An effective strategy against cybercrime takes a holistic approach, preventing intrusion into devices and applications and minimizing the harm done. In this blog series on digital workplace security, we mainly focus on the ‘prevention’ step. Using the cyber kill chain as our guideline, we described in two earlier blog posts how to prevent hackers from intruding into your system and gaining access. Let’s now see how to prevent cybercrime in the next stage of the chain, when a cyberattacker gets close to your most valuable asset – your data.
Importance of data classification
The first step in preventing data breaches is data classification: understanding what types of data you have and how ‘valuable’ it is and then assigning levels of sensitivity to each data type. The level of protection and, consequently, the controls needed will depend on that classification. For example, while general information will get the label ‘public’ and be available to everyone, financial data or HR-related and customer PII (personally identifiable information) will be labeled ‘confidential’ or even ‘strictly confidential’ and require strong access control measures, like multi-factor authentication, encryption or conditional access.
"3,86 million USD is the average cost of a data breach – the average cost per lost or stolen record amounts to 146 USD."
IBM’s 2023 Cost of a Data Breach Report.
Labeling your documents with Microsoft Purview Information Protection (MPIP)
While data classification is crucial for security, it is not easy to properly categorize all your data. Moreover, your decisions greatly impact the cost of security and the user-friendliness of your applications and devices and, consequently, the productivity of your users: the more protection and control, the higher the cost and the more steps the users have to take to get access to the data.
Here too, Microsoft comes to the rescue: the Microsoft Purview Information Protection (aka AIP) suite helps to properly – and cost-effectively – label documents and emails. When the software detects sensitive data like credit card numbers within a document, for example, it will automatically give it the label 'secret' or 'sensitive' – which triggers protection policies, such as not allowing an employee to copy and paste from that document or to share it.
Beyond automatic labelling, AIP also allows you to tag your documents manually as you create them or even classify and protect existing documents. Reports and a dashboard provide information on the volume of labeled and protected documents and on label distribution, and help detect risky behaviors to prevent misuse.
Data loss prevention
To add a further layer of protection to your corporate data, it’s a good idea to combine AIP with MS Data Loss Prevention (DLP). While AIP links labels to documents, DLP identifies sensitive information across your Microsoft locations – from SharePoint, OneDrive and Teams to Office tools like Excel, PowerPoint and Word. Based on the rules that your compliance or security team has defined, DLP will take certain actions, like blocking sensitive data from being forwarded inside or outside of your organization. Here too, the software continually monitors all the information being shared and provides an overview of compliance with your DLP rules in reports and dashboards.
Preventing data breaches on mobile devices
Your employees use their mobile devices for both personal and work tasks. So don’t forget to protect company data that is accessed from these devices. Here too, Microsoft helps.
By implementing app protection policies, you can restrict access to company resources and keep data within the purview of your IT department. IT administrators can, for example, deploy Conditional Access policies or deploy an app protection policy that requires app data to be encrypted.
Teaching users how to stay compliant
The Microsoft DLP suite even helps you educate your staff on the importance of data protection, by sending email notifications and showing tips in a pop-up. For example, if an employee tries to ‘send’ a document that contains a bank account number, the DLP rule will not only block the document from being forwarded but also create a pop-up that warns the user. In this way, user awareness will improve gradually – to help you combat cybercrime throughout your organization.
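The automatic labelling and the block-with-warning behaviour described above can be sketched in a few lines of Python. This is an added illustration, not Microsoft's implementation or code from this blog: the regexes, function names, label mapping and sample strings are assumptions constructed for the example. It shows why detectors pair a pattern with a checksum (Luhn for card numbers, mod 97 for IBANs) to avoid flagging arbitrary digit runs.

```python
import re

# Candidate patterns only (assumed for this sketch); checksums cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move first 4 chars to the end, A=10..Z=35, mod 97 == 1."""
    s = iban.replace(" ", "")
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def find_sensitive(text: str) -> set:
    """Return the sensitive data types whose pattern AND checksum both match."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("credit_card")
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            hits.add("bank_account")
    return hits

def evaluate(text: str, action: str) -> dict:
    """Hypothetical policy: label by content, block risky actions, return a tip."""
    hits = find_sensitive(text)
    label = "confidential" if hits else "public"
    blocked = bool(hits) and action in {"send", "share", "copy"}
    tip = f"Blocked: contains {', '.join(sorted(hits))}" if blocked else None
    return {"label": label, "blocked": blocked, "tip": tip}

if __name__ == "__main__":
    # Constructed samples: a well-known test card number and the textbook example IBAN.
    print(evaluate("Card 4111 1111 1111 1111 on file.", "copy"))
    print(evaluate("Please pay to GB82 WEST 1234 5698 7654 32 today.", "send"))
    print(evaluate("Order 1234 5678 9012 3456 shipped", "send"))
```

The third sample matches the card pattern but fails the Luhn check, so it stays ‘public’ and is not blocked.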