Many companies are allowing staff to work from home indefinitely, raising questions about how they can protect work data on personal or uncontrolled devices.
Because we can lose company data in a variety of ways across different devices, we need to apply a variety of protection measures. Let’s take a look at the features in Microsoft 365 that can allow companies to protect their data while users are working remotely.
Use Mobile Application Management
Despite the name, mobile application management doesn’t just apply to mobile devices; it can also protect Windows 10 devices. Mobile Application Management policies can protect company data on both managed and unmanaged devices.
It works by applying protections to the apps your teams use to access company data, like Outlook, Teams, OneDrive and SharePoint.
You can enforce restrictions on these apps to prevent data being saved, cut, copied or pasted.
You can also require a PIN when the app starts or block the app from running on a jailbroken phone or tablet.
This feature can be used to selectively wipe company data from a user’s device, without affecting their personal files. This is handy for organisations where staff use their personal computers and mobile devices to access company information.
Set up conditional access policies
We can use Conditional Access to enforce restrictions on non-compliant or unmanaged devices, such as blocking access entirely or preventing particular actions, like saving attachments in Outlook on the web or syncing files to OneDrive.
We can apply these protections in other ways to apps like OneDrive and SharePoint, preventing users from syncing data to their personal devices by either blocking access or allowing only limited, web-only access.
Use Cloud App Security to protect data on third-party apps
These protections don’t just relate to Microsoft 365 apps like OneDrive, SharePoint and Outlook; we can use Microsoft Cloud App Security to apply additional protections to apps like Dropbox Business too. Applying protection to a third-party app like Dropbox Business can prevent users from downloading your company data to unmanaged devices.
Apps like Dropbox Business also provide their own security measures, allowing you to block access and wipe company data when a device next comes online.
Configure idle session timeouts
To lessen the likelihood of the wrong people accessing company information on a shared device, we can configure idle session timeouts. These will sign users out after a period of inactivity, just like your bank does.
Get alerts on suspicious activities
Cloud App Security includes built-in alerts that trigger on potentially suspicious activities. We can use these to get notified about things like mass deletions, mass downloads and unusual volumes of external sharing.
Protect sensitive data with Data Loss Prevention
We can use data loss prevention to restrict or impose conditions on the sharing of sensitive information. These policies can trigger on certain keywords like project names or sensitive information types like credit card numbers, driver’s license details or tax file information. Once a file containing this information is detected, the policy can display a warning, block the file from being sent or apply encryption.
Using Cloud App Security, we can apply additional data loss prevention measures to third-party apps like Box and Dropbox Business.
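The matching idea behind a data loss prevention rule, sketched as an added example (not Microsoft's detection code and not from the original article): a keyword check plus a credit card pattern confirmed with the Luhn checksum, mapped to the warn, block and encrypt outcomes described above. The project name, the rule ordering and the `external_recipient` flag are assumptions for illustration.

```python
import re

# Constructed policy values for illustration only (assumptions, not real settings).
KEYWORDS = {"project falcon"}
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return digit strings that match the pattern and pass the checksum."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate(text: str, external_recipient: bool) -> dict:
    """Map detections to an action; the ordering here is an assumed policy."""
    cards = find_cards(text)
    keywords = sorted(k for k in KEYWORDS if k in text.lower())
    if cards and external_recipient:
        action = "block"        # card data leaving the organisation
    elif cards:
        action = "encrypt"      # card data shared internally
    elif keywords:
        action = "warn"         # sensitive project name mentioned
    else:
        action = "allow"
    return {"action": action, "cards": len(cards), "keywords": keywords}


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a standard test number.
    print(evaluate("Card 4111 1111 1111 1111 for the invoice", True))
    print(evaluate("Ref 1234 5678 9012 3456, update on Project Falcon", True))
```

The second sample shows why the checksum matters: a 16-digit reference number matches the pattern but fails Luhn, so only the keyword rule fires.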
Use Sensitivity Labels
But what happens if this all fails, and someone downloads company data to a personal, unmanaged device? To protect against this, we can apply sensitivity labels. These labels define how sensitive a particular piece of content is and in turn can enforce protections on our data. What’s more, these protections apply no matter where it ends up. These baked-in protections can limit who can access the file and what they can do with it, preventing the wrong people from opening, copying, saving, forwarding or printing sensitive documents or emails.
In many cases, these protections can be applied automatically by scanning for those same keywords and sensitive information types that data loss prevention uses.
As you can probably tell by now, there’s a lot you can do to protect your sensitive data when people are working from home.