Office 365 Security and Compliance: An intro to DLP, records management, and e-discovery concepts

Theresa Miller takes a look at DLP, records management, and e-discovery in Office 365 Exchange Online.

Security and compliance are two of the hottest IT topics today, likely due to continuous headlines about data breaches and theft. For a long time, security and compliance were also two of the main reasons why organizations were hesitant to move to cloud platforms. But now that there is more education and awareness about cloud security, many organizations are full steam ahead to the cloud—and more specifically, to Office 365.

Office 365 has some solid options to protect your corporate data, but you will need to understand how these can be used before you make any decisions. Today, we will walk through the options that can ensure you have the best possible data protection plan for your Office 365 Exchange Online deployment.

Data Breach Loss Cost

Before you sit back and decide that you do not need to worry about data loss, I would like you to evaluate the following facts: the risk of data loss is not only the damage to your organization’s reputation, but also its high financial cost. According to a study by IBM Security, as covered in Fortune, the highest cost of a lost record is in healthcare. Yes, in today’s black market, healthcare data is now worth more than financial data.

Here is the breakdown of what you can expect a breach to cost your organization, per record:

  • A stolen healthcare record costs $355
  • Education records have a cost of $246
  • If you are in the financial industry, a stolen record will cost $221
  • In the services space, a stolen record will run $208
  • Life science organizations lose $195 per record
  • In retail, it will cost $172
  • And a communications industry record cost is going for $164

The cost per stolen record in other industries goes down from here, but as you will see, you can avoid enduring it by taking some simple steps.

Data Loss Prevention (DLP)

Enabling data loss prevention is key if you are interested in protecting customer or patient data. This can be done according to various government-mandated standards directly in Office 365—Microsoft provides templates that can be used as is or edited to meet your more specific needs. This is an especially powerful option for Exchange Online, where it can be very easy to email confidential information outside of your organization.

In some cases, organizations have a “policy” that directs how customer or patient information should be handled, but this often is not enough. Human error can still happen, and it’s very hard to clean up. Regardless of how information ends up in the wrong hands, though, it’s important to have DLP implemented as a failsafe.
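As an added example (not from the article), this is how the template-based DLP described above can be enabled in Exchange Online PowerShell, starting in audit mode so matches can be reviewed before mail is blocked; the admin UPN, policy name and compliance mailbox are placeholders, and it assumes the ExchangeOnlineManagement module.

```powershell
# Added example: template-based DLP in Exchange Online, audit first, then enforce.
# Assumes the ExchangeOnlineManagement module; UPN, domain and names are placeholders.
# (Microsoft has since moved DLP management to the compliance center, where the
# equivalent cmdlet is New-DlpCompliancePolicy; these cmdlets match the article's era.)
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# List the built-in templates and pick the healthcare (HIPAA) one by name.
$template = Get-DlpPolicyTemplate |
    Where-Object { $_.Name -like "*HIPAA*" } |
    Select-Object -First 1

# AuditAndNotify mode: matches are logged and the sender sees a Policy Tip,
# but nothing is blocked yet. Review the hits, then switch to Enforce.
New-DlpPolicy -Name "PHI Outbound" -Template $template.Name -Mode AuditAndNotify -State Enabled

# The template materialises as transport rules; inspect what it actually matches
# before trusting it as your failsafe.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "PHI Outbound" } |
    Format-List Name, MessageContainsDataClassifications, SentToScope, Mode

# A narrower custom rule for the human-error case: reject outbound mail that
# carries a payment card number and file an incident report with the compliance
# mailbox (placeholder address) so the attempt is detected, not just blocked.
New-TransportRule -Name "PHI Outbound: block card numbers" `
    -DlpPolicy "PHI Outbound" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "1" } `
    -RejectMessageReasonText "Outbound message contains a payment card number." `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# After the review period, enforce the whole policy.
Set-DlpPolicy -Identity "PHI Outbound" -Mode Enforce
```

Run `Get-DataClassification` to see the other built-in sensitive information types (SSN, passport numbers, and so on) that the same rule shape can match.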

Records Management: Keeping track of your Office 365 email

Records management defines which data you will keep and for how long. This can be for email, traditional data, or both. Either way, you need to define a policy, since without records management there can be serious legal consequences should litigation occur. I have a couple of recommendations:

First, work with your legal team for all decisions. IT administrators are not lawyers, and should not be responsible for these decisions. Work to draft and apply policy for your organization’s data retention needs, and know that the policy your organization puts together will not be the same as the next organization. It will be unique to your industry, team, and business needs.

Once these decisions have been made, Office 365 can help with the rest—here are some of the key elements of records management in this platform. First, you have the option of “In-Place Hold.” This allows certain items to be preserved based on a query. Then there is the “Litigation Hold,” where all items in a mailbox are preserved for whatever period of time you decide upon. These are some very powerful ways to keep what you need and protect your organization for the long run.

E-discovery for research and litigation

Within records management, there is another layer of consideration: who should have access to your data for litigation or research?

Each organization may have a unique approach, and again, this can apply to email, data, or both. One example I can share came from the early days of email. At the time, I worked for an organization that chose to have the Exchange administrators do the e-discovery searches. This was due to system security limitations that made it challenging to allow others to do the research. Today, in both Exchange on-premises and Exchange Online in Office 365, it is much simpler to allow your legal and compliance teams to do the e-discovery for the legal cases they are working on. This is a huge win!
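As an added example (not from the article), the two holds from the records management section and the delegation of e-discovery to legal staff described here can all be set up from Exchange Online PowerShell; mailbox addresses, the case name, the query and the hold periods are placeholders, and it assumes the ExchangeOnlineManagement module and an admin session.

```powershell
# Added example: Litigation Hold, query-based In-Place Hold, and e-discovery
# delegation in Exchange Online. Addresses, case name, query and durations are
# placeholders; the retention periods themselves are for your legal team to set.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Litigation Hold: preserve everything in the mailbox, including items the user
# deletes or edits, for a number of days ("Unlimited" is also accepted).
Set-Mailbox -Identity "alice@contoso.example" `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555   # seven years; placeholder pending legal sign-off

# Record who enabled the hold and when; this is the evidence you will be asked for.
Get-Mailbox -Identity "alice@contoso.example" |
    Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

# In-Place Hold: preserve only items matching a KQL query across named mailboxes.
# (Microsoft later retired this cmdlet-based hold in favour of the compliance
# center; it matches the article's era.)
New-MailboxSearch -Name "Case-0001 Hold" `
    -SourceMailboxes "alice@contoso.example", "bob@contoso.example" `
    -SearchQuery 'subject:"Project Falcon" OR "patient record"' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 365

# E-discovery delegation: the built-in Discovery Management role group lets legal
# and compliance staff run searches without being Exchange administrators.
Add-RoleGroupMember -Identity "Discovery Management" -Member "legal.analyst@contoso.example"

# Periodically review who holds this capability; it grants read access to mail.
Get-RoleGroupMember -Identity "Discovery Management"
```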

Parting Thoughts

There are many ways to protect your organizational email and data in Office 365, and overall, Office 365 actually simplifies how you can implement your various levels of protection. Be sure to work with your legal team to finalize policy, and you will be on your way to a safer and more secure Office 365 deployment.
