The concerns businesses have about handing data over to cloud providers have, to a large extent, been assuaged. The ongoing growth of Microsoft’s Office 365 and the general trend towards cloud computing are evidence of this. Yet, as much as cloud providers are now seen as secure, businesses still need to take steps to prevent the loss of data stored in the cloud.

In an interesting finding, Gartner suggests that through 2022, 95% of cloud security failures will be the fault of customers, not cloud service providers. As much as Office 365 is easy to adopt administrators carry a strong responsibility to maintain security. Here are three steps that can help your business secure its Office 365 data.

1. Use Office 365’s DLP tools

   

   In many ways, the attraction of Office 365 lies in the way Microsoft bundles a rich range of products and services into a simple to digest licensing fee. Larger businesses that typically use Office 365 Enterprise E3 and E5 licenses will have access to Office 365’s built-in data loss prevention (DLP) tools. An initial step is to instruct your employees, not to email or share sensitive information, and Office 365’s DLP tools can help enforce this policy.

   Located in the Office 365 Security and Compliance Center, DLP tools work according to a set of business rules. These can recognise personally identifiable data, financial data, and other protected information sets and perform an action that’s selected from a predetermined range.

   For example, you can block the ability to send credit card details via email if you configure DLP accordingly: emails caught by your rule will be rejected. Alternatively, you can set up policy alerts that warn users to think twice before sending an email. It’s a less draconian option, but still better than merely relying on users to remember a policy they may have signed years ago.

   DLP can be as granular as you need it to be. You can block users in certain roles from sending personal data altogether while sticking to policy tips for select users. Of course, DLP is not watertight and user education will remain an important factor. Nonetheless, with DLP in your arsenal, you can reduce the risk of accidents.

2. Roles and permissions in Office 365

   

   As we stated earlier, there is a growing acceptance of the efficacy of the internal security practices of cloud providers. However, users and the technology managers working on behalf of those users need to do their part. So it is with Office 365, and roles and permissions are a key concern when it comes to preventing data loss.

   In Office 365 it manifests in two ways. Who has the permission to access data, and who has the permission to share data? Access rights should be viewed from a risk mitigation perspective and should be based on roles. Configuring permissions in Office 365 is straight forward but it can be time-consuming to manage.

   Nonetheless, a carefully considered, implemented, and audited permission regime based on roles is a crucial step in preventing data loss. That new, untrusted staff member should not by default have access to confidential data. Permissions can be highly granular in Office 365 but there must be a willingness to exercise this power.

   The ability to easily share data is part of what makes cloud apps so productive, but this too should be tightly controlled. It goes without saying that sharing documents with users outside an Office 365 tenant should be tightly controlled. Sharing permissions should also be role-based, while administrators should tightly restrict sharing permissions on the most confidential data.

3. Use Office 365 MDM to manage mobile devices

   

   Enterprise mobility is key to getting things done in a mobile-centric age, but just like cloud-based file sharing, the productivity benefits should not be outweighed by the risks. Yes, you can allow employees to access confidential data on the go, but the devices that are used for access should be tightly managed.

   Mobile device management (MDM) is another tool that is part and parcel of Office 365, though advanced MDM features require a top-up unless the most comprehensive Office 365 licenses are deployed. That said, even the most basic Office 365 licenses include the ability to remotely wipe devices, essential for stopping data loss when a device is lost or stolen.

   For advanced MDM features, enterprises should consider deploying Microsoft Intune which offers very granular control over mobile devices. Intune includes the ability to deploy a custom app store, to manage business apps built by your organisation. It also offers additional security for mobile web browsing.

Other Office 365 tools that can help prevent data loss

We’ve covered the three most essential steps you should take to manage the risk of data loss in Office 365. Other tools operate behind the scenes, but some require license top-ups. These include, for example, Azure Identity Protection, which uses machine learning to flag compromised accounts.

Likewise, Advanced Threat Protection scans emails and blocks ransomware. Two-factor authentication (2FA) is available to all licensed users but is not enabled by default and should be strongly considered by most businesses.

There are clearly several cloud-centric security concerns that require a different strategy in the battle to prevent data loss, and Office 365 provides an arsenal of tools to mitigate the risk of data loss. However, to a large degree, administrators should follow standard good practice when dealing with Office 365, just as they would with on-site infrastructure.