adapting more security features over the last few years, and indeed, AAD is one-third of Entra. The second part is Microsoft Entra Permissions Management (MEPM? EPM?), based on the recent CloudKnox acquisition, and finally, there’s Microsoft Entra Verified ID for decentralized identities. Let’s dig into what each of these offers and why you should consider using them. Incidentally, if you’re wondering about the name, it’s an allusion to Entrance / gaining entry, and it ties in with two other name changes a little while ago – all the privacy-focused services in Microsoft 365 are now under the “Priva” name, and all the compliance features are under the Purview name.

Microsoft Entra Permissions Management

This cloud-based service is a Cloud Infrastructure Entitlement Management (CIEM) solution. It’s multi-cloud and can be connected to Azure’s, AWS’s, and GCP’s cloud identity and permissions systems. The basic premise is that there are so many permissions (40,000 across the three clouds, according to Microsoft) that tracking them manually is impossible to ensure that each assignment is privileged.  Instead, EPM (I’m going to stick with that) gives you a Permissions Creep Index (PCI), showing you the difference between assigned and used permissions for each user account, workload, or group. You can then easily right-size permissions to the required ones, lowering the gap between assigned and used permissions. There’s also an option to request permissions for those one-off situations where an administrator needs higher permissions for a particular task. I set it up for one of my clients (who only uses Azure), and it’s fairly straightforward to start with. Obviously, it’ll appeal to larger businesses with many administrators, especially when they’re using two or three clouds. The problem EPM helps address is definitely an issue (ever heard of a breach of a cloud instance due to lax permissions?), and it’s nearly impossible to do manually. Having this automated tool gives you a visual way to see the gap between granted and used permissions, and that’s very helpful:

Permission Creep Index heatmap

Permission Creep Index heatmap

EPM is free during the preview – note that it’s not GDPR compliant at the moment and hence is not available in the EU, something that Microsoft will fix before it becomes generally available.

Azure Active Directory

Take a deep breath; your cheese is about to be moved –the Azure AD portal will disappear (I suspect). It’ll be replaced with the new Entra portal:

Microsoft Entra portal

Microsoft Entra portal

Currently, this portal is in preview, but eventually, it’ll be the home for all identity-based UI actions. On the left, we have the three pillars of Entra, starting with AAD. Predictably, there are a lot more blades under AAD, which mirror most of the options in the current portal (legacy? classic?).

Azure Active Directory Menu

Azure Active Directory Menu

Although it’ll take some time to re-learn where everything is, I do feel like this is a cleaner and more logical layout (although that’s often true when you make something new, and then as more features are added over time, more menu options shows up and it gets messy again). If you’re used to the current Azure AD portal, there are no real surprises here. The External identities area, for instance, has links to the new Cross-tenant access settings and External collaboration settings. Once you open one of these blades, the menu layout is the same as in the AAD portal. Interestingly, Sign-in, Audit and Provisioning logs are now under Monitoring & health, and under Hybrid management, we find Azure AD Connect Health monitoring, including Active Directory DC monitoring.

Active Directory monitoring in the Entra portal

Active Directory monitoring in the Entra portal

Another recent addition to Entra is protection for workload identities. Until now, there’s been a strong focus on user identity (MFA, passwordless) but less on application/automation/service, i.e., workload identity. This was brought into sharp focus in the SolarWinds hack, as the Russians used these types of identities to compromise their victims further. Sometimes, you’ll see these types of identities being referred to as non-human, which always makes me think of Klingons and Vulcans, but that’s probably just me. For user identities, we have Identity Protection in Azure AD (Premium P2) which identifies anomalous behavior of user accounts and each sign-in (using Machine Learning). This is now extended to workload identities as well. Furthermore, we have Access Reviews where group owners or the users themselves regularly attest that they still need particular permission; again, this is now available for applications (by designated reviewers). Finally, Conditional Access is also available for workload identities.

Conditional Access Policy for workload identities

Conditional Access Policy for workload identities

There’s another preview currently for Lifecycle workflow, which manages the whole lifecycle of joining an organization, changing roles, and then eventually leaving through entitlement management.

Verified ID

This is possibly the part of Entra that will have the most impact on your work as an IT Pro going forward (it’s also in preview at the moment). It’s the result of a technology that Microsoft has been discussing for a few years now – decentralized identity. Today, our identity is “owned” to a large extent by tech giants Google, Microsoft, Apple, and Facebook. For example, many users simply use an FB account to sign in to sites and services. But you’re not in control of your identity and can’t control exactly what data about you is being shared with various sites and services.  On the business side (where verified ID as part of Entra sits), consider the challenges of new hires joining your organization. How do you identify them, what documents do they need to show your HR department (and how do you do that in a work-from-home setting where they’re not physically present), and how do you authenticate those documents?

