Data loss prevention practices for Microsoft 365 organizations

Posted by Susan California on February 17th, 2021

There are two words that strike fear in the hearts and minds of most businesses – data leak.  There is arguably no greater nightmare for your business than making news headlines due to a leak of sensitive data.  However, it has been the brutal reality for many businesses, many of which never recover.

As your business defends against many cybersecurity threats, data loss prevention (DLP) is one of the most important considerations for your business.  This includes cloud SaaS environments like Microsoft’s Office 365, now rebranded as Microsoft 365 (M365).  Let’s take a look at data loss prevention practices for Microsoft 365 organizations and how you can protect your business.

Data loss prevention practices for Microsoft 365 organizations

To begin, what is data loss prevention (DLP)?  Data loss prevention is the practice of detecting and preventing data breaches, leaking of data, unauthorized access and dissemination of sensitive data.  How can this be prevented in M365?  Let’s look at the following data loss prevention practices for Microsoft 365 organizations:

  1. Inventory and understand what sensitive data is uploaded to Microsoft 365
  2. Prevent ransomware from infecting, encrypting, and intentionally leaking data
  3. Maintain visibility into who has access to data and where it is shared
  4. Control which third-party apps access your cloud data
  5. Detect and prevent abnormal downloads of data

1.  Inventory and understand what sensitive data is uploaded to Microsoft 365

As a business, you must first understand what sensitive data is uploaded to Microsoft 365.  Without having an accurate inventory of your data overall, it will be very difficult to prevent data leak.  Performing an audit of how departments are using M365 and what types of data they are storing there is a good start.

Sensitive data generally varies depending on your business type and particular industry.  It may include but not be limited to the following:

  • Social Security Numbers (SSNs)
  • Credit Card Numbers (CCNs)
  • Personally Identifiable Information (PII) – names, addresses, phone numbers, and others
  • Protected health information (PHI) regulated under HIPAA


Businesses must understand what data is housed in Microsoft 365

Aside from more traditional audits and scans of data, it is generally necessary to put technology in place that recognizes these types of data and prevents leakage.  Microsoft’s built-in DLP solution can identify documents containing sensitive information types such as CCNs, SSNs, and others.

2. Prevent ransomware from infecting, encrypting, and intentionally leaking data

Ransomware is one of the most ominous threats to the security of your data.  What’s more, new ransomware variants use the threat of data leakage as leverage to force ransom payment.  These variants go far beyond simple data encryption.  As an example, a new strain of the MegaCortex ransomware threatens to publish victims’ stolen data if they fail to pay the ransom demanded.

As demonstrated in the “Ransom Cloud” attack by famous hacker turned security researcher Kevin Mitnick, ransomware can infect cloud environments simply by being granted permissions by end users (the attack was demonstrated in Office 365).  With the looming threat of data leak by new ransomware variants, protecting your cloud environment from ransomware is extremely important.

There are very few protections built into Microsoft 365 to prevent a ransomware infection.  Additionally, most remediation with the native protective tools requires administrator intervention.

3.  Maintain visibility into who has access to data and where it is shared

Not only is it important to have visibility and control who has access to what data, it is also important to understand how data is shared with others.  Cloud environments like Microsoft 365 in default configurations make it extremely easy to share data with those inside as well as outside your organization. 


The sharing icon next to a folder shared outside the organization

This is where danger can lurk when it comes to sensitive information.  With only a few clicks, an end user can accidentally or intentionally share sensitive information with someone outside, potentially leading to a major data leak.

Auditing and controlling data sharing in Microsoft 365 is critically important to preventing unauthorized access to sensitive information.  Microsoft’s built-in DLP solution, while limited, allows:

  • Preventing users from sharing sensitive information accidentally and limiting access to sensitive data
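The following is an added example, not code from the original post or from SpinOne, showing how the built-in DLP capability mentioned in sections 1 and 3 is configured: a Microsoft Purview DLP policy that detects the built-in “Credit Card Number” sensitive information type and blocks sharing of matching items with people outside the organization.  The policy and rule names are constructed, and it assumes the Exchange Online PowerShell module and a compliance admin account.

```powershell
# Added example, not from the original post: a Microsoft Purview DLP policy that finds
# credit card numbers (a built-in sensitive information type) in SharePoint, OneDrive and
# Exchange content and blocks sharing of matching items with people outside the tenant.
# Assumes the Exchange Online PowerShell module and a compliance admin account.
Connect-IPPSSession

$policyName = "Block external sharing of credit card numbers"   # constructed name

# Scope the policy to every SharePoint site, OneDrive account and mailbox.
# TestWithNotifications reports and notifies but does not block yet, so matches
# can be reviewed before the policy is enforced.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Example DLP policy: detect CCNs shared outside the organization" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: at least one credit card number in content shared with someone outside
# the organization. BlockAccess revokes the external access, NotifyUser tells the
# person who shared it why, and an incident report goes to the site admin.
New-DlpComplianceRule -Name "CCN shared externally" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections, Title, DocumentAuthor `
    -ReportSeverityLevel High

# After the test-mode reports confirm the rule matches what you expect, enforce it.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Raising minCount, or adding a second sensitive information type to the array, tightens or widens what the rule matches without changing the sharing restriction.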

4.  Control which third-party apps access your data

Cloud SaaS environments like M365 allow integrating third-party apps into your cloud environment.  While this can add powerful features to your cloud SaaS environment, it can also lead to data leak and unauthorized access to sensitive data.  Because access is granted through OAuth permissions, an end user can simply consent to a third-party app and whatever permissions it requests, and your data is openly exposed to that app.

Your organization must have visibility into both the apps and the data they have access to.  Controlling, and even blocking, third-party apps is necessary to prevent leakage of sensitive data from your Microsoft 365 environment.

5.  Detect and prevent abnormal downloads of data from Microsoft 365

Another data leak threat is data exfiltration.  With end users often accessing business-critical data across a number of devices, including personal (BYOD) devices, it becomes extremely easy for data to be copied from a business cloud environment like M365 to personal local storage or even a personal cloud.

This can be a real threat.  If an employee copies sensitive data to his or her own device outside of the security measures in place for the organization, data can easily be leaked.  Employees that plan on leaving can also easily copy sensitive data from your company to be used elsewhere. 

Having visibility into abnormal downloads of data from company cloud storage helps to prevent data leakage.  In practice this requires technology solutions to be effective, since the volume of audit data is far too large to review by hand.
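As an added example that is not part of the original post, the detection logic below flags users whose OneDrive/SharePoint downloads on a given day far exceed their own recent daily average.  The audit records are a constructed sample built by New-SampleRecords (user names, dates and file URLs are invented) so the script runs offline; in a real tenant the same fields come from the unified audit log.

```powershell
# Added example, not from the original post: flag users whose OneDrive/SharePoint
# downloads on a given day far exceed their own recent daily average.
# In a real tenant the records would come from the unified audit log, e.g.
#   Search-UnifiedAuditLog -StartDate ... -EndDate ... -Operations FileDownloaded
# Here New-SampleRecords builds a constructed data set so the script runs offline.

function New-SampleRecords {
    # alice downloads 3 files a day for a week, then 120 on the last day; bob is steady at 5.
    $start = Get-Date "2021-02-10"
    foreach ($day in 0..7) {
        $date = $start.AddDays($day)
        $aliceCount = if ($day -eq 7) { 120 } else { 3 }
        foreach ($i in 1..$aliceCount) {
            [pscustomobject]@{ UserId = "alice@contoso.example"; Operation = "FileDownloaded"
                               CreationDate = $date; ObjectId = "https://contoso.example/sites/finance/doc$i.xlsx" }
        }
        foreach ($i in 1..5) {
            [pscustomobject]@{ UserId = "bob@contoso.example"; Operation = "FileDownloaded"
                               CreationDate = $date; ObjectId = "https://contoso.example/sites/sales/deck$i.pptx" }
        }
    }
}

function Find-AbnormalDownloads {
    param(
        [object[]]$Records,
        [datetime]$Day,
        [int]$BaselineDays = 7,    # days before $Day used for the per-user average
        [int]$MinDownloads = 50,   # never flag small counts, even if far above baseline
        [double]$Multiplier = 5.0  # flag when the day's count exceeds Multiplier x average
    )
    $dayStart = $Day.Date
    $baselineStart = $dayStart.AddDays(-$BaselineDays)
    $downloads = $Records | Where-Object { $_.Operation -eq "FileDownloaded" }

    foreach ($user in ($downloads | Group-Object UserId)) {
        $today = @($user.Group | Where-Object { $_.CreationDate.Date -eq $dayStart }).Count
        $past  = @($user.Group | Where-Object {
                     $_.CreationDate -ge $baselineStart -and $_.CreationDate -lt $dayStart }).Count
        $average = $past / $BaselineDays
        if ($today -ge $MinDownloads -and $today -gt $Multiplier * $average) {
            [pscustomobject]@{ UserId = $user.Name; Today = $today; DailyAverage = [math]::Round($average, 1) }
        }
    }
}

Find-AbnormalDownloads -Records (New-SampleRecords) -Day (Get-Date "2021-02-17") | Format-Table
```

With the constructed sample, only alice is reported (120 downloads against a 3.0 per-day average); a user with no history is still flagged once the MinDownloads floor is crossed, which is the case that matters for a newly created or compromised account.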

How can your organization effectively implement data loss prevention practices for Microsoft 365? 

SpinOne for Microsoft 365

Having both the visibility and controls necessary in cloud SaaS environments like Microsoft 365 can be challenging with the native tools provided.  Microsoft’s own DLP solution for Microsoft 365 provides basic protection against data leak, however, it can’t properly protect you from the following:

  • Accidental deletion or sharing of data
  • Insider threats
  • Incorrect data migration
  • Malware - ransomware

Most organizations will want to make use of an enterprise grade DLP solution.  SpinOne is an artificial intelligence (AI) and machine learning (ML) enabled Cloud Access Security Broker (CASB) that provides visibility and automated Microsoft 365 protection for business and enterprise.

SpinOne for Microsoft 365 provides world-class AI/ML ransomware protection that automatically:

  • Detects the ransomware attack
  • Blocks the source of the attack
  • Identifies files that have been affected
  • Restores those files from the last backup

This helps to ensure that your organization’s data is protected from one of the most threatening cyberattack tools in use today.  The power of the SpinOne solution is that it is a fully automated approach.  Instead of waiting for a Microsoft 365 administrator to intervene to stop an attack, SpinOne takes care of the attack quickly, decisively, and effectively. 

SpinOne also offers enterprise grade backups of Microsoft 365 data as part of data loss prevention.  If your organization’s data is accidentally or intentionally deleted or improperly migrated, you can quickly restore the data with SpinBackup’s automated backups and easy recovery process.


SpinBackup provides enterprise grade backups of Microsoft 365

Additionally, to align with SpinOne G Suite functionality, SpinOne will soon provide third-party apps protection for Microsoft 365.  This will provide the ability to fully audit third-party apps and whitelist/blacklist apps to align with business needs and cybersecurity objectives.  This new feature will also allow fully auditing which third-party apps already have access to your data and how the data is being shared/accessed. 
