Security Concerns of Hidden Permissions in SharePoint


SharePoint is a stalwart of collaboration and file sharing in Microsoft 365, which started its life as SharePoint Server back in 2001. Most organizations use SharePoint Online as hosted by Microsoft, and it’s become a “plumbing” technology – something that’s fundamental, sits in the background and that most people don’t take any notice of until it stops working properly.

This is even more evident in how SharePoint is used in Microsoft 365. You probably have SharePoint sites for various teams, departments, or countries, but SharePoint sites are also used as the backend file storage for everyone’s OneDrive for Business. And when you share files and folders in Teams – guess what, that storage is also backed by SharePoint. So, not only do you need to govern the data stored in SharePoint sites, but also in these other locations, and as we’ll show you – governing data access in SharePoint is hard to do.

The heritage has a downside: starting life as an on-premises piece of software and now running as a hosted service brings with it some serious security baggage. In this article we’ll show you the lack of permission visibility that can lead to security risks, and how hidden groups and hidden users make this situation even worse. Furthermore, custom permission levels can have disastrous consequences when it comes to assigning rights, and the manual management of user access is a recipe for security mistakes. Finally – custom document libraries can be an attacker’s hidden haven.

In other words – your SharePoint environment might already be infiltrated by an attacker, and you wouldn’t know it. At the very least, your permissions are likely not aligned with “least privilege”, one of the tenets of Zero Trust.

Most CISOs and security professionals are focused on the “loud” threats such as ransomware, but it’s important to be aware that there are many other avenues attackers take, and an attacker who’s been able to compromise a single user account might quietly watch the vendor invoice document folder in SharePoint for example. Gathering these documents, they may be able to change payment details in a classic Business Email Compromise attack (in this case without the email vector).

The Visibility Gap

We’ll focus most of this article on the Documents folder in your SharePoint sites – this is what most sites are used for – file sharing.

A fundamental difference, compared to traditional file shares, is that there’s no folder tree hierarchy that you can see. You can create subfolders in subfolders and so forth, and put files into any of the folders, but there’s no easy way to visualize the hierarchy, and you must click into each folder to see what’s stored in there.

To actually see which user accounts, groups or external guest users have been granted permissions to each folder (and each file, as they can have different permissions), you must click on the object and then go to Manage Access.

Manage Access Permissions for each individual folder and file


The second challenge is that while you can see the names of the groups that have been granted permissions on a particular folder, you can’t see the user accounts that are members of those groups in the Manage Access dialog. Clicking on a group name doesn’t bring up the members, in fact it does nothing.

List of groups that have been granted permissions


Determining the user accounts in a group requires a visit to either the Microsoft 365 admin center (https://admin.microsoft.com) or the Entra ID portal (https://entra.microsoft.com). Administrators will have access to these portals, but if you’re a department manager who owns a SharePoint team site and you’re trying to ascertain who’s got access to which document folders in it, you can’t complete this task without contacting the IT department.

Even more troubling (thanks to the SharePoint server heritage mentioned above) is that there is a group type in SharePoint itself, that is not visible in the Microsoft 365 admin center or the Entra ID portal, only in the SharePoint admin center (again, which ordinary users don’t have access to). If there are nested groups inside one of these groups you might have to track down those groups in one of the three mentioned admin centers. Finally, if you grant permissions to a group which has one user and one group inside of it, it’ll tell you that you’re granting permissions to two people, when in fact there could be hundreds of user accounts inside the nested group.
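The gap between the two entries the dialog counts and the accounts that actually receive access can be computed by expanding the nesting, shown here as an added example that is not part of the original article or of any Hornetsecurity tool. The group names, accounts and snapshot format are constructed assumptions.

```python
from collections import deque

# Constructed directory snapshot (all names hypothetical). Each group maps to
# its direct members: ("user", upn) or ("group", name of a nested group).
GROUPS = {
    "Finance Site Members": [
        ("user", "alice@contoso.example"),
        ("group", "All Finance Staff"),
    ],
    "All Finance Staff": (
        [("user", f"fin{i:03d}@contoso.example") for i in range(150)]
        + [("group", "Finance Contractors"), ("group", "Legacy SP Owners")]
    ),
    "Finance Contractors": (
        [("user", f"ext{i:02d}@partner.example") for i in range(40)]
        # Nests its own parent again (a cycle) and repeats a user.
        + [("group", "All Finance Staff"), ("user", "alice@contoso.example")]
    ),
    # "Legacy SP Owners" is deliberately absent: it stands for a group that
    # only exists in another admin center and cannot be resolved from here.
}


def expand(group, groups=GROUPS):
    """Resolve nested membership breadth-first.

    Returns (users, unresolved). users maps each account to the shortest
    chain of groups that grants it access; unresolved lists nested groups
    missing from the snapshot, which need a manual lookup elsewhere.
    """
    users, unresolved = {}, set()
    seen = {group}                      # guards against nesting cycles
    queue = deque([(group, [group])])
    while queue:
        name, path = queue.popleft()
        for kind, ident in groups[name]:
            if kind == "user":
                users.setdefault(ident, path)   # keep the first (shortest) path
            elif ident in seen:
                continue
            elif ident not in groups:
                unresolved.add(ident)
            else:
                seen.add(ident)
                queue.append((ident, path + [ident]))
    return users, sorted(unresolved)


def report(group, groups=GROUPS):
    """Compare what a sharing dialog would count with the effective reach."""
    users, unresolved = expand(group, groups)
    return {
        "group": group,
        "direct_entries": len(groups[group]),
        "effective_users": len(users),
        "unresolved_groups": unresolved,
    }


if __name__ == "__main__":
    print(report("Finance Site Members"))
```

The unresolved list matters as much as the count: any group that cannot be expanded from the available directory data is access that has not been reviewed.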

Hornetsecurity’s 365 Permission Manager thoroughly fixes these visibility problems, showing you all the users that have permissions to a site, folder, or file, as well as if those permissions are inherited from the site, or are unique to that object. It also surfaces external sharing, either where it has been shared with specific people outside your organization, or where an anonymous link has been created.

Another innovative feature is the ability to see SharePoint / OneDrive for Business sites “through the eyes” of a selected user – exactly which sites / folders / documents does this user account have access to? This is useful during a forensic investigation (what data did the attacker who compromised this account have access to?), insider risk cases (what’s the blast radius of this malicious employee?), and data governance (do our permissions match our data access policies?).

Permission Levels

SharePoint Online provides four levels of access permissions to folders and files: Owner, Can edit, Can View and Can’t Download (= view but not save files locally). However, SharePoint Server had and still has a more comprehensive model – with multiple built-in permission levels, as well as the ability to create custom permission levels.

The first issue that this leads to is that when you check permissions granted on an object, the UI will “round off” to the closest permission level granted. Design, for example, is a legacy level that grants more permissions than Edit, but this is shown as Edit in the UI.

Much scarier, however, is the ability to create custom permission levels with the same name as a built-in one – such as “read”. This level could be granted every available permission (definitely not just read). Not only does that mean a casual check of permissions granted would lead you to assume that a group or user only has read access, but if you do decide to investigate why there are two permission levels called read / Read, it turns out that the UI will show you the built-in permission level, not your custom one. The URL in SharePoint isn’t case sensitive, so when a custom permission level has the same name as a built-in one, it will show you the built-in one.
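A check for this name collision can work on the permission masks instead of the names, shown here as an added example that is not from the article or from Hornetsecurity. The field names follow the shape of SharePoint role definitions (Name, RoleTypeKind, BasePermissions High/Low); the export itself, the custom entries and the rule that RoleTypeKind 0 marks a non-default level are assumptions.

```python
# Constructed sample shaped like a role-definition export. The two custom
# entries (RoleTypeKind 0) and their ids are made up for illustration.
ROLE_DEFS = [
    {"Id": 1073741829, "Name": "Full Control", "RoleTypeKind": 5,
     "BasePermissions": {"High": "2147483647", "Low": "4294967295"}},
    {"Id": 1073741826, "Name": "Read", "RoleTypeKind": 2,
     "BasePermissions": {"High": "176", "Low": "138612833"}},
    # Same name as the built-in level apart from case, but every bit set.
    {"Id": 1073741930, "Name": "read", "RoleTypeKind": 0,
     "BasePermissions": {"High": "2147483647", "Low": "4294967295"}},
    # A custom level with its own name: not a collision, must not be flagged.
    {"Id": 1073741931, "Name": "Vendor Upload", "RoleTypeKind": 0,
     "BasePermissions": {"High": "176", "Low": "138612835"}},
]

# Subset of the SPBasePermissions flags (low 32 bits) that matter most when
# a level claims to be read-only.
KNOWN_RIGHTS = {
    0x00000002: "AddListItems",
    0x00000004: "EditListItems",
    0x00000008: "DeleteListItems",
    0x00000800: "ManageLists",
    0x02000000: "ManagePermissions",
    0x40000000: "ManageWeb",
}


def mask(role):
    """Combine the High/Low halves into one 64-bit permission mask."""
    bp = role["BasePermissions"]
    return (int(bp["High"]) << 32) | int(bp["Low"])


def find_shadowing_levels(role_defs):
    """Flag custom levels whose name matches a built-in one ignoring case.

    Assumption: RoleTypeKind 0 means "not one of the default role types".
    For each hit, report the rights the custom level grants beyond the
    built-in level it is named after.
    """
    builtin = {r["Name"].casefold(): r
               for r in role_defs if r["RoleTypeKind"] != 0}
    findings = []
    for role in role_defs:
        if role["RoleTypeKind"] != 0:
            continue
        twin = builtin.get(role["Name"].casefold())
        if twin is None:
            continue
        extra = mask(role) & ~mask(twin)   # bits set only in the custom level
        findings.append({
            "custom_name": role["Name"],
            "custom_id": role["Id"],
            "shadows": twin["Name"],
            "extra_bit_count": bin(extra).count("1"),
            "extra_rights": [name for bit, name in KNOWN_RIGHTS.items()
                             if extra & bit],
        })
    return findings


if __name__ == "__main__":
    for f in find_shadowing_levels(ROLE_DEFS):
        print(f)
```

Reporting the id alongside the name gives a reviewer a handle on the custom level that does not depend on a name lookup.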

365 Permission Manager will surface these custom permission levels, bringing visibility and governance to your entire SharePoint Online estate. It also allows you to use built-in policies or create customized ones that you can apply across different types of sites. This then shows you where sites are deviating from your policy intent and allows you to remediate permissions with a single click.

Site vs Document Library Permissions

Another risk is that you can set custom permissions on the Document library, that are different to the overall Site permissions.

Once granted, when an audit is done, these permissions are visible, but can’t be changed in the UI.

Example user whose permissions can't be changed


Again, 365 Permission Manager will find these discrepancies, surface them as deviations from your policies, and prioritize their remediation in the handy To Do list.

Hidden Document Libraries

Normally a SharePoint site has a single Documents folder, but you can create other ones. Furthermore, you can hide such a library from the site’s navigation (so no one else knows it is there), and you can remove everyone else’s permissions from it, only granting yourself access. This will in effect create an exfiltration channel, where the attacker can copy sensitive documents from the site into their custom Document library, perhaps even returning on a regular basis to capture the latest versions of files, and then downloading them to their machine.

Hidden Document library - only visible to the attacker
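The combination described above (an extra library, absent from navigation, with its own permissions held by individual accounts) can be hunted for in a list inventory. This is an added example, not from the article or from Hornetsecurity; the field names mirror SharePoint list properties (BaseTemplate, Hidden, OnQuickLaunch, HasUniqueRoleAssignments), while the inventory, the `Principals` key and the thresholds are constructed assumptions.

```python
DOCUMENT_LIBRARY = 101   # BaseTemplate value of a document library
USER = 1                 # PrincipalType of an individual user
SP_GROUP = 8             # PrincipalType of a SharePoint group


def _lib(title, nav, unique, principals, template=DOCUMENT_LIBRARY):
    """Build one constructed inventory row."""
    return {"Title": title, "BaseTemplate": template, "Hidden": False,
            "OnQuickLaunch": nav, "HasUniqueRoleAssignments": unique,
            "Principals": principals}


# Constructed inventory of one site (all titles and accounts hypothetical).
LISTS = [
    _lib("Documents", True, False, []),
    # System library: off navigation but inherits site permissions.
    _lib("Site Assets", False, False, []),
    # Legitimate restricted library: visible, access held by a group.
    _lib("Board Papers", True, True,
         [{"LoginName": "Board Members", "PrincipalType": SP_GROUP}]),
    # Off navigation and unique permissions, but group-based access.
    _lib("Old Drafts", False, True,
         [{"LoginName": "Marketing Owners", "PrincipalType": SP_GROUP}]),
    # The pattern from the article: off navigation, one account only.
    _lib("Invoices-Copy", False, True,
         [{"LoginName": "j.doe@contoso.example", "PrincipalType": USER}]),
    # Not a document library at all (events list).
    _lib("Events", False, True, [], template=106),
]


def suspicious_libraries(lists, default_titles=("Documents",), max_users=2):
    """Return non-default document libraries showing two or more indicators.

    Indicators: not in navigation, inheritance broken, and access held only
    by a handful of individual accounts. Three indicators rate "high",
    two rate "review"; a single indicator is common for normal libraries.
    """
    findings = []
    for lst in lists:
        if lst["BaseTemplate"] != DOCUMENT_LIBRARY:
            continue
        if lst["Title"] in default_titles:
            continue
        reasons = []
        if lst["Hidden"] or not lst["OnQuickLaunch"]:
            reasons.append("not shown in site navigation")
        if lst["HasUniqueRoleAssignments"]:
            reasons.append("permissions differ from the site")
            who = lst["Principals"]
            if who and len(who) <= max_users and all(
                    p["PrincipalType"] == USER for p in who):
                reasons.append("only individual accounts have access: "
                               + ", ".join(p["LoginName"] for p in who))
        if len(reasons) >= 2:
            findings.append({
                "title": lst["Title"],
                "severity": "high" if len(reasons) == 3 else "review",
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -len(f["reasons"]))   # worst first
    return findings


if __name__ == "__main__":
    for finding in suspicious_libraries(LISTS):
        print(finding)
```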


This is a huge risk in a compromised SharePoint site and of course 365 Permission Manager will surface custom, hidden, Document libraries, and their permissions for you to remediate.

There’s another very useful feature – the ability to revoke all access to SharePoint / OneDrive for Business data for an account. If you know that an account is compromised, manually revoking access across every location is extremely time consuming – 365 Permission Manager gives you a single button to do it.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.

Conclusion

As with many Microsoft technologies, the focus on backwards compatibility has proven to be a strength when it comes to enterprises for decades. Imagine an organization with a large investment in SharePoint Server on-premises, with thousands of busy sites and Terabytes of data, migrating this to SharePoint online – this compatibility is a requirement.

However, it also has scary security implications – the reality today is that many businesses might be compromised, with bad actors exfiltrating data at will from your most precious intellectual property, with very little chance of discovery.

This is why any CISO who wants to apply comprehensive data governance to their SharePoint estate needs 365 Permission Manager.

 

I’ve been hacked! WHAT SHOULD I DO?

With Hornetsecurity’s 365 Permission Manager you can regain control of your SharePoint environment and protect your business immediately.

 

  • Remove User Access Feature: With a single click, the Offboarding feature in 365 Permission Manager allows you to revoke access and stop a hacker immediately. This immediate action can prevent further unauthorized access and potential data breaches.
  • The View as feature: Gain insight into what files a compromised user could access with the View as feature in 365 Permission Manager. This feature allows you to see SharePoint through a user’s eyes, helping you identify potential areas of unauthorized access and take corrective action.
  • Generate Reports for Forensics: Understanding the extent of a security breach is crucial for effective remediation and compliance. With 365 Permission Manager, you can generate detailed reports for forensics, showing exactly what files a user had access to and the full permissions inside all SharePoint sites and OneDrive for Business locations. This information is invaluable for identifying the scope of the breach, assessing the damage, and implementing necessary security measures to prevent future incidents.

FAQ

What are the primary security concerns associated with hidden permissions in SharePoint?

Hidden permissions in SharePoint pose significant security risks because they can allow unauthorized access without the knowledge of administrators or users. Key issues include:

  • Lack of Visibility: SharePoint’s permission settings can be complex and opaque, making it difficult to see who has access to what. This includes hidden groups and users whose permissions are not easily visible.
  • Custom Permission Levels: Custom permissions can be misleading. For example, a permission level named “read” might actually have full access rights, leading to potential security breaches if not properly managed.
  • Hidden Document Libraries: Attackers can create hidden document libraries with exclusive access, enabling them to exfiltrate data without detection. These hidden libraries are not easily visible in the SharePoint navigation, making them a significant risk.

How can 365 Permission Manager help mitigate the security risks in SharePoint?

365 Permission Manager provides several features to enhance security and governance in SharePoint:

  • Visibility Enhancement: It displays all users, groups, and permissions for sites, folders, and files, including inherited and unique permissions. This comprehensive visibility helps in identifying and addressing hidden access issues.
  • Permission Management: It surfaces custom permission levels and discrepancies, allowing administrators to standardize permissions according to policy. This reduces the risk of misconfigured access rights.
  • Access Control: The tool offers the ability to revoke all access for a compromised account with a single click, ensuring quick response to security incidents and preventing further unauthorized access.

How can Hornetsecurity help secure my SharePoint environment?

Hornetsecurity’s 365 Permission Manager enhances security by providing comprehensive visibility into all user permissions, managing and standardizing custom permission levels, and allowing for immediate revocation of access for compromised accounts. This ensures robust data governance and quick response to security incidents.

Cyber Kill Chain vs. MITRE ATT&CK: An Insightful Comparison


There are two challenges we in cybersecurity face when it comes to communicating what we do to the rest of the business (and the rest of the world). For many people, computers, networks, and Information Technology in general are opaque, and most businesspeople know how to use tech to get their job done, but not how it works “under the hood”. Hacking that technology to subvert it for malicious purposes is another level of mystery.

Hollywood doesn’t help much either, with most on-screen depictions of hacking in movies and TV shows being radically different from reality (with the exception perhaps of Mr Robot).

The first challenge is communicating the technology and basic understanding of how it works to then show how it can be misused. But the second challenge is then imparting how the criminals carry out their attacks. Most people think a hack is just a single “thing” that happened – “we got hacked” and then all the bad stuff happened, when it’s actually a set of steps.

In this article we’ll look at two different frameworks that are used to communicate hacking processes, both to the wider business and within the cyber security community – the Cyber Kill Chain, and the MITRE ATT&CK framework. We’ll look at the advantages and challenges of each of them, how they compare and how you can use them to fortify your organization’s cyber defenses.

Meet the Cyber Kill Chain

This is the older of the two approaches, having its roots in military kill chains such as the Four F’s from the US military during World War II: Find the Enemy, Fix the enemy, Fight the enemy and Finish the enemy. A more modern version is F2T2EA: Find, Fix, Track, Target, Engage and Assess; it’s called a chain because an interruption at any step can stop the whole process.


Cyber Kill Chain

Not surprisingly, it was Lockheed Martin, a large military manufacturer in the US that took this chain approach and transformed it into the Cyber Kill Chain, with seven steps (and a very different result at the end compared to the literal kill chains mentioned above).

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (often shortened to C2)
  7. Actions on objectives

As a communication tool for showing business leaders that there are steps in an attack, and that you want budget to interrupt or make each layer more difficult for the criminals, this is a good approach.

Cyber security, after all, always comes down to business risk. When you put it in those terms, the CEO, CFO, and the board are more likely to pay attention. If you start talking about technical details, you’ll soon lose them, but business risk is something they’re used to dealing with, and cyber-attacks are just one of the many risks businesses face.

Be aware that attackers may not perform every step, depending on their goals, their target, and any changes along the way, and that “attackers” might refer to different sets of people, where the early steps might be performed by an Initial Access Broker (IAB), who then sells the access to another group to actually run the ransomware and negotiate the payment.

In step one the attackers will gather information about your company and any employees of interest. This could be cursory: if they’re simply after a company with enough turnover to pay the ransom, they might look at your financials and who to target with their spear phishing emails.

It could also be more in-depth: when the Scattered Spider group went after the helpdesk at the MGM casino, they knew a great deal about the staff they were impersonating to ensure that the helpdesk would help them reset their credentials.

Phase two is taking advantage of the reconnaissance, to start exploiting a found weakness or packaging a payload, whereas step three is delivering the malicious bundle to the victims, via email, web etc.

Once the initial foothold has been established (someone clicked the link in a malicious email for example), step four starts the exploit to run code on the victim’s system, which may then continue with step five, further installations on other systems. This is often called lateral movement, as the attackers continue exploiting systems in your networks, to gain full Domain access.

They’ll also establish persistence (so they can come back in if you’re trying to expel them from your environment) and Command and Control (C2) in step six for covert communication with their external control systems. The final step, seven, involves the attackers springing their trap and encrypting all your files, after having corrupted your backup systems or perhaps exfiltrating all your sensitive data (or both).

The “other side” of the cyber kill chain consists of the defensive actions your organization should take to deal with each phase:

  1. Detect – having sensors throughout your environment that trip when an attacker is present.
  2. Deny – control access and prevent information leakage.
  3. Disrupt – disrupt malicious processes and outgoing traffic to the attacker’s infrastructure.
  4. Degrade – counterattack the attacker’s C2 systems.
  5. Deceive – interfere with the C2 infrastructure.
  6. Contain – using network segmentation so that a single breached system or identity doesn’t have full access to every other system on the network.

This approach does have its detractors, but as a conversation starter for looking at the different phases of an attack, and whether your organization has security controls in place to detect it, disrupt it and contain it, it’s a good start. It also leads neatly into the modern approach of Zero Trust:

  1. Assume breach – work on the assumption that attackers will gain access and work on detecting it, containing it, and disrupting it.
  2. Verify explicitly – authenticate and authorize both human and workload identities at each access point in the infrastructure.
  3. Use least-privilege access – only grant identities access to the systems, data, and applications they need to do their job.

The challenges with the cyber kill chain are that it doesn’t work well for insider risks, that the first couple of steps happen outside of the defender’s control (unless you stop all staff from having LinkedIn profiles and posting anything, anywhere online), and that it’s quite focused on malware. Some attackers now use Living Off the Land methods, only using built-in administrative utilities in the systems, thereby often avoiding detection.

The MITRE ATT&CK Framework

MITRE is a not-for-profit company that works for the common good in the areas of security writ large, but for this conversation we’ll focus on their enterprise matrix (there’s also one for Mobile and one for Industrial Control Systems, ICS). The weird acronym comes from Adversarial Tactics, Techniques and Common Knowledge and it was initially released in 2013.

ATT&CK framework matrix


There are 14 tactics (the “why” of the attack):

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

And each of them has Techniques (and sub-techniques), the “how” of an adversary, so while you can see some overlap with the simpler cyber kill chain in the list above, this is much more comprehensive. I like to think of it as a common language we in the cyber security industry can use to communicate about different attack techniques. There’s also tracking of 143 threat groups and which Tactics, Techniques and Procedures (TTPs) they use.

As you can appreciate the matrix encapsulates all the different techniques, making this a tool to ensure that you’ve got coverage “across the board” in your cyber security strategy. Here’s an example from one client, using the Microsoft Sentinel SIEM, and the analytics rule detection coverage across the techniques.

MITRE ATT&CK Technique Detection Coverage in a SIEM


Each Technique is described in detail. As an example, here’s T1563, Remote Service Session Hijacking, in the Lateral Movement Tactic, which has two sub-techniques (SSH Hijacking and RDP Hijacking). It has four mitigations that you can implement, and four detections that you can use to alert you if this is happening on your network. Most techniques also list Procedures, which are the actual technical tasks applying that technique to a specific application or operating system.

Technique T1563 Remote Service Session Hijacking


While the matrix is very useful, it can be overwhelming with so many techniques and procedures. It’s also important to avoid thinking of the matrix as a long list of mitigations / detections – even if you have a “tick in every box” for every technique, you can still be compromised. Remember – “Attackers think in graphs, defenders think in lists” (John Lambert), so just implementing long lists of security controls isn’t the right approach. Instead, use MITRE ATT&CK with the context of your business priorities and unique network environment to build cyber resilience.

Comparing the Cyber Kill Chain and MITRE ATT&CK

The two are related in that they describe the steps in different cyber-attacks, but they have different aims. The cyber kill chain is more generic and is an excellent introduction to the idea of hacking occurring in stages, and it’s a chain that you can interrupt with security controls. I find it very useful when communicating with non-IT and non-security people in business to get that basic understanding of the phases and how it works.

The ATT&CK matrix on the other hand is overwhelming for a non-technical audience (there are over 200 techniques) but is an excellent tool for understanding the technical steps attackers can take during a breach. And it can be used as a tool for evaluating coverage across the entire spectrum – “do we have detections for every technique in every tactic”, whilst not losing sight of the fact that even if you do, you may still be compromised.

It’s also interesting to see how these two fit into the larger landscape of regulatory frameworks that mandate certain cyber security controls, and other approaches such as the Center for Internet Security (CIS) benchmarks. CIS offers benchmarks for different operating systems, SaaS cloud services (including Microsoft 365) and IaaS / PaaS cloud platforms, and much more, for free.

These cover all the controls that you should implement as a baseline for security controls for that particular technology. Microsoft offers CIS benchmarks for both Azure and Microsoft 365 in their Compliance Manager app. And the upside is that if you implement all these controls you’ll have covered most, if not all, of the MITRE ATT&CK techniques.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

For beginners in cyber security, I recommend studying the MITRE ATT&CK framework; it’s like a common language for talking about different types of attacks.

I warmly recommend the free courses offered by AttackIQ; they’ve got one on Threat-Informed Defense which goes into detail on the MITRE ATT&CK framework. And use the Cyber Kill Chain phases when talking to the rest of the business.

Both have their place and are useful in their own right in helping you build a more cyber-resilient business.

FAQ

What is the main difference between MITRE ATT&CK and Cyber Kill Chain?

The Cyber Kill Chain is a useful communications tool when conveying cyber security concepts to non-technical people, and a basis for an overall IT security strategy for a business. MITRE ATT&CK on the other hand exhaustively lists every attack technique, grouped by tactics, and mapped to different threat actors, allowing an organization to identify detection gaps.

What are the types of a cyber kill chain?

There are a few different versions of the Cyber Kill Chain. FireEye (now part of Mandiant, which is now part of Google) proposed their variant, which also has seven steps but focuses more on the persistence of threats, whereas the Unified Kill Chain has 18 unique phases and attempts to marry the best of the original Cyber Kill Chain and MITRE ATT&CK.

What are the types of MITRE frameworks?

Generally, when people mention MITRE ATT&CK they’re referring to the enterprise matrix, but there’s also one for Mobile and one for ICS. Furthermore, there’s the D3FEND matrix of cybersecurity countermeasures which is sort of the other side of the attack techniques, all the different controls that an organization can implement to mitigate the attacks outlined in ATT&CK.

Microsoft 365 Permissions and Copilot Security – a ticking time bomb for Security and Compliance


File sharing in business is one of those technologies that mostly happens “under the radar”. New SharePoint sites are spun up for projects or groups, or new Teams are created with lots of files shared.

This sharing can be both with internal users and external users. And mostly, no one thinks twice about it, until sensitive documents and data end up in the wrong hands.

In this article, we’ll look at the challenge of data governance, document sharing in Microsoft 365 and how it applies to compliance regulations and getting your business ready for Copilot for Microsoft 365 – all with the help of Hornetsecurity’s 365 Permission Manager.

The Dangers of Unmanaged File Permissions

As CISOs and IT admins know – file sharing, both with internal groups and external collaborators is designed to be as easy and frictionless as possible to cater for the reality of the modern, mobile, collaborative digital workplace.

From a compliance point of view however, this approach can be a ticking time bomb, plus there’s a new player on the scene that might accelerate the timer on that bomb – Copilot. Microsoft is keen to push the value of Copilot security for Microsoft 365 (at $360 USD per user, per year, you can’t pay per month) and here’s the rub – Copilot has access to the same documents as the user has.

Remember Delve? That was Microsoft’s earlier tech for suggesting documents to you, created by people you collaborated with, that you might find valuable. Except sometimes businesses got a shock when they realized which documents were shared with different groups of people.

The Copilot situation is worse, because you won’t necessarily know which documents it has accessed to answer your prompt or create a new draft of a document for you.

Easy Sharing

Teams file sharing is possibly one of the most easily misunderstood avenues – when you share a file in a Teams channel, it’s actually stored in the team’s site in SharePoint. Whereas if you upload a file to a one-on-one or group chat, it’s stored in the Microsoft Teams Chat Files folder in your OneDrive for Business (which is actually a SharePoint site underneath the hood).

If you have a private channel, it gets its own, separate SharePoint site with a document library that only the members of the private channel have access to. So, the documents are all stored in various SharePoint sites, rather than in Teams itself.

And if you share a file with an external collaborator, depending on the settings your IT department has set in SharePoint Online, this might send them an email with an invitation to create a guest account in your tenant.


If you’re a CISO, you’re probably concerned at this point. Business data is easily shared internally, possibly with staff that shouldn’t have access to it, and you have limited control over this sharing.

It’s also (likely) shared with external collaborators, and you don’t have a lot of insight into this sharing either. But you must tread carefully: a knee-jerk reaction of locking down file sharing completely, with no external sharing and default tight permissions for internal sharing, will just lead to users looking for an alternative way to get their job done.

Sensitive documents might then be shared via third party cloud storage, where you have even less visibility into the risks.

On the other hand, if you’re an IT admin, tasked with managing file sharing (on top of all your other duties) this can seem like an overwhelming challenge.

Where do you even begin? Even if you can produce reports on permissions granted, and files shared externally, you don’t know what’s oversharing and what’s legitimate business. You’ll have to work with various business departments to identify this, on a site-by-site basis.

Finally, if you’re an end user, understanding what control you have over sharing documents internally and externally (which will depend on the tenant’s configuration), and how you can inventory your own role in oversharing, is near impossible to do with the built-in tools.

Data Governance

Getting a handle on your current file sharing situation using the built-in tools is challenging (in most businesses this is something that’s been part of the landscape for so long that no one has the full overview to see just how bad it is).

Auditing hundreds of sites manually is impossible, and even scripting PowerShell reports to gather the data is difficult.

Certainly, take a look at your current settings and the options you have in the SharePoint admin center which we covered in this article. But even if you tighten those settings today (they’re tenant wide), they only apply to new sharing, not existing shared sites and files.

Remember that one of the tenets of Zero Trust (and it has been around long before that) is least privilege access. In other words, only give users access to the data they need to do their job, no more. And keep this up to date as they change roles in the organization or are promoted.

This rarely happens, instead people keep existing access and just accumulate more permissions. And inventorying exactly who’s got access to what documents is hard to do with the built-in tools.

Different regulations that you might have to comply with take varying approaches to controls around file sharing. In ISO 27001:2022, “Information security, cybersecurity and privacy protection”, there’s A.8.12, Prevent the sharing of sensitive information within business communication platforms, and under A.8.3 there’s Block access to files for specific users and Create and manage access reviews.

In HIPAA, the Health Insurance Portability and Accountability Act in the US, under § 164.308(a)(4) Standard: Access control you have Review user groups and applications with access to ePHI for example.

In the US, organizations doing business with the Department of Defense need to comply with CMMC, the Cybersecurity Maturity Model Certification, with a new version, v2.0, in the works. Here, for example, SC.L2-3.13.16 has controls for Data at rest, and AU.L2-3.3.1 has System auditing.

As a last example, the CCPA, California Consumer Privacy Act, control 1798.150(a)(1) Data Security Breaches involves audit logging and Data Loss Prevention policies.

These are just a few examples, depending on where your business is located, and what vertical you’re in and the type of data you store and process, different regulations will apply.

What’s common across many of them is that you not only must control access to data with least privilege access, and audit access, often with regular access reviews – you must also be able to demonstrate to an auditor that you’re doing so. It’s not enough to say you are, you must collect and present evidence for how you’re doing it.

365 Permission Manager

What’s needed is a scalable tool that can span large tenants with thousands of SharePoint sites, which is easy to use and gives you a centralized management interface to apply policies, find deviations from those and remediate over permissioned access in bulk.

We looked at the basics of how 365 Permission Manager works here and this great video animation shows it visually. Instead of having to visit several different portals in Microsoft’s native tools, an IT administrator has a single console, and a single most important page – the To Do list.

This lists all the violations of the policies applied to every SharePoint Online site and lets you remediate in bulk, as well as provide exceptions when there’s a business justification.

To do list - the IT administrator’s best friend

There are a number of built in compliance policies that you can apply to SharePoint sites, and you can also create your own customized ones.

This is a fundamental difference between the native approach and 365 Permission Manager: instead of having a single tenant-wide default for all sites that you must then further customize for each site, you apply a policy to each site, chosen from a library that you have adapted to your business.

The concerned CISO we mentioned above is going to love the three reports that show Full Site Permissions, User & Group Access and External Access.

And end users are also involved, receiving regular emails if their sites are violating policy, with links to 365 Permission Manager to remedy issues.

End user email notification

365 Permission Manager was initially built at Hornetsecurity to manage our own SharePoint file sharing challenges, and our CISO, Olaf Petry, loves having such a powerful tool, saying:

It is critical for a CISO to effectively oversee the company’s strategy and programs to ensure adequate protection of information assets and technologies, and yet this process can be very complicated. My peers often discuss what a great pain point it is for them. Hornetsecurity’s new 365 Permission Manager will set CISOs’ minds at rest by enabling security and compliance managers and administrators to efficiently and easily control Microsoft 365 permissions, and help prevent critical data from getting into the wrong hands.

The ability to enter a username and see exactly what sites and documents a user has access to also really helps with preparing for an audit.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.

Conclusion

Whether you’re working towards compliance with a regulation, preparing your business for users with Copilot for Microsoft 365 or just want to make sure sensitive data isn’t shared too widely, the answer is simple – 365 Permission Manager.

FAQ

What are the risks associated with unmanaged file permissions in Microsoft 365?

Unmanaged file permissions pose a significant risk to data security and compliance. While file sharing is designed to facilitate collaboration, it can lead to sensitive documents ending up in the wrong hands. With the introduction of Copilot for Microsoft 365, the risks are further exacerbated, as it has access to the same documents as users, potentially compromising data privacy.

How does Teams file sharing contribute to data governance challenges?

Teams file sharing, although convenient, adds complexity to data governance efforts. Files shared in Teams channels are stored in SharePoint sites, while those uploaded to chats are stored in OneDrive for Business. Managing permissions for these shared files, especially when collaborating with external users, can be daunting for IT administrators, leading to oversight and potential data breaches.

How can businesses address data governance and compliance issues related to file sharing?

To address data governance and compliance challenges, businesses need effective tools like Hornetsecurity’s 365 Permission Manager. This tool offers centralized management of SharePoint permissions, allowing administrators to apply policies, identify violations, and remediate over-permissioned access. It provides customizable compliance policies, comprehensive reports, and end-user notifications to ensure data security and regulatory compliance.

Cyber Insurance: A Shield for Your Business in the Digital Age

In an increasingly interconnected world, where businesses rely heavily on technology, the risk of cyberattacks is ever-present.

As cybercriminals continue to evolve and become more sophisticated, the need for robust cybersecurity measures is greater than ever. Cyber insurance has emerged as a vital tool to protect your company from the financial and reputational fallout of a cyber incident.

In this article, we’ll explore why companies should consider taking out cyber insurance and how 365 Total Protection can make this process even more advantageous.

The Evolving Cyber Threat Landscape

The digital age has brought about a myriad of opportunities for businesses, but it has also given rise to new and constantly evolving risks. Cyberattacks, including data breaches, ransomware attacks, and phishing scams, are becoming more prevalent, targeting organizations of all sizes.

As a result, companies face the risk of financial loss, legal liability, and damage to their reputation.

The Case for Cyber Insurance

Here are compelling reasons why your company should strongly consider cyber insurance as part of its risk management strategy:

  1. Financial Protection: Cyber insurance covers the financial costs associated with a cyber incident, including expenses for investigating and mitigating the breach, notifying affected parties, and recovering lost data.
  2. Legal Liability: In the event of a data breach, your business may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover legal expenses and compensation.
  3. Business Continuity: A cyber incident can disrupt your business operations, resulting in revenue loss. Cyber insurance can provide financial compensation to help your company maintain its stability during and after an attack.
  4. Assistance Services: Many cyber insurance policies offer assistance services, such as access to IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an extension of your team in navigating the complex aftermath of an attack.
  5. Data Protection: Cyber insurance can also cover the costs associated with the loss, misuse, or compromise of physical and electronic data, ensuring that your valuable information is safeguarded.

The Challenges of Cyber Insurance

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

The 365 Total Protection Advantage

To help our customers overcome these challenges and secure comprehensive cyber insurance on favorable terms, we’ve partnered with Hiscox, a leading cyber insurance company in Germany. This partnership offers special conditions exclusively for Hornetsecurity customers using 365 Total Protection or any of its components. The special conditions include:

  • Discount on Premiums: Enjoy a discounted insurance premium, ensuring cost-effective coverage for your business.
  • Reduced Deductible: Benefit from a lower deductible, making it more manageable in the event of a claim.
  • Higher Indemnity Limit: Receive a higher indemnity limit to cover potential losses during a business interruption.
  • Simplified Application Process: We’ve streamlined the application process for our customers. All you need is proof that you are using 365 Total Protection or just one of its included services, making the process hassle-free.

Conclusion

As the digital landscape continues to evolve, the importance of protecting your business from cyber threats cannot be overstated.

Cyber insurance is a critical tool that provides financial protection, legal assistance, and peace of mind in the face of cyber incidents.

With our partnership with Hiscox, 365 Total Protection customers can enjoy special conditions, making the process of obtaining cyber insurance more advantageous than ever before.

Don’t wait until a cyber incident threatens your business – take proactive steps to safeguard your digital assets and secure comprehensive cyber insurance.

Reach out to us today to learn more about the exclusive benefits of our cooperative agreement with Hiscox and how 365 Total Protection can help you protect your company in the digital age.

Learn more about 365 Total Protection and request a free trial: https://www.hornetsecurity.com/en/services/365-total-protection-compliance-and-awareness/

FAQ

What is cyber insurance, and why do businesses need it?

Cyber insurance is a type of insurance that helps protect businesses from financial losses resulting from cyberattacks and data breaches. It can cover costs associated with data recovery, legal fees, and reputation management. As cyber threats continue to evolve, businesses need this insurance to mitigate the financial impact of potential cyber incidents.

What types of cyber threats does cyber insurance typically cover?

Cyber insurance policies can vary, but they often cover a wide range of cyber threats, including data breaches, ransomware attacks, DDoS attacks, social engineering, and insider threats. Some policies, like Hiscox’s, may also cover third-party liability, such as claims from affected customers or partners.

What factors influence the cost of cyber insurance?

The cost of cyber insurance can vary based on several factors, including the size and industry of the business, its cybersecurity practices, the amount of coverage needed, and the location of the company. Companies with strong cybersecurity measures in place may pay lower premiums than those with weaker protections.

Does cyber insurance cover the full cost of a cyberattack?

Cyber insurance policies typically do not cover the full cost of a cyberattack. They provide coverage up to the policy limit, and there may be deductibles or waiting periods before coverage kicks in. It’s essential for businesses to carefully review their policy terms and limits to ensure they have adequate coverage.

Can small businesses benefit from cyber insurance?

Yes, cyber insurance is not limited to large corporations. Small businesses are often more vulnerable to cyber threats due to limited resources for cybersecurity. Cyber insurance can help them recover from the financial impact of an attack and provide peace of mind. Many insurance providers offer policies tailored to the specific needs of small businesses.

Protecting Your Business: The Importance of Cyber Insurance

In today’s digital age, the threat of cyberattacks looms larger than ever, and businesses are increasingly becoming targets of sophisticated cybercriminals. In this landscape, safeguarding your company against potential risks is paramount.

One crucial aspect of this protection strategy is investing in comprehensive cyber insurance. But simply having cyber insurance isn’t enough; it’s equally essential to ensure that you meet the stringent requirements set by insurers to secure favorable terms.

One way to achieve this is by employing an all-encompassing IT security solution like 365 Total Protection. In this article, we’ll explore the reasons why your company should consider cyber insurance and how 365 Total Protection can help you obtain favorable terms on your policy.

The Rising Cyber Threat Landscape

Cyberattacks have surged in frequency and sophistication over recent years. Hackers are targeting businesses of all sizes, seeking to exploit vulnerabilities in digital infrastructure, steal sensitive data, disrupt operations, and cause financial and reputational damage.

As a result, companies are exposed to a growing array of risks, including data breaches, financial loss, legal liability, and reputational damage.

According to the Hiscox Cyber Readiness Report 2023, the median cost of a cyber-attack in Germany has reached 16,000 euros, down 32.4% from 2021. Although this is a welcome development for Germany, the average cost of a cyber-attack to a company is still considerable. And who can guarantee that it will be just one attack?

For other countries in the Western Hemisphere, things don’t look quite so favorable. In the UK, the average cost of a cyberattack was 24,200 euros in 2023, and 20,000 euros in the US.

The Importance of Cyber Insurance

To mitigate these risks effectively, businesses should consider investing in cyber insurance. A robust cyber insurance policy can offer comprehensive protection against the financial and legal ramifications of a cyberattack. Here’s why purchasing cyber insurance is a wise decision:

  1. Coverage for Incurred Damages: Cyber insurance typically covers the costs associated with defending against a cyberattack, restoring data and systems, and mitigating the impact of the attack on your business.
  2. Liability Protection: In the event of a data breach or cyber incident, your company may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover the costs associated with legal liability and compensation.
  3. Business Interruption Support: Cyber insurance may provide financial compensation in case of a business interruption resulting from a cyberattack, helping your business maintain stability during challenging times.
  4. Assistance Services: A good cyber insurance policy includes assistance services such as IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an outsourced cyber crisis department to help you navigate the aftermath of an attack effectively.
  5. Data Protection: Cyber insurance can also offer protection for both physical and electronic data, including laptops, smartphones, and paper files. If data is lost, compromised, or misused, your policy can provide coverage.

The Challenges of Cyber Insurance

However, there’s a catch. As the frequency and severity of cyberattacks continue to rise, insurers are adapting to the changing landscape. They are striving to make their cyber insurance products profitable again. This translates to increasing deductibles, higher premiums, and more stringent minimum IT security requirements for policyholders.

According to the World Economic Forum, cyber insurance premiums have increased globally by an average of 20% per year over the past five years. For small and medium-sized businesses, these rising premiums and stricter security requirements can become a substantial financial burden.

How 365 Total Protection Can Help

This is where 365 Total Protection comes into play. 365 Total Protection is a comprehensive IT security solution that offers a multitude of benefits, including:

Email Security: Protect your business from email-based cyber threats, including phishing, malware, and spam. 365 Total Protection ensures that your communication remains secure; and thanks to a self-learning AI-based service, it ensures that email recipients are validated so that even outgoing emails don’t fall into the wrong hands.

Backup & Recovery: In the unfortunate event of a cyberattack, 365 Total Protection provides a robust backup and recovery system, ensuring that your data is safe and can be quickly restored.

Compliance for Permission Management: 365 Total Protection helps your organization comply with data protection laws, ensures that you effectively protect sensitive data in Microsoft 365 thanks to clear permissions management, and reduces the risk of data loss and legal liability.

Security Awareness Training & Phishing Attack Simulation: Educate your employees about the importance of cybersecurity. Well-informed staff can be your first line of defense against cyber threats.

With the Security Awareness Service included in 365 Total Protection, you can train your employees at the touch of a button to recognize and report even advanced spear phishing attacks and learn safe behaviors to build a sustainable security culture. The Security Awareness Service runs continuously and fully automatically.

It includes advanced spear phishing simulation to continuously measure the security behavior of all employees, and then automatically manages the right level of training for each employee.

By implementing 365 Total Protection, your company can substantially enhance its cybersecurity posture, which, in turn, can lead to more favorable terms when purchasing cyber insurance. When insurers see that your organization has taken significant proactive measures to protect against cyber threats, they may be more inclined to offer competitive rates.

In Conclusion

In an era when cyberattacks are becoming increasingly prevalent and severe, cyber insurance is an essential component of your business risk and continuity management strategy. To secure favorable terms on your cyber insurance policy, invest in an all-encompassing IT security solution like 365 Total Protection.

By taking proactive steps to protect your digital infrastructure and educate your employees, you can demonstrate to insurers that your company is a responsible and secure entity, potentially leading to more cost-effective coverage.

Don’t wait until it’s too late – protect your business today with a combination of robust cyber insurance and 365 Total Protection’s comprehensive IT security offerings.

Learn more about 365 Total Protection and request a free trial: https://www.hornetsecurity.com/en/services/365-total-protection-compliance-and-awareness/

FAQ

What are the benefits of having cyber insurance?

Cyber insurance can help businesses to:

  • Recover from a cyberattack more quickly and efficiently
  • Protect their reputation
  • Avoid financial losses
  • Comply with regulatory requirements

How much does cyber insurance cost?

The cost of cyber insurance varies depending on the size of the business, the industry it is in, and the level of coverage it needs. Other factors included in the insurance premium are:

  • Risk assessment and deductibles
  • Type of information and data a company stores and processes
  • The type and quality of security measures implemented, such as security awareness training for employees
  • The company’s cyber history
  • Any global presence the company may have. Companies with a global presence typically pay higher premiums for cyber insurance because they are exposed to a broader range of risks.

What can businesses do to lower their cyber insurance costs?

Businesses can lower their cyber insurance costs by:

  • Implementing strong cybersecurity controls
  • Conducting regular risk assessments
  • Training employees on cybersecurity best practices
  • Having a comprehensive incident response plan in place

Protecting your data in M365 with Information Protection

A few years ago, the expression was “data is the new oil,” and that might be true, but when it comes to your organization’s documents stored in the cloud, I think a more apt description would be “data is radioactive.” Yes, you can do good things with it (generate electricity), but it’s dangerous stuff, and you shouldn’t keep it around for longer than you need to.

For most IT pros, data security is NTFS, share permissions, and SharePoint access levels. Turns out that doesn’t work so well anymore. Even when documents are stored in OneDrive for Business, SharePoint, and Exchange Online, they don’t stay there. They’re shared via Teams, third-party collaboration, and cloud storage services, via email, and even stored on USB sticks now and then. And when everyone is working from home or anywhere, you quickly lose what little control you used to have over where these documents are and who has access to them.

This is a serious problem for businesses, both big and small, and I think it is going to come much more into focus over the next few years. But there are actually technical solutions to this that you may already have paid for but are not using today, in the form of Microsoft Information Protection, sometimes called Azure Information Protection. This article will show you how it works, how to start using it, how to ensure the business is onboard, and what you can do at the different licensing levels.

The Basics


Before discussing protection, let’s talk about labeling, the foundation of M365 Information Protection. A document is labeled with a classification, such as “Sensitive” or “Highly Confidential,” and this label follows it wherever it goes. Then you apply policies that say that “Public” documents aren’t protected at all, but “Highly Confidential” ones have a watermark applied on each page (or a footer or a header) and are encrypted and that a user has to designate the specific internal or external users that should have access to it. 

The labeling names are up to you, with some suggestions; you can have different labels scoped to different groups and have nested labels such as “Highly Confidential/All employees” and “Highly Confidential/Executives.” Again, the protection follows the document, and the recipient must prove who they are at the time of access. You can either give a grace period of a few days after the initial authorization, during which the document can be accessed offline, or require the recipient to authenticate every single time.

Access can be time-limited, and specific permissions can be assigned, such as read-only or no printing. For emails, you can apply “Do not forward,” “no printing,” etc. Many file types are supported out of the box, including the Office ones and PDF, with third-party add-ins on offer to protect CAD engineering files, for instance.

Microsoft 365 E3 and Business Premium offer manual labeling of documents, relying on staff training (more below) and judgment, whereas Microsoft 365 E5 can automatically identify sensitive information and label documents for you.

Rather than relying on where a document is stored (file share, cloud storage, USB stick, etc.) and trying to control access there, M365 Information Protection embeds the protection in the document itself. This means that if you try to open a protected/encrypted document in a third-party application instead of Microsoft Office or a compatible PDF reader (Adobe Reader works), it won’t open.

Note that this isn’t an anti-hacker technology; it’s a way to ensure control over documents and help good people do the right thing. If I have read access to a document and I’m determined to steal the content, I can take photos of it with my smartphone, pop my laptop on the photocopier and hit print, or simply memorize the information. None of those actions can be claimed to be accidental if you’re caught, though. In contrast, if you have no information protection in place, you don’t even know if a copy of the text is pasted into another file or forwarded to a personal email address.

A building block of M365 Information Protection is Sensitive Information Types (SITs), which are built-in ways to spot different types of data. At the time of writing, there are 264 types, including classics such as credit cards and SWIFT codes, as well as bank account numbers, passport numbers, and identification card numbers for many countries worldwide. There are also more recent additions such as IP addresses, disease IDs, names and physical addresses, Azure Storage Account keys, and many, many others. You can also create your own SITs for organization-specific terms.

Data classification dashboard

For more complex document types, where a string of numbers and corroborating evidence words (16 numbers in groups of four, with the words CC, MasterCard, etc. next to it) aren’t sufficient, you can use Trainable classifiers that rely on Machine Learning models to identify data. There are 19 built-in ones for English (a total of 49 when Japanese, German, French, etc. are included) for Agreements, Finance, HR, Intellectual Property, Legal, Resume, Source Code, Profanity, Targeted Harassment, and Threats, plus several others.

If you have E5 licensing, you can also create your own by feeding it many documents of the type you’re seeking to classify (Australian Legal Contracts, for example) and then refine the model by feeding it the right kind of documents, as well as wrong ones, and manually marking each batch when it gets it right and wrong. When the model is accurate enough, you can publish it to your tenant and then use it in your policies.

If you have a database of terms or codes (say employee IDs or project numbers), you can use Exact Data Match (EDM) to spot these when they show up in documents or emails.
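The pattern-plus-corroborating-evidence idea behind the credit card example above, sketched as an added example (this is not Microsoft's implementation and not code from the original article). The Luhn checksum step, the 300-character proximity window, the keywords beyond "CC" and "MasterCard", and the high/low confidence labels are assumptions made for illustration.

```python
import re

# 16 digits in four groups of four, with one consistent separator
# (space, hyphen or nothing) between the groups.
CARD_PATTERN = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")

# Corroborating evidence words. "cc" and "mastercard" come from the article;
# the others are assumed additions for this example.
KEYWORDS = ("cc", "mastercard", "visa", "credit card", "card number", "expiry")
KEYWORD_PATTERN = re.compile(
    r"\b(?:" + "|".join(re.escape(k) for k in KEYWORDS) + r")\b",
    re.IGNORECASE,
)

PROXIMITY = 300  # characters searched on each side of a match (assumed value)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings are safe to log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Find card-like numbers and grade each by nearby evidence words.

    A match must pass the checksum to count at all. It is graded "high"
    when a keyword appears within PROXIMITY characters, otherwise "low".
    """
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue  # right shape, but not a plausible card number
        before = text[max(0, m.start() - PROXIMITY):m.start()]
        after = text[m.end():m.end() + PROXIMITY]
        evidence = sorted(
            {k.lower() for k in KEYWORD_PATTERN.findall(before + " " + after)}
        )
        findings.append({
            "masked": mask(digits),
            "offset": m.start(),
            "confidence": "high" if evidence else "low",
            "evidence": evidence,
        })
    return findings


# Constructed sample documents. The numbers are well-known test values or
# made-up digit strings, not real card data.
SAMPLE_DOCS = {
    "invoice_email": "Please charge the MasterCard 5555 5555 5555 4444, "
                     "expiry 09/27, for invoice 2291.",
    "shipping_note": "Tracking reference 4111-1111-1111-1111 for the "
                     "pallet shipment.",
    "order_record": "Order id 1234 5678 9012 3456, paid by credit card "
                    "on file.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        print(name, find_card_numbers(body))
```

The third sample shows why evidence words alone are not enough: "credit card" sits right next to a 16-digit string, but the checksum rejects it, so it produces no finding.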

To see the SITs and other sensitive information types, go to compliance.microsoft.com, log in with an administrator account, and go to Data Classification in the menu on the left.

But how do you know what sensitive data you’ve already got in your tenant so you know where to start? That’s where Content Explorer comes in; as long as you’ve been assigned the extra roles (on top of Global Admin) of Content Explorer List Viewer and Content Explorer Content Viewer, you can browse and see what’s already stored in your tenant. Here’s my tenant:

Content Explorer in M365 Information Protection

As you can see, many names across email and OneDrive for Business make sense, as does Australian Business Number, while the disease identification is a false positive. I can then drill down to individual documents, and if I have the Content Viewer role, I can even preview the documents themselves (obviously, be careful with this permission). This should give you a good starting point for understanding what sensitive data you have stored.

Documents identified in Content Explorer

On the other hand, Activity Explorer shows you what users are doing with documents when you start using labels and protections and how they’re being used.

Activity Explorer in M365 Information Protection

Nowadays, it’s not just files and emails that can be labeled; you can also apply your classifications to SharePoint sites and M365 groups (this is in preview at the time of writing and requires manual steps to enable). Note that today, that doesn’t mean that the documents inside those containers are automatically labeled (they don’t work as NTFS permissions, in other words); it means that you can control the external sharing of documents from those locations.

Finally, you can also apply M365 Information Protection labels and policies to data other than documents using Microsoft Purview (up until very recently called Azure Purview). This extends the whole concept of labels to databases (SQL, Cosmos DB, Amazon RDS, Cassandra, DB2, Google BigQuery, and others), cloud storage, data lakes, etc.

Scoping a sensitivity label in M365 Information Protection

Applying the labels


OK, you have worked out what labels to use (see below), at least for your first pilot project. Now, you need to create your policies to actually apply them. Still in the compliance portal, go down to Solutions – Information Protection. Here, you create your labels based on the SITs and other classification options covered above and then publish them using Label policies.

Pick the label(s) to publish and scope it to users and groups (you can select All for a companywide policy) and then select Policy Settings.

Policy settings for a Sensitivity label policy

Here you can require users to provide a business justification when removing a label or lowering it to a less sensitive one, require users to always apply a label (be very careful with this setting; see below), require labeling for Power BI content, and offer a link to a custom, in-house help page. Make sure that you give your policy a descriptive name that fits neatly into the flyout under the button in the Office apps and a longer description as well. This might seem trivial, but it is actually crucial in helping users understand what label to use for each type of content.

Realistically, though, asking users to manually label documents and emails (hopefully without enforcing it) is only going to take you so far, and only with new documents. To really get a handle on and label all your data, you must use Auto-labeling policies. These are available in E5 licensing (for a good breakdown of what’s available in each licensing tier – see here).

These will scan through existing documents in OneDrive for Business and SharePoint online and label documents based on sensitive data found, optionally applying markings and encryption based on your label settings. When you first create one, you can run it in simulation mode to ensure that it’s going to work as you expected.

If you have documents on-premises, in file shares / SharePoint server, you can use the Azure Information Protection scanner to do the same for all that data. Managed from the cloud, once the agents are deployed on-premises, they will scan SMB or NFS (preview) shares and SharePoint 2013 to 2019 servers.

Another important step to take is to designate a group of highly trusted users as super users so that they can unencrypt documents that were protected by an end-user who’s no longer with the company, for instance.

I haven’t gone into it, but M365 Information Protection has had many names over the years, so if you see references to Azure Information Protection, Azure Rights Management Services, etc., they’re all talking about the same thing. The current product is also unified within Microsoft 365, and the client agent is built into Apps for Business / Apps for Enterprise, which the rest of the world calls Office – i.e., Word, Excel, and so forth on your desktop, on a smartphone or the web version in a browser.

Working with the business


This is the most important part of this article – the technology isn’t the crucial bit, even though it’s cool – it’s engaging with the rest of the business. Successfully implementing M365 Information Protection in your business relies on you being able to get executive sponsorship – it’s got to be something that the business leaders understand and see as aligned with business outcomes. If it’s something IT is trying to “enforce” for compliance reasons on their own, it’s unlikely to succeed.

After the executives are onboard and lead by example (as they often handle the most sensitive data in the business), you need to train your users. Start small, perhaps with a group of users in the legal, finance, or HR department who understand the need more than other staff. Gather feedback and really understand how adding extra steps to their daily workflow impacts productivity. Ensure that the labels are crystal clear and that there are as few as possible.

When you first start out, especially in a large business, you can end up with dozens of labels, with each department insisting that their Highly Confidential classification is different than in another department. Be ruthless – to have any chance of success, you must get everyone to agree on a small set of labels that are clear to everyone. If required, you can have different labels for different groups of users; just be aware of the potential management and maintenance overhead.

Just as file permissions are straightforward on a new file server but become hard to maintain as minor changes and exceptions accumulate, labels drift over time. Plan for quarterly meetings to go back over labels, their usage and their impact on the business, so that you can adjust as M365 Information Protection is adopted more and more widely by the organization (Activity Explorer really helps with this).

Also – make it fun! Have competitions to see who can label as many documents as possible or who used the most labels in a week.

Conclusion


M365 Information Protection ties in nicely with several other governance features such as Data Loss Prevention (DLP), which is now available on Windows and macOS endpoints as well as in the cloud. It’s also related to Retention policies and Records management and is part of an overall strategy to secure your Microsoft 365 tenant.

As you can appreciate, Information Protection is a huge area of Microsoft 365 and one that is constantly evolving; a good place to catch the latest as well as ask questions is the Information Protection public Yammer community.