Setting up Verified ID in the Entra portal

Setting up Verified ID in the Entra portal

Imagine if they had a verifiable identity that they could share with you, with exactly the right information you need (and no more), and that you could trust that identity because it’s cryptographically secured. That, in a nutshell, is a verifiable identity. There are many other scenarios, such as access to high-value resources and self-service account recovery, where a strong identity would be beneficial.  Microsoft has a click-through site that steps through an employee onboarding scenario, demonstrating the power of verifiable credentials and showing how much easier it is than today’s manual processes. The current preview allows you to both issue and verify identities. The setup is fairly straightforward: you need to create an Azure KeyVault to store signing keys, etc., and you need to register an app in Azure AD.

Create a key vault for verified ID

Create a key vault for verified ID

Several verifiable credential organizations are currently supported, such as Acuant, Clear, Jumio, and others, covering 192 countries and over 6000 identification documents.

Conclusion

The cynic in me looks at this new portal and wonders if it’s a subtle way of “selling” the new CIEM solution – although the final licensing cost hasn’t been announced yet, we know it’s not going to be part of Microsoft 365 E5 or Azure AD Premium P2 licensing.  By moving everyone to the Entra portal, more users will be exposed to Permissionless’s Management, be curious as to what it can do, and eventually become paying customers. But maybe that’s too cynical a view. Maybe having one portal for identity, one for security, and one for compliance makes sense. No matter what, Entra is here (at least in the preview). It’ll change some of your processes around workload identities, permissions management across clouds, and how you onboard new hires, plus other areas where decentralized identities will make your life easier. It’s exciting, and I can’t wait to see these services come out of preview so we can get a clearer picture of the licensing cost, scope, etc.
Use Microsoft Defender for Cloud Apps to Protect your M365 Tenant

Use Microsoft Defender for Cloud Apps to Protect your M365 Tenant

To say the IT world is changing would be an understatement. On the contrary, it’s changing quicker than it used to, which is common knowledge. But the ramifications of those changes can be hard to perceive when we’re in the middle of the shifting sands.  A few years ago, good firewall systems with content filtering and malware inspection were considered state-of-the-art. Today, you have two problems: first, most of your users aren’t in the office, so they’re not behind that big “blinky light” protector, and second, most of the applications and services your users are accessing aren’t on-premises anymore, they’re cloud services that they access from any device with an internet connection. No problem, says the older, “pry my servers from my cold, dead hands.” IT Pro, we’ll just force everyone’s traffic back to on-premises via VPN, and then we can inspect all the traffic. Sounds good? Quick question: when your VPN went from 10% of the workforce using it to 100% at the start of 2023 – how was the user experience? And even if that was mitigated, how’s their experience when they’re using Teams / Zoom? Not quite so “modern” anymore? The point is that security firewalls and filtering need to move with the times, and in this article, we’re going to discuss Cloud Access Security Brokers (CASBs) and, specifically, Microsoft’s Defender for Cloud Apps (MDCA), up until recently known as Microsoft Cloud App Security (MCAS). We’ll also look at how you can use MDCA specifically with Microsoft 365. But first, what is a CASB?

What is a Cloud Access Security Broker (CASB)?

A Cloud Access Security Broker (CASB) emerges as a pivotal player in ensuring the security of cloud-based applications and services. CASBs act as a gatekeeper, mediating between users and cloud service providers to enforce security policies and maintain the integrity of data. One of the primary roles of a CASB is to enforce security policies. As we migrate to cloud services, traditional on-premises security measures become less effective. CASBs step in to fill this gap by providing security at the cloud level. They ensure that organizational policies regarding data access, sharing, and storage are uniformly applied across all cloud services. These security solutions offer unparalleled visibility into cloud application usage, allowing you to monitor and control the flow of sensitive information. This visibility is crucial for compliance with various regulatory standards such as GDPR, HIPAA, and SOX. CASBs can identify and classify sensitive data stored in the cloud, monitor its movement, and enforce compliance policies. CASBs play a vital role in managing who has access to cloud applications and data. They integrate with existing identity management systems to provide secure authentication and Single Sign-On (SSO) capabilities. This ensures that only authorized users can access sensitive cloud resources. In this context, Microsoft Defender for Cloud Apps, a leading CASB solution, plays a pivotal role in securing cloud environments. It offers comprehensive protection across several dimensions of cloud security. With its advanced capabilities in data protection, threat detection, and seamless integration with various cloud services, it represents a robust solution for managing and securing cloud applications. Defender for Cloud Apps extends its functionality to monitor a wide range of cloud applications, thereby ensuring that organizations have the tools they need to secure their cloud footprint effectively. With the exponential growth in cloud adoption, the importance of CASBs cannot be overstated. They are not just tools for security; they are essential components of a modern cloud strategy. CASBs bridge the gap between the dynamic nature of cloud services and the need for robust security and compliance. They enable us to harness the power of the cloud while ensuring that data and applications remain secure and compliant with internal and external regulations. With that said, let’s dive deeper into Microsoft Defender for Cloud Apps and learn more about its potential. 

