Data Loss Prevention: Ensuring documents are compliant and secure.

We sat down with Jay McDougall, Deptive’s Modern Workplace Consultant, to talk about data loss prevention. Jay shares his thoughts on how IT and the wider business can work together to ensure documents are compliant and secure.

How should companies begin focusing on data loss prevention?

Data loss prevention is not just an IT responsibility; it’s something the whole business needs to be aware of and take ownership of, but to do that we have to put it in a context that’s relevant to them. Data isn’t just numbers and stats; it comes in many forms, like employee records, customer details, meeting notes, internal communications, banking details, payroll records, patents and trademarks, product designs, research, strategic plans, contracts, production schedules, inventory, emails, services agreements, machine sensor data and more. So data protection really is a ‘whole of business’ issue.

We recommend you avoid using technical jargon like Data Loss Prevention (DLP), which can lose meaning outside of the IT team, and instead talk about ‘document security’ as well as data security. Break it down to the essentials. Each division should:

  • know what data/documents they have,
  • ensure it is protected, and
  • control who has access.

IT can help the business protect their data by implementing a system of classification labels, encryption, and access restrictions across your platforms, whether the data is stored in SharePoint, Teams, or elsewhere. This will give the business the tools they need to protect their documents and data, but tools alone won’t provide full protection. It’s critical that the business understands how to apply the labels and the importance of using them, that each user understands the role they play in protecting documents and data, and that their personal responsibility is clearly communicated.

What key policies should companies consider for data/document security?

Consider implementing policies that restrict document sharing outside designated groups, based on tagging types. Consider enforcing restrictions on viewing documents on non-managed devices outside of secure zones and blocking actions like screenshots or copying content between apps within these protected profiles. These steps should be part of a comprehensive approach to securing information across all M365 platforms.

How should regulations influence the data/document security strategy?

Regulations should be a central part of your security strategy. For example, ensure compliance with laws like the Employment Relations Act, adhere to the Privacy Act and other relevant regulations by implementing strict data retention and disposal policies.

What classification labelling system should companies establish?

Your classification labelling can be anything you like, but it doesn’t have to be complex. A simple system with categories like “External,” “Internal,” “Confidential,” and “Highly Confidential” may be all you need. These labels should dictate how information can be shared and what protections are applied. For instance, you might want to ensure that highly confidential documents cannot be copied, emailed, or shared unless a label change is logged and justified.

What surprises might companies encounter during the data/document security implementation process?

While labelling and classifying information may seem straightforward, ensuring compliance with legal requirements can be complex. Make sure you have or can access expertise to navigate these details, as this may not typically fall within your IT team’s expertise.

How should companies roll out these policies?

Start by socialising the policies with a smaller group to gauge whether you have the balance right between protection and usability; we don’t want the policies to be too strict or too lenient. Simplify the policies into a one-pager to make them more accessible to everyone. Additionally, make sure this information is easily accessible, such as by adding it to your intranet.

How should users interact with these policies when creating documents?

You don’t need to force users to apply a label every time they create a document, but having default policies in place is crucial. Allow users to choose the appropriate label while monitoring the effectiveness of this approach. Be ready to adjust the policies if needed.

What challenges might companies face when explaining these concepts?

Explaining structures like SharePoint sites can be challenging because they aren’t always intuitive. Use familiar terms and visuals to help make these concepts more understandable to your audience.

What’s the next step in refining a data/document security strategy?

Continue refining your policies to ensure they are well understood across the company. Plan to integrate more visuals and examples into your training materials to make the policies more tangible and relatable for users.

If you want to ensure your documents are compliant and secure, get in touch.
