How to Create An Effective Data Loss Prevention Plan In Microsoft 365

POSTED ON October 14, 2020

One of the most significant blind spots in maintaining cybersecurity is user error. Many cyberattacks target employees directly, manipulating them into sharing sensitive data or clicking on malicious links.

Controls that catch employee error before data leaves the organization reduce the impact of that mistake. In Microsoft 365, you can use a Data Loss Prevention (DLP) policy to ensure that any sharing of sensitive data is intentional.

What is a DLP policy?

DLP is a service that scans messages, files, and documents for information your policies have deemed sensitive. For example, suppose an employee tries to email a client’s Social Security number. The policy can show the sender a warning, send an incident report to a supervisor, or hold the message until the share is confirmed as intentional, depending on how it is configured.

The DLP Policy tells the DLP service what information is sensitive, how to identify it, and who to alert when it is shared.

What types of information should I make a DLP policy for?

The most common types of sensitive information a business might be sharing are:
• Credit card numbers
• Social Security numbers
• Insurance policy numbers
• Bank account numbers
• Home addresses
• Other personally identifiable information

The DLP service includes 87 built-in sensitive information types, but you can also create customized ones if needed.

How do I set up a DLP Policy in Microsoft 365?

When creating your DLP policy, make sure you are configuring it for your entire Microsoft 365 tenant (Exchange, SharePoint, OneDrive, and Teams), not just for email. A policy scoped to Exchange alone will miss the same data shared through a OneDrive link. If you would like assistance setting up your DLP policies or aren’t sure what sorts of policies you need, give us a call!
Follow these steps to set up a DLP policy:

1. Go to the Security and Compliance Center in the Microsoft 365 admin portal.

2. On the left, click Data Loss Prevention and then click Create a new policy. If you do not see Data Loss Prevention on the left, you might not have admin access. Contact your administrator and share these tips with them.


3. Choose a policy template. Microsoft 365 provides DLP policy templates grouped by region and regulation. For example, there are templates for some of the most common compliance requirements:
• United States personally identifiable information (U.S. PII)
• Data subject to the Payment Card Industry Data Security Standard (PCI-DSS)
• Data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

4. To continue following this example, select Financial and then U.S. Financial Data. Click Next.

5. Assign the policy a name and description. We encourage you to put thought into your naming conventions so you don’t have trouble keeping track of your policies or mixing them up. Click Next.

6. On the “Choose locations” page, determine which areas of Office 365 you would like to apply this DLP policy to. For this example, we would choose All Locations. Then click Next.

7. On this screen you can customize the type of information included in this policy. In most cases we would recommend accepting the defaults. In this example, credit card numbers and U.S. bank account and routing numbers will be flagged. Once enacted, this policy will let us know when anyone attempts to share this content with people outside our company. Click Next.


8. You will now be asked what methods of enforcement you want to use. You can show a policy tip to the sender, send an incident report to a co-worker or supervisor, or block the action entirely. For this example, let’s change the number of instances required to trigger the rule to 1, so a single credit card number is enough. If you work in an industry where you legitimately share this information, you can instead have the DLP policy automatically encrypt the email before it is sent by checking the last box on this page; this applies to Exchange email only. Click Next.


9. Now you can choose to block certain people from accessing SharePoint and OneDrive content, and whether users can override the DLP policy. We would recommend only allowing people within your organization to have access to SharePoint or OneDrive content if you store sensitive information there. For overrides, use your discretion based on the information type and your business practices; if you allow them, require a business justification so every override is recorded with a reason you can review later. Click Next.

10. Here you can choose to run the policy in test mode or begin enforcement immediately. Test mode records matches (with or without showing policy tips to users) without blocking anything, which helps you determine whether the policy will disrupt legitimate workflows or produce false positives. Having time to review those matches and adjust the settings before full enforcement is strongly recommended. Click Next.

11. Final step: review your settings and save the policy.
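The same policy can be created from Security & Compliance PowerShell, which is useful when you need to build it identically across several tenants or keep the configuration in version control. The script below is an added example written for this article, not Microsoft’s or Agilitec’s code; it assumes the ExchangeOnlineManagement module is installed, that you hold a compliance administrator role, and uses a placeholder policy name and alert mailbox (contoso.com) that you would replace with your own.

```powershell
# Added example (not from the original article): the wizard steps above,
# built with the Security & Compliance PowerShell cmdlets.
# Assumes the ExchangeOnlineManagement module and a compliance admin role.
# The policy name and alert mailbox below are assumed placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # interactive sign-in to the compliance endpoint

$policyName   = 'US Financial Data - External Sharing'   # assumed name
$alertMailbox = 'dlp-alerts@contoso.com'                 # assumed incident-report mailbox

# Step 7: the built-in sensitive information types the U.S. Financial Data
# template relies on. Verify each name resolves before putting it in a rule;
# a misspelled type name is accepted by the cmdlet and then matches nothing.
$sitNames = 'Credit Card Number', 'U.S. Bank Account Number', 'ABA Routing Number'
$known = (Get-DlpSensitiveInformationType).Name
foreach ($n in $sitNames) {
    if ($n -notin $known) { throw "Unknown sensitive information type: $n" }
}

# Steps 5, 6 and 10: one policy across every workload (not just email),
# created in test mode so matches are reported but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Flags U.S. financial data shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Steps 7, 8 and 9: a single match is enough (minCount 1), only sharing
# outside the organization counts, the sender sees a policy tip, an incident
# report goes to the alert mailbox, access is blocked, and overrides require
# a written justification so they appear in the audit log.
$conditions = $sitNames | ForEach-Object { @{ Name = $_; minCount = '1' } }

New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation $conditions `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText 'This item contains financial data and cannot be shared externally without a justification.' `
    -GenerateIncidentReport $alertMailbox `
    -IncidentReportContent Title, Detections, Service, Severity, RulesMatched `
    -ReportSeverityLevel High `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyAllowOverride WithJustification

# Step 8 alternative for teams that legitimately send this data by email:
# encrypt the message instead of blocking it (Exchange locations only).
# Replace the two Block* parameters above with:
#   -EncryptRMSTemplate 'Encrypt'

# Step 10 follow-up: once the test-mode matches look right, turn on enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leave the policy in TestWithNotifications for at least one business cycle and review the incident reports before running the final Set-DlpCompliancePolicy line; switching a rule that blocks external sharing straight to Enable is the fastest way to create the workflow bottleneck step 10 warns about.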

If you experience any issues setting up your DLP policy or would like help creating custom ones for your business, don’t hesitate to reach out to us for help. You can schedule a call with us any time.

About the Author: Agilitec IT