Microsoft Information Protection

Information security and data loss prevention are vital to protecting your valuable business data. The team at CompanyNet are experts in best practice around Microsoft Information Protection, compliance, retention and sensitivity labelling.

Why is Information Protection so important?

Microsoft Information Protection (MIP) is essential for organisations seeking to safeguard their sensitive data in an increasingly digital and threat-laden business environment.

Firstly, MIP facilitates comprehensive data classification and labelling, enabling organisations to categorise information based on sensitivity. This classification helps ensure compliance with various regulations, such as GDPR and HIPAA, by enabling organisations to manage and protect personal and sensitive data appropriately.

Additionally, MIP integrates seamlessly with existing Microsoft 365 tools, offering a unified approach to data protection. This integration allows users to easily apply policies across applications, ensuring that protective measures remain consistent regardless of where the data resides.

In light of the growing threat landscape, including ransomware and phishing attacks, MIP equips organisations with the tools needed to respond effectively to potential security incidents.

Its capabilities extend beyond traditional data protection, encompassing advanced analytics and insights that help organisations understand their data usage patterns and identify vulnerabilities. By leveraging this knowledge, businesses can adapt their safeguarding strategies to enhance resilience against evolving threats.

Microsoft Information Protection is indispensable for modern organisations aiming to navigate the complexities of data governance and protection. Its comprehensive features not only address regulatory compliance and security needs but also enhance organisational agility and resilience in the face of persistent cyber threats. By investing in MIP, organisations position themselves to protect their most valuable asset — their data, while fostering a culture of security awareness and compliance across their workforce.

Microsoft 365 Retention Policy

Retention policies in Microsoft 365 ensure that your organisation is proactively adhering to regulations and retaining content for a required minimum period of time. This time limit may be set by an industry body or regulator within your sector, or be self-imposed by your own internal requirements.

Retention policies in Microsoft 365 help you achieve a number of goals. They reduce your legal exposure if litigation is brought against your organisation, and reduce your risk if you are involved in a security breach. They also help your organization to share knowledge more effectively and be more agile, by ensuring that your users are working only with information that’s current and relevant to their jobs.

By enforcing the retention of data that you are legally required to retain, and permanently deleting old content that you’re no longer required to keep, retention policies help take the human element out of information management, automating tasks that would otherwise be very difficult for your staff to keep on top of.

Ultimately, retention policies in Microsoft 365 and Office 365 perform two very simple tasks in order to manage your content:

Retention

Content is retained by policy, meaning it can’t be deleted before the end of a fixed period.

Deletion

Content is deleted automatically and permanently once the defined period comes to an end.

Benefits of retention policies with Microsoft 365

Retention and deletion policies help you keep on top of your data costs, too.

Keeping huge amounts of ‘Redundant, Obsolete and Trivial’ information – also known as ‘ROT’ – can cost your business, in terms of storage, management, compliance, and search and discovery capabilities. By ensuring the correct deletion of information you no longer need, you will not only be protecting your organisation, but saving it money.

What’s the end-state vision of an organisation protected by retention policies? Key benefits of Microsoft 365 Retention Policies include:

Data Protection

Our valuable business data is protected by Microsoft 365.

Compliance

We are compliant with industry/legal standards.

Backup of Data

Information can’t be accidentally or maliciously deleted or lost.

Keep the Necessary

We ensure information we’re required to keep is kept.

Disposal

We properly dispose of information we are not allowed to keep.

Cost-efficient

We are efficient and not paying over the odds for data storage.

Creating retention policies in Office 365

Until recently, there was a combined ‘Office 365 Security and Compliance Center’.

However, this has now been split into two separate destinations: the Microsoft 365 Security Center and the Microsoft 365 Compliance Center. Retention labels are available in both; retention policies can only be found in the Compliance Center.

Retention policies and retention labels are not available to everyone in Office 365; you have to be licensed correctly. For a feature like auto-labelling, for instance, all users who can edit a file would require an Office 365 E5 enterprise licence.