Deploy Microsoft Defender for Cloud Apps

While the new name makes perfect sense, I know I’ll have to deal with numerous questions about the difference between it and Microsoft Defender for Cloud, the new name for Azure Security Center and Azure Defender. Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Defender for Cloud), whereas Defender for Cloud Apps is all about spotting shadow IT, managing SaaS service access by your end-users, and applying policy. Let’s start with how it works – MDCA needs access to data on what apps your users are browsing on the internet. You can continuously upload logs from your on-premises firewalls and proxy servers, integrate directly with a set of cloud services with API connections, and use Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that can be integrated into MDCA is increasing; at the time of writing, they are:
  • Atlassian (Preview)
  • AWS
  • Azure
  • Box
  • Dropbox
  • Egnyte
  • GCP
  • GitHub Enterprise Cloud
  • Google Workspace
  • NetDocuments
  • Office 365
  • Okta
  • OneLogin
  • Salesforce
  • ServiceNow
  • Slack
  • Smartsheet
  • Webex
  • Workday
  • Zendesk
The list of supported firewalls and proxies is too long to list, but you can find it here. It includes all the usual suspects plus cloud-based “firewalls” such as Zscaler and iboss. You can also use Syslog or FTP with “container appliances” to upload custom logs to MDCA, and you can customize the log parser if you need to. As mentioned, if you’re using Defender for Endpoint (MDE) Plan 2 on Windows 10/11, it’s an excellent way to gather data for MDCA. Note that while MDE also supports Android, iOS, Linux, and MacOS, they’re not supported as agents for MDCA today, and Defender for Business (in public preview) and Defender for Endpoint Plan 1 (included in Microsoft 365 E3) also aren’t supported.  Since both MDCA and Endpoint Plan 2 are part of Microsoft 365 E5 licensing, this is less of a hurdle than you might think (see flavors below). The steps to integrate them are really simple: a single slider in each portal needs to be enabled. The power this brings is not to be underestimated; you get a full 360 view of all services accessed by your users, no matter where they’re working and how they’re connecting, and you can apply policies to them.

Shadow IT Discovery

OK, once you have data flowing into Defender for Cloud Apps through any of the methods above, you’ll start getting Cloud Discovery reports. This will tell you what service categories are most used, which apps are most used by your users, and if there’s the usage of high/medium and low-risk apps. Commonly known as shadow IT, this is the usage of apps that the business isn’t aware of, including the potential storage of sensitive data in these locations. It’s vital that this is discovered and managed, and Defender for Cloud Apps helps you a lot with this task.

Defender for Cloud Apps Cloud Discovery dashboard

Defender for Cloud Apps Cloud Discovery dashboard

Based on this data, you can start digging into the riskiest apps with high usage and identify why they’re being used and what the risks are. There’s a built-in catalog of 30,036 apps (and growing; the last time I looked, it was just over 27,000). Each app/cloud service in the catalog has an overall score from 1-10, based on four categories: General, Security, Compliance and Legal.

Defender for Cloud Apps catalogue listing

Defender for Cloud Apps catalog listing

The point of the catalog is to give you instant visibility into the security stance (perhaps of a service you’ve just found out is used by the entire finance department) and regulatory compliance of an app without having to spend hours digging through their website or requesting more information from them. For instance, if your organization requires suppliers to adhere to a specific compliance regulation, you can filter the catalog to identify any application in use that doesn’t. The next step is to sanction or unsanction an app. The latter will block access if you’re using Defender for Endpoint, Zscaler, or iboss, and there are options to download a script to add the block to on-premises firewalls. But even if you’re not outright blocking the use of these apps, it does allow you to track down the users and suggest an alternative app with a better security track record. Another way that I find this discovery useful is by letting me find popular apps that I can publish through Azure Active Directory for users to add governance around their usage.

