Top 5 most common DLP in Office 365 questions answered

There are a lot of possible threats to an organization’s data banks, which can arise from any number of sources, from hacks to malware to physical storage failure and more. So, to help you protect your data, let’s look at the most common questions around DLP in Microsoft’s Office 365 platform and suite of services.

What is DLP in Office 365, and how to search for it

Data Loss Prevention (DLP) refers to the set of practices and mechanisms in place in an organization structure which secures its data and prevents its loss or unauthorized sharing by users with external users or people who should not have access to it. 

You can implement DLP in your Office 365 environment by enforcing policies and practices to protect data and valuable information across the M.S. and Office platforms, such as: 

• M365 offerings and services: Teams, Exchange, SharePoint, and OneDrive. 
• Office products: Word, Excel, and PowerPoint. 
• Windows 10, 11 and macOS.  
• Cloud-based applications and services.  
• File shares and SharePoint on-premises and location.  

DLP policies operate by identifying items and data of a sensitive nature through operations such as deep context analysis, machine learning algorithms, business intelligence capabilities, and alternative methods to locate content that matches the DLP policies in place for an organization.   

To find the location for DLP, you need to follow these steps: 

 Go to the admin center dashboard for Office 365.  

• Go to the Exchange admin center. 
• Choose compliance management. 
• Choose the Data loss prevention option.

And then, you can begin setting, customizing and implementing the DLP policies you want for your organization.

How to setup DLP policy Office 365 for HIPAA

HIPAA is the Health Insurance Portability and Accountability Act of 1996, which deals with patient confidentiality and access to their medical data. 

The US Centers for Disease Control and Prevention defines it as a “federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” 

Office 365 and its suite of services and software comply with HIPAA, and you can find a preexisting template in the DLP settings.   

To set up a DLP policy in Office 365 for HIPAA, follow the below-mentioned steps:   

• Go to the admin center and choose the security and compliance center.  
• Select the DLP tab and then go to Policy.  
• Select Create a policy on the new page that will open.  
• From the Template list, choose Medical and Health and then US Health Insurance Act (HIPAA).

• Set out the desired parameters and actions of the policy you want to implement as well as the locations it will operate it.  
• Create the policy and let it come into effect.

How long does it take for Office 365 DLP to sync up and take effect

Once you have created your DLP policy or made changes to it, it usually takes one hour for the changes and edits to make their way through an organization’s data center and sync up with user accounts.

In what version of the M365 license is DLP offered

Office 365 and Microsoft 365 E3 licenses are adequate to have and offer DLP practices for SharePoint Online, OneDrive, and Exchange Online. Furthermore, these two licenses also cover files that are shared through Microsoft Teams. 

However, these licenses don’t offer DLP for Microsoft Teams chat and channel messages, and you will need any of the following E5 licenses to cover that aspect: 

• Office 365 E5/A5/G5 
• Microsoft 365 E5/A5/G5 
• Microsoft 365 E5/A5/G5 Information Protection and Governance 
• Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

What DLP policies come with M365

There are over 40 templates you can start working with and implementing right away instead of having to design your custom DLP policy.  

Furthermore, these templates are dynamic starting points – you can customize and edit them according to your preferences and goals.   

The following are the broad templates and the laws and policies they cover:   

Financial:  

• Australia Financial Data 
• Canada Financial data  
• France Financial data  
• Germany Financial Data  
• Israel Financial Data  
• Japan Financial Data  
• PCI Data Security Standard (PCI DSS)  
• Saudi Arabia Anti-Cyber Crime Law  
• Saudi Arabia Financial Data  
• UK Financial Data  
• US Financial Data  

Medical and health:

• Australia Health Records Act (HRIP Act) Enhanced  
• Australia Health Records Act (HRIP Act)  
• Canada Health Information Act (HIA)  
• Canada Personal Health Information Act (PHIA) Manitoba  
• Canada Personal Health Act (PHIPA) Ontario  
• U.K. Access to Medical Reports Act  
• U.S. Health Insurance Act (HIPAA) Enhanced  
• U.S. Health Insurance Act (HIPAA)  

Privacy:  