Information Protection:
Watch the video

Learn how to protect and manage your organisation’s vital business data in Microsoft 365 and Office 365 with this webinar from CompanyNet. Presented by our Microsoft Information Protection expert, Dave Campbell, it includes vital information on sensitivity labels, retention policies and DLP.

We hope it gives you a taste of how CompanyNet can help you implement to protect your business data.

How to apply retention in Office 365

There are two main routes to Retention and Deletion of information in Office 365.

They are not designed to be used in isolation – typically, your information protection scheme would make use of both.

Retention Labels

Retention labels can do disposition reviews, event-based retention, and more. However, you can only use them to manage SharePoint, OneDrive, Office 365 Groups, and Exchange (email) content.

Retention Policies

Retention policies can manage all the content retention labels can. In addition, they can be applied to Microsoft Teams, Skype for Business and Exchange public folder content.

Both of these perform the same actions: retaining content so that it can’t be permanently deleted before the end of the retention period, and deleting content permanently. One of or both actions can be performed by a single policy or a label.

Retain: Ensure information is kept for X years after creation. At the end of that period, do nothing.

Retain & Delete: Ensure information is kept for X years after creation. At the end of that period, delete it.

Delete: When information is created, do nothing. After a period of X years has passed, ensure it is deleted.

Microsoft 365 Sensitivity Labels

Discover Sensitivity Labels in Microsoft 365, which is a powerful way to ensure that your critical organisational information remains secure and well-managed in a world where sharing is the norm, without impacting efficiency.

Part of the Microsoft Information Protection suite, sensitivity labels are available with certain Office 365 licenses.

Sensitivity labels are a key feature in the Microsoft 365 Information Security suite. They mark up content such as documents and emails, in a way that makes users aware of the need to protect the information. They can also be used to encrypt that content, and to monitor it once labelled.

A document or email that has had a Microsoft 365 Sensitivity Label applied may have a ‘watermark’ across it, or a header or footer stating the security level.

Labels are persistent in that they remain attached to your content, meaning you can be sure they are still working even if a document leaves your organisation.

Sensitivity labels form part of the Microsoft Information Protection toolset for Microsoft 365 and Office 365. They are distinct from retention labels – any given document can have one sensitivity label and one retention label.

Applying sensitivity labels in Office 365

When you apply a sensitivity label in Microsoft 365, your content (such as a document or email), will have that label’s security properties applied to it. This could simply be a watermark, a header or a footer, or it could be advanced file encryption.

Sensitivity labels can be applied directly from within Office 365 apps such as Word, PowerPoint, Excel and Outlook. They can also be applied automatically by Microsoft 365 – such as if you save a document in a document library in SharePoint, Microsoft Teams or OneDrive which is set up to apply a particular label. This is also the case for sites and groups across Office 365, which can have a default label applied to any files stored there.

Furthermore, Office 365 can detect sensitive content using artificial intelligence and pattern matching. For example, you could have it set up to automatically apply a label to any document containing passport numbers, UK National Insurance numbers, or credit card numbers.

This proactively prevents users from accidentally sharing personal data with the outside world, or even with different units within your own organisation.

It’s important to note that a label can be created that prevents users from downgrading it to a lower sensitivity level. So if a ‘high sensitivity’ label is applied, it may require the user to provide justification for reducing the sensitivity level, or prevent them from doing so altogether.

Licensing and Microsoft 365 sensitivity labels

Whether you can use this feature is governed by your Microsoft 365 or Office 365 licensing.

In order to use sensitivity labels, you must be paying for the correct licence. Note that you may be able to access the feature even if you are not licensed for it – it is up to you to ensure you are legally compliant. If you use it without licensing, and are subsequently audited, you could find yourself being billed for unexpected costs (or worse).

If you have concerns about your Office 365 or Microsoft 365 licensing, the team at CompanyNet is happy to help. We know it is one of the trickiest areas to navigate; our licensing experts have not only helped our customers understand and optimise their licensing, but have saved businesses significant amounts of money on licenses they did not need.

FAQs

What are retention policies?

Retention policies are a tool to help you comply with industry regulations and internal policies that require content to be retained for a minimum period of time. They reduce risk in the event of litigation or a security breach and ensure users only work with content relevant to them.

How does retention work in Microsoft 365?

When content is subject to a retention policy, people can continue to edit and work with the content as if nothing has changed, because the content is retained in its original location. But when someone edits or deletes content that’s subject to the policy, a separate copy is automatically saved to a secure location, known as the ‘Preservation Hold Library’, where it is retained while the policy is in effect.

Shortly after the retention period comes to an end (usually about a week later). any copies of the document are automatically and permanently deleted. If no deletion policy is in place, the file will remain in place, but users can now delete it permanently without a preservation copy being made.

The precedence of retention and deletion policies in Office 365 is as follows: retention always wins over deletion; the longest retention policy wins; explicit inclusion wins over implicit inclusion, and finally the shortest deletion period wins.

In practical terms, this means if a document is in a position where two policies are applied to it – “retain for 5 years” and “delete after 3 months”, it will be retained for 5 years. If it is subject only to “delete after 3 months” and “delete after 5 years”, it will be deleted after 3 months.

What are sensitivity labels?

Sensitivity labels are a tool to help protect emails or documents which contain restricted content. They can add watermarks, headers or footers to content, encrypt content and enable its monitoring. In Office 365, they often appear as tags on documents and emails.

Why should I use sensitivity labels in Office 365?

It’s a simple fact that users in your organisation need to collaborate with others, both internally and externally. Furthermore, collaboration technology has made it easier than ever to share information. But not all information should be shared.

Protecting your critical business information should be a priority, but relying on people not to share information is not the best approach. Whether by accident, through ignorance, or through malicious intent, sensitive information has a habit of getting shared. Microsoft 365 Sensitivity Labels are a software solution to this challenge which let you manage your corporate information with ease.

Best of all, sensitivity labels are designed not to get in the way of your work, ensuring you can protect your information without any impact on productivity.

How can I create and manage sensitivity labels in Office 365?

Sensitivity labels in Office 365 are created and managed from the Microsoft 365 Compliance Center or the Microsoft 365 Security Center.

Setting up sensitivity labels is simply a matter of entering a name for your label, choosing who it will apply to, what kind of content marking you wish to apply, and what restrictions the label will impose. You can then publish the label, and it will become available for use to colleagues across your organisation, or to the subset of users you specified.

If you delete a sensitivity label altogether, it will not be removed from documents where it has already been applied. Office 365 will enforce any existing sensitivity labels that have been applied to documents, even if the label is no longer available for marking new documents.

Some more advanced actions around sensitivity labels, such as implementing Microsoft Azure Information Protection (AIP) Scanner can only be done from Microsoft Azure. There are also instances where creating sensitivity labels using Microsoft Azure can result in improved performance. CompanyNet’s subject matter experts are happy to advise customers on which approach will be most effective for their organisation’s requirements.

Get in touch

We know Information Security in Microsoft 365 is a challenging topic. That’s where CompanyNet can help your organisation. We have plenty of experience implementing information protection for organisations of all sizes – from household names and public sector organisations to small businesses.

Our subject matter experts have in-depth, up-to-date specialist knowledge of sensitivty labels and retention policies, as well as the wider Office 365 and Microsoft 365 field. We can help you master information security in Office 365.

If you’d like to discuss your requirements, drop us a line – we’d be happy to help.

Let’s talk

Fill in the form to discuss your options with one of our specialists and get a free assessment of your environment.

What you’ll get from the assessment:

An understanding of how your business can develop a Modern Workplace

Clear advice on any challenges your business may face and how to overcome them

A clear pathway for your business to take, with guidance on adoption and deployment