Using Defender for Cloud Apps

You can use several types of policies to detect risky behavior and suspicious activity and, in some cases, automatically remediate the issue.  Activity policies use the APIs of integrated applications and let you build custom alerts for multiple failed sign-ins and large amounts of file downloads or logins from unusual countries or regions. Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and Machine Learning, and for most detections, it takes seven days to establish a baseline so it can identify what’s unusual. Signals used in these policies include risky IP addresses, inactive accounts, locations, devices, user agents, etc.  Malware detection across Box, Dropbox, Google Workspace, and Office 365 (when used with Defender for Office 365) is one of these policies.

Defender for Cloud Apps activity policy to catch ransomware

Defender for Cloud Apps activity policy to catch ransomware

OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by end-users (if you allow this) or by administrators. We covered the risks and mitigations in-depth in an article and webinar. File policies bring a built-in DLP engine to inspect content across 100+ file types and allow you to take automated action when the content matches your criteria. You can create policies for publicly shared files, files shared with a specific domain or with a specific set of unauthorized users, and even for specific high-risk file extensions. Access policies are a very cool concept, essentially combining the best of Azure AD Conditional Access policies with the app control of MDAC. You deploy the apps using Conditional Access App Control, and this lets you not only block access to applications based on the user’s device, for instance, but it also allows you to use session policies to control what a user can do in the app. You can monitor all activity, block all downloads, block specific activities, require step-up authentication for sensitive tasks, protect files on download or upload, block malware, and educate users on protecting sensitive files.

Defender for Cloud Apps cloud discovery anomaly detection policy

Defender for Cloud Apps cloud discovery anomaly detection policy

Finally, App discovery policies alert you to new cloud services that are being used (to continue the fight against Shadow IT), and cloud discovery anomaly detection policies alert you to unusual activity in cloud apps. Unlike many other security applications, what I like about Defender for Cloud Apps is that it creates many default policies for you “out of the box,” so you’re getting good protection even before you create your own policies. Alerts from these policies can be sent as emails or text messages, or you can use a Power Automate playbook to notify the right people. You can also automatically disable a user account, require the user to sign in again, or confirm them as compromised to automatically contain a potential attack. As you can see, you can provide granular control over what your users can and can’t do in cloud applications, and if they’re working from home (on Windows 10/11 devices), they’re still under your purview. Note that it’s not only end-user SaaS services that are protected with Defender for Cloud Apps: AWS, GCP, and Azure admin access and usage can also be monitored and controlled. The integration with the rest of the Microsoft 365 Defender stack is also strong; here’s an example of a Data Loss Prevention policy being used to control sensitive data in third-party apps. Microsoft 365 Data Loss Prevention Policy integration

Microsoft 365 Data Loss Prevention Policy integration

Flavors of Defender for Cloud Apps

There are three flavors of Defender for Cloud Apps; the full version we’ve described so far is part of Microsoft 365 E5 licensing (or a stand-alone license). With Office 365 E5, you get Office 365 Cloud App Security, which only has a catalog of about 750 cloud apps (that are similar in functionality to Office 365), only manual upload of firewall logs for analysis, app control, and threat detections for office type apps only and Conditional Access App Control for Office 365 apps only. On the other hand, Cloud App Discovery is part of Azure Active Directory Premium P1 and brings the full catalog of cloud apps and both manual and automatic log upload but no information protection / DLP or threat detections at all (hence the name “discovery”). Here’s a deep dive on licensing if you really have trouble going to sleep. Alternatively, I appeared on an episode of the Sysadmin DOJO Podcast discussing this exact topic:

Defender for Cloud Apps for Microsoft 365

There’s quite a steep price jump from Microsoft 365 E3 to E5. Today, if your business collaboration is built on Office 365, digital transformation is the aim of the business, and people are working from anywhere, the power of Defender for Cloud Apps, with Defender for Endpoint as the agent, makes it a lot easier to convince the bean counters. If you’re an MSP and have clients with strong security and compliance needs (financial industry, lawyers, medical facilities, etc.), even if they’re an SMB, consider upgrading to E5. This doesn’t just give you Defender for Cloud Apps; it also offers Defender for Identity along with a whole heap of other security features. To properly protect your Hyper-V virtual machines, use Altaro VM Backup to backup and replicate your virtual machines securely. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy. To keep up to date with the latest Hyper-V best practices, become a member of the Hyper-V DOJO now (it’s free).

