Data Loss Prevention with Office 365

What is a Data Loss Prevention Policy? It is a mechanism to protect content containing sensitive information from being shared with people outside your


and taking an automatic remedial action such as restricting who can access the content, sending end-user or admin notifications, and auditing the event for later investigation.

It doesn't matter how big or small your business is: you have a responsibility to protect all of the data that you store, whether electronic or not. For many of us in the UK, this started out with the Data Protection Act in 1998, which will be superseded by the GDPR (General Data Protection Regulation) in May 2018.

Some small to medium businesses might feel disadvantaged compared to larger corporates who have full-time Data Protection Officers and teams of security experts, but fear not: there are a number of tools available that can assist you no matter what your size or experience.

If you're using Office 365, there are two sections where you can set up a Data Loss Prevention Policy. The first is via the Security & Compliance section and the second is via the Admin section. When I wanted to implement our first policy, it seemed obvious to go to the Security & Compliance section, but this turned out to be the wrong place. The first policy I implemented was the UK Data Protection Act and it took almost 8 hours to go live across our end users. Even when it did go live, it worked for some of our users but not all of them. I then decided to implement the same policy but this time using the Exchange Admin Compliance Management section. Not only did the policy go live within 30 minutes, but there were actually a lot more options and rules that could be applied to each policy.

Happy that we now had functioning policies that checked external emails and attachments for sensitive data such as National Insurance number, passport number, