Can this Microsoft 365 tool solve the problem of endpoint data loss prevention?

Every device—whether it’s a company-issued laptop or your personal tablet—that connects to your corporate network is considered (in IT parlance) an endpoint. The ability to protect and manage data flowing through these endpoints is a critical concern for every corporate IT organization. With more and more of us working remotely, it’s more important than ever for companies with “work from anywhere” options to secure company data on every endpoint on the corporate network. Training employees on common sense cyber-security practices never hurts, but companies using Microsoft 365 also have a powerful new tool to secure corporate data across all employee endpoints: Microsoft Endpoint Data Loss Prevention (DLP).

What is data loss prevention?

Amaxra has blogged in the past about how in a digital economy, data is the new oil—meaning that data is an extremely valuable resource. Depending on your business’ location, protecting your data can also be subject to various regulatory compliance standards to follow. Data loss prevention (DLP) covers the various methods for a business to prevent even inadvertent public disclosure of sensitive corporate data.

A good DLP policy combines employee training with digital tools. These tools should automatically monitor the various locations (both cloud and on-prem) where sensitive data such as corporate financials, employee social security numbers, customer credit card numbers for a retailer, and patient health records for a clinic are stored. What makes the new Microsoft Endpoint DLP tool for Microsoft 365 special is its ability to extend the monitoring and protection to sensitive information stored on Windows 10 devices. Microsoft Endpoint DLP uses the power of the Microsoft Cloud to automatically identify sensitive data anywhere on your corporate network and then prevent and monitor any data sharing via a clean and simple dashboard interface in the Microsoft 365 Compliance Center.

Why you need Microsoft Endpoint DLP protection

A common DLP scenario that applies to both remote workers and employees working in a traditional office is copying sensitive corporate data to a cloud-based or physical hardware storage device. As we’ve already established, any and all devices connected to your corporate network is considered an “endpoint” and therefore monitored by Microsoft Endpoint DLP. Microsoft’s approach to DLP is to provide protection without impacting employee productivity—and do it in a way that educates users that they are about to share sensitive content.

For example, say your company is a law firm that uses a combination of Microsoft OneDrive, Microsoft Teams, and Adobe Creative Cloud online storage to share video depositions of your clients. A new hire at the firm, for whatever reason, attempts to upload a large MP4 file of a client’s video deposition into their personal Dropbox storage then share the link in Microsoft Teams. Microsoft Endpoint DLP will detect that uploading to Dropbox is a policy violation and automatically block that file from being uploaded. However, when the employee drags the same MP4 file directly into Microsoft Teams for sharing, Teams will automatically upload large files into OneDrive and Endpoint DLP recognizes that specific OneDrive tenant is authorized for use by the law firm.

Another powerful feature of Microsoft Endpoint DLP is the ability to apply these endpoint DLP policies at the file system level. Going back to the law firm example, many of those businesses use external hard drives to store large video deposition files. But with Microsoft Endpoint DLP, a policy can be set up so that only certain external hard drives are authorized to store sensitive files. So, if that same employee tries to copy a video deposition file to their personal USB drive, Microsoft Endpoint DLP will notify the employee that copying to that particular hardware storage device is blocked.

How to set up Microsoft Endpoint DLP for your organization

The native integration of Microsoft Endpoint DLP with Windows 10, the Microsoft Edge browser, and Microsoft 365 apps means that setting it up is relatively simple. There are no additional software or agents required so it will not slow down your PC. Corporate IT managers will appreciate how Microsoft Endpoint DLP is 100% cloud native and cloud managed, meaning that this tool leverages Microsoft’s $2 billion annual investment in cyber-security and artificial intelligence to recognize sensitive content and the ever-evolving threats to them.

Polices for data-loss prevention are configured by authorized users in the Microsoft 365 compliance center, an administration portal available to corporate IT managers. While there are plenty of default data-protection templates provided by Microsoft in Endpoint DLP, corporate IT managers can either configure those preexisting templates to better match their specific data-prevention policies or create them from scratch. One important prerequisite to using the Microsoft 365 Endpoint DLP is a Microsoft 365 E5 license. This means organizations with Microsoft 365 For Business licenses or Microsoft 365 E1 and E3 licenses do not have access to the Endpoint DLP feature.

Microsoft Endpoint DLP is a must for many businesses

In the new normal of post-pandemic working, professional service firms in the legal, financial, and healthcare industries greatly benefit from endpoint protection. No matter what size your organization, Amaxra can help. If you’re concerned about the costs of E5 plans compared to Microsoft 365’s less expensive offerings, then Amaxra can help make it work for your business. Amaxra consultants understand Microsoft software licensing inside out. We are a Gold-level Microsoft Partner with extensive experience maximizing the value of Microsoft 365 and deploying secure remote working solutions for businesses large and small.