Conclusion

As you can tell, Defender for Cloud Apps is a powerful tool with numerous uses. Its comprehensive features, ranging from shadow IT detection to robust policy enforcement and integration with a broad spectrum of cloud services, make it an indispensable asset for any organization leveraging cloud technology.  This solution not only enhances security but also streamlines compliance, offering a seamless blend of protection and convenience. The versatility of Defender for Cloud Apps is further underscored by its adaptability across various cloud environments, including AWS, GCP, and Azure. This adaptability ensures that businesses can maintain a high security posture while embracing the flexibility of cloud services.  To learn more, visit the Ninja training page (each Microsoft security product has one), which is a set of links to webinars, docs pages, blog articles, interactive guides, product videos, and GitHub repositories.
What you Need to Know about Data Loss Protection in Microsoft 365

What you Need to Know about Data Loss Protection in Microsoft 365

Data is seen as the “new gold” for enterprise organizations as it is the lifeblood of the business revenue stream. No matter what industry, product, or solution a business offers, most companies have embraced data-driven processes to meet modern business challenges in today’s world. It underscores the importance for organizations to protect their data at all costs. Data Loss Prevention (DLP) solutions provide the capabilities for businesses to protect their data. Companies must include their cloud SaaS solutions as part of their overall DLP strategies. The Microsoft 365 cloud SaaS solution provides robust DLP capabilities built into the platform. We will look at how to protect your business data in Microsoft 365 with DLP and backup. Before diving into the Microsoft 365 DLP solution, let’s look at what DLP is in general and why do companies need it. Most organizations have sensitive data that would be highly damaging to fall into the wrong hands. Data, including financial data, trade secrets, personally identifiable information (PII) data for customers, health records, or other traditionally sensitive information such as social security numbers (SSNs) or credit card numbers (CCNs) is deemed sensitive.

What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) refers to the set of tools and solutions that protect against the loss, leak, misuse, or unauthorized access of sensitive data. It’s a critical aspect of complying with stringent regulations in today’s data-driven world. Failure to implement effective DLP measures can lead to severe consequences, including steep fines and regulatory violations. DLP is a framework that enforces remediation with protective measures that prevent users from accidentally or intentionally sharing data that places a business at risk. Data Loss Prevention is often categorized as a compliance concern for businesses since most compliance frameworks require organizations to proactively protect sensitive data. Maintaining strict adherence to compliance regulations is beneficial to customers, end-users, and businesses as it helps protect everyone involved. However, compliance can present challenges as organizations move into cloud Software-as-a-Service (SaaS) environments. Often, businesses have a solution that helps with DLP and other compliance concerns in on-premises environments. However, as they move to cloud SaaS and other cloud offerings, the traditional tools and solutions are no longer relevant to modern cloud architectures. As a result, organizations often must rethink their tooling and strategies for DLP as they migrate business-critical data to the cloud.

Data leaks can be catastrophic

A significant driver for giving due attention to compliance and DLP initiatives is the destructive nature of data breaches. The sheer financial repercussions alone can be substantial. The IBM Cost of a Data Breach 2023 Report helps to emphasize the fiscal implications of a data breach event. Note the following findings for 2023 derived from the experiences of more than 550 global organizations:
  • $4.45 million – the average cost of data breaches in 2023, representing a 15% increase over a three-year period
  • 51% of organizations plan on investing in cybersecurity – causes include data breaches – particularly in incident response, planning, testing, employee training, and advanced threat detection tools 
  • $1.76 million – the average a company saves by investing in cybersecurity and AI automation
  • 1 in 3 breaches were detected by an organization’s security teams or tools
  • $470,000 – the average cost of ransomware that didn’t involve law enforcement
  • Since 2020, healthcare data breaches have increased by 53.3%
  • 82% of all data breaches involved data stored in the cloud
As the numbers show, a data breach can ruin a business financially. Part of the cost of a data breach event is also the regulatory compliance implications as a result. These can be significant. For example, in cases of gross negligence leading to a data breach, the General Data Protection Regulation (GDPR) can fine a business as much as €20 million or 4% of the global turnover, whichever is more. Compliance is no longer a “nice to have” for businesses. Current compliance regulations have “real teeth” to impose fines and other legal ramifications.

In Cloud SaaS, DLP is Your Responsibility

Organizations may misunderstand the responsibilities of cloud service providers when they move their data to cloud SaaS environments like Microsoft 365. Many may assume protecting their data is now solely the cloud service provider’s responsibility. While hyperscale cloud service providers like Microsoft provide robust cloud architectures that do well to help protect your data from loss, the burden of responsibility for business-critical data rests with the cloud SaaS customer. Cloud service providers such as Microsoft operate on a “Shared Responsibility Model” that places responsibility for the data itself with the customer. In the “Shared Responsibility in the cloud,” note specifically the section of “Responsibility always retained by the customer.” Among the responsibilities that fall within the organization is the responsibility for information and data.