• Australia Privacy Act Enhanced  
• Australia Privacy Act  
• Australia Personally Identifiable Information (PII) Data  
• Canada Personally Identifiable Information (PII) Data  
• Canada Personal Information Protection Act (PIPA)  
• Canada Personal Information Protection Act (PIPEDA)  
• France Data Protection Act  
• France Personally Identifiable Information (PII) Data  
• General Data Protection Regulation (GDPR) Enhanced  
• General Data Protection Regulation (GDPR)  
• Germany Personally Identifiable Information (PII) Data  
• Israel Personally Identifiable Information (PII) Data  
• Israel Protection of Privacy  
• Japan Personally Identifiable Information (PII) Data enhanced  
• Japan Personally Identifiable Information (PII) Data  
• Japan Protection of Personal Information Enhanced  
• Japan Protection of Personal Information  
• Saudi Arabia Personally Identifiable (PII) Data

The above are only some of the many templates and laws already programmed for DLP implementation in Office 365. There are many more than these which can help you achieve compliance with most legal requirements and serve as a good launchpad for customizing and formulating your own DLP plan.

Benefits of DLP Office 365

As it turns out, there are a lot of benefits your organization can gain from DLP, such as:

• Protection from data breaches – Data breaches and hacking attempts are more common than ever, and strong DLP policies, in place with other mechanisms, can help prevent valuable data from being stolen and spread.
• Compliance with legal regulations – DLP policies are just good business practices in general since there are often legal compliance requirements for organizations to have data protection measures in place. Otherwise, they can risk being shut down or sued for negligence and jeopardizing their investors.
• Attracting investors – Investors and potential partners will naturally flock to an organization known for securing their data instead of one loose with it. Investment is the key to the continued growth of any organization, and any business entity that does not protect its investors’ security will soon see them leaving it.
• Automized threat identification – One of the powerful ways that DLP works is by having a pre-built threat detection system that monitors and investigates data to determine match keywords. These keywords are essential in permitting the DLP system to identify unauthorized access or sharing of important information and data. DLP plans conduct these scanning checks of data files every day for every M365 application and continuously update the keywords to protect new incoming data.
• Round-the-clock monitoring – As we said, DLP continuously checks and scans data files all day, every day of the week, 24/7, to protect them from breaches and threats. This allows the DLP system to identify and take action against any threats within a second’s notice while alerting you of the possible danger.
• Double security checks – The information and data files secured by DLP are kept under multiple security checks, usually double-key encryption. This means that only the right-approved individuals can decrypt the secured files and data as the data administrators. Here, responsibility also lies on those data administrators to ensure those encryption keys are protected and do not leak out.
• Cloud-based security – Since DLP is a party of the Office 365 ecosystem, it is powered and optimized by powerful cloud-based security and artificial intelligence technology capabilities to sync up with M.S. applications on the platform. After important data is discovered, classified, and protected, this process is carried across all apps on the MP365 platform regardless of geographical boundaries. The power of the cloud also enables data administrators to access data from anywhere in the world.

DLP best practices

To properly implement DLP across your Office and M365 applications, it is vital that you understand and adopt certain critical practices regarding its implementation so it functions smoothly and does not end up being a hassle for your employees and business processes.  

All security mechanisms and applications like DLP have certain intrusive procedures, and the following are the best practices to ensure they don’t impede or obstruct your organization’s processes. 

Understanding your current policies: Before implementing DLP practices, check the existing security mechanisms and how they operate. This way, you will ensure that they don’t conflict with DLP or negatively affect each other. 

Recording inventory data: The more data points that DLP has access to, the better it can read and secure them. Information about data, such as its type, format, and location, is important for DLP policies. Therefore, this information should be recorded and documented while ensuring that there is no data sprawl. 

Limiting access: Not all of your employees or users can be given the same level of access to all types of information or data. A wise practice in general, not specifically for DLP, is to have different rankings or levels which determine access to information and even then to document when, where, how, and why a user is accessing certain information. 

Ensuring consistency: The fight for Office 365 data security and data loss prevention is an ever continuing one as those who seek to abuse your data continuously improve their methods. An organization must always remain vigilant about the security of its data. To put it simply, data protection must become a part of an organization’s culture – across the hierarchy.