The shared responsibility model defined by Microsoft for cloud environments The shared responsibility model defined by Microsoft for cloud environments

Given that information and data are the customer’s responsibility, organizations must take the compliance and security of their data seriously.

Cloud SaaS Backups are Essential

Often, Data Loss Prevention (DLP) focuses on the data leak aspect of losing data. However, DLP also indirectly relates to data protection. Most organizations today have a solid on-premises backup solution they use to protect mission-critical workloads running in on-premises enterprise data centers. However, as mentioned earlier, there is a notion that data backups are no longer needed once data is migrated to cloud SaaS environments. This idea can prove to be a grave mistake for organizations that suffer data loss from human error or a malicious attack at the hands of ransomware. The shared responsibility model used by hyperscale cloud service providers such as Microsoft places all aspects of protecting your information and data, including backups. Backing up ALL your data, including Office 365 workloads, is the cornerstone of any data protection strategy and business continuity plan.

What is Microsoft 365 Data Loss Prevention (DLP)

Microsoft has not left organizations on their own regarding Data Loss Prevention (DLP) in the Microsoft 365 cloud SaaS environment. Microsoft has baked DLP into the Microsoft 365 SaaS environment using DLP policies. Microsoft 365 DLP is part of the Microsoft 365 Compliance tools that protect your sensitive data, no matter where it is stored and accessed. Microsoft 365 DLP policies allow businesses to monitor end-user activities and how users access sensitive data, whether at rest, in transit, or in use. You can log into the Microsoft 365 Compliance Center here:

Microsoft 365 Compliance Center Microsoft 365 Compliance Center

The DLP policies then allow taking protective action based on sensitive data access. For example, Microsoft 365 DLP policies can take action when a user attempts to copy sensitive data from the sanctioned Microsoft 365 business environment to an unapproved location. Additionally, it can block the sharing of sensitive information in an email or other restrictions defined in the DLP policy. Other protective actions that can be defined in the DLP policy include:
  • Warn a user they may be trying to share a sensitive item inappropriately
  • Block the sharing and, via a policy tip, allow the user to override the block and capture the user’s justification
  • Block the sharing without the override option
  • For data at rest, sensitive items can be locked and moved to a secure quarantine location
  • With Teams chat, the sensitive information will not be displayed

Navigating to Data Loss Prevention in Microsoft 365 Compliance Center Navigating to Data Loss Prevention in Microsoft 365 Compliance Center

Visibility is essential for DLP to ensure your sensitive data is compliant. Microsoft 365 DLP outputs the monitored activity events to the Microsoft 365 Audit Log, unified auditing, and “event viewer” of sorts for your Microsoft 365 cloud environment. It provides visibility to user and administrator activities in your organization. As mentioned, the Microsoft 365 Audit Log is “unified.” This aspect of the logging capabilities in Microsoft 365 is important for DLP enforcement as it allows easy searching of the audit log for activities performed in different Microsoft 365 services. In addition, the sheer breadth of cloud services offered in Microsoft 365 is staggering, so the unified logging capabilities provide a single-pane-of-glass view for activities affecting your Microsoft 365 security and compliance. To take advantage of the Microsoft 365 Compliance Center auditing, you need to start recording user and admin activity.

Configuring Microsoft 365 Auditing to record user and admin activity Configuring Microsoft 365 Auditing to record user and admin activity

Microsoft 365 DLP vs. Microsoft Information Protection (MIP)

Many are confused with the various offerings from Microsoft related to compliance and data loss prevention. Microsoft Information Protection (MIP) helps discover, classify, and protect sensitive information. It is a suite of technologies rather than a single product. The capabilities of MIP include the Data Loss Prevention (DLP) capabilities found in Microsoft 365.
  • Sensitive information types (SITs)
  • Trainable Classifiers
  • Data Classification
  • Sensitivity Labels
  • Azure Information Protection (AIP) unified labeling client, now Microsoft Information Protection
  • Azure Information Protection (AIP) unified labeling Scanner, now Microsoft Information Protection
  • Azure Purview
  • Double Key Encryption (DKE)
  • Office 365 Message Encryption (OME)
  • Service encryption with Customer Key
  • SharePoint Information Rights Management (IRM)
  • Rights Management connector
  • Microsoft Cloud App Security (MCAS)
  • Microsoft Information Protection (MIP) SDK
  • Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is Not a Substitute for Cybersecurity

It is essential to understand that while DLP is required to satisfy regulatory compliance demands and prevent data leak catastrophes, it is not an all-inclusive cybersecurity solution. While DLP should be part of your overall cybersecurity stance, it does not protect your environment from hackers. Data Loss Prevention helps organizations enforce governance restrictions with business-critical and sensitive data. However, it does not protect your environment from a ransomware attack, stolen credentials, phishing emails, malicious third-party applications, and other threats in the cloud. On the other hand, strong cybersecurity measures do not protect your organization from data leak events when users transmit or share data accidentally or intentionally. DLP helps organizations protect from insider threats, while other cybersecurity measures and technologies help protect them from outside threats posed by attackers and other malicious activities. Microsoft has other products that help organizations protect from malicious threats such as email compromise and credential phishing. Microsoft Defender for Office 365 provides deep inspection and can sandbox executables to understand if it is legitimate based on intent and behavior. Advanced artificial intelligence (AI) and machine learning (ML) in ATP help to protect your business-critical and sensitive data from attackers. Learn more about that solution here: 365 Total Protection from Hornetsecurity offers comprehensive protection for Microsoft cloud services – specially developed for Microsoft 365 and seamlessly integrated to provide comprehensive protection for Microsoft cloud services. Easy to set up and extremely intuitive to use, 365 Total Protection simplifies your IT Security management from the very start.

Data Loss Prevention (DLP) is Not a Substitute for Backup

Although Data Loss Prevention sounds like backup, as you can see, it’s not the same thing. Your information governance plan for your business should include DLP, Information Protection, AND Backup. Office 365, Exchange Online, and SharePoint Online / OneDrive for Business uses various data protection technologies to ensure your data is highly available and protected against hardware failure. Still, there’s NO backup in a separate system and no way to “go back in time.” Make sure you complement DLP and Information Protection with solid third-party backup services for Office 365, such as Altaro’s Office 365 Backup.

Microsoft 365 DLP Default Policy

In the Microsoft 365 Compliance Center, a default Data Loss Prevention (DLP) policy is listed, aptly named Default Office 365 DLP policy. The policy contains two safeguards by default, helping to protect organizations from data leaks involving credit card numbers. Let’s take a closer look at the default DLP policy, as it helps to get a feel for the configurable policy settings.

Viewing and editing the default Data Loss Prevention (DLP) policy in Microsoft Compliance Center Viewing and editing the default Data Loss Prevention (DLP) policy in Microsoft Compliance Center

The default DLP policy already configured in your Microsoft 365 environment applies to Exchange email, SharePoint sites, and OneDrive accounts. The great thing about Microsoft 365 DLP policies is you can effectively implement DLP policies across multiple services at the same time. As you see below, the policy applies to Exchange email, SharePoint sites, and OneDrive accounts.

Services assigned to the default Microsoft 365 DLP policyServices assigned to the default Microsoft 365 DLP policy

The default DLP policy contains two advanced DLP rules out of the box. The advanced rules contain conditions and actions that define the protection requirements for the policy. You can edit the existing rules or create new ones. The two default rules in the advanced DLP ruleset are:
  • Items containing 1-9 credit card numbers shared externally
  • Items with 10 or more credit card numbers shared externally

Default advanced rules contained in the Microsoft 365 DLP policy Default advanced rules contained in the Microsoft 365 DLP policy

You can see how the policy rules are configured if you edit one of the default policies. Under Conditions, the Sensitive info types are set to Credit Card Number.

Sensitive info types configured for Credit Card NumberSensitive info types configured for Credit Card Number

It is configured to look for the CCNs that are shared with people outside my organization.

Data shared outside the organizationData shared outside the organization

The Microsoft 365 DLP policies, by default, are configured for user notifications. These notify the following:
  • The person who sent, shared, or modified the content
  • Owner of the SharePoint site or OneDrive account
  • Owner of the SharePoint or OneDrive content
You can also configure additional notification rules to send emails to other recipients.

Notification rules for the Microsoft DLP policyNotification rules for the Microsoft DLP policy

Another configurable setting in the Microsoft 365 DLP policy settings is to allow overrides. This setting allows users to override policy restrictions in Exchange, SharePoint, OneDrive, and Teams. It is a setting that needs to be used with caution as it can potentially violate compliance and governance. As seen below, you can additionally require a business justification to override. Admins can also choose to receive alerts with user override activity.

Allowing user overrides from M365 servicesAllowing user overrides from M365 services

Built-in Templates

One of the really nice features Microsoft has built into the Microsoft 365 DLP policy configuration wizard is templates. Depending on the type of compliance, industry, and other factors, the templates make it much easier to start with a good baseline of DLP policy settings.

Using Microsoft 365 DLP templatesUsing Microsoft 365 DLP templates

Microsoft 365 Endpoint DLP

With Microsoft 365 DLP, organizations must monitor the actions taken on sensitive data and help prevent the unintentional sharing of those items. However, there is another aspect – the endpoint. Microsoft 365 Endpoint data loss prevention (Endpoint DLP) provides the capabilities to extend the activity monitoring and protection capabilities to sensitive items physically stored on the endpoint. These may include Windows 10, 11, and macOS (currently in public preview) devices. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance
The Endpoint DLP solution allows companies to onboard the devices into the Microsoft 365 compliance solution and monitor activities and actions taken on the endpoint. In addition, using DLP policies, protective actions can be enforced to provide DLP guardrails for the clients. There are specific activities Microsoft 365 Endpoint DLP allows monitoring and acting upon with Windows 10, Windows 11, and macOS devices. These include the following:
  • Upload to cloud service or access by unallowed browsers
  • Copy to other apps
  • Copy to USB or other removable media
  • Copy to a network share
  • Printing a document
  • Copy to a remote session
  • Copy to a Bluetooth device
  • Create an item
  • Rename an item
You can also monitor specific file types, including:
  • Word files
  • PowerPoint files
  • Excel files
  • PDF files
  • .csv files
  • .tsv files
  • .txt files
  • .rtf files
  • .c files
  • .class files
  • .cpp files
  • .cs files
  • .h files
  • .java files

Configuring Microsoft 365 Endpoint DLP settings

To configure Microsoft 365 Endpoint DLP settings, navigate to Data Loss Prevention (DLP) > Endpoint DLP settings. As you can see below, you can configure policy settings controlling:
  • File path exclusions
  • Unallowed apps
  • Unallowed Bluetooth apps
  • Browser and domain restrictions to sensitive data
  • Additional settings for endpoint DLP
  • Always audit file activity for devices

Configuring Endpoint DLP settingsConfiguring Endpoint DLP settings

As an example, let’s set up unallowed browsers. Under Browser and domain restrictions to sensitive data > Unallowed browsers > Add or edit unallowed browsers.

Adding Unallowed Browsers in a Microsoft 365 Endpoint DLP policyAdding Unallowed Browsers in a Microsoft 365 Endpoint DLP policy

Next, you will select or add the executable for the unallowed browser for your Endpoint DLP policy.

Choosing unallowed browsers for your Endpoint DLP policyChoosing unallowed browsers for your Endpoint DLP policy

Onboarding devices into Microsoft 365 Endpoint DLP

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. You can enable device management and onboard devices using the Microsoft 365 Compliance portal. Onboarding is accomplished by downloading and running the script on the endpoint. You can also onboard devices using Group Policy, Microsoft Endpoint Configuration Manager, Mobile Device Management tools, and onboarding virtual desktop infrastructure (VDI) devices.

Onboarding devices into Microsoft 365 Endpoint DLP Onboarding devices into Microsoft 365 Endpoint DLP

Does DLP Cover All Your Data Loss Needs?

Compliance and governance are both extremely important initiatives for organizations today. Most compliance regulations require Data Loss Prevention (DLP) and helps prevent the accidental or intentional sharing of sensitive data outside the sanctioned environment. Microsoft 365 Data Loss Prevention (DLP) is a solution from Microsoft that helps organizations effectively meet the challenges of protecting their business-critical and sensitive data from leaking outside their Microsoft 365 environment. The policy-driven engine of Microsoft 365 allows effective building and application policies to control how data can be shared, accessed, and transmitted from Microsoft 365. It allows control of both the data that resides in the Microsoft 365 environment and the data that physically resides on the endpoint. By configuring both aspects of Microsoft 365 DLP, organizations can effectively prevent unauthorized data access of sensitive information. As covered, DLP is not an all-inclusive cybersecurity solution.  Organizations must combine DLP with other security solutions, such as Microsoft’s Defender for Office 365 or Hornetsecurity’s 365 Total Protection for protecting against phishing attacks, ransomware, and other threats, plus a backup solution such as Office 365 Backup. You can also bundle both together in 365 Total Protection Enterprise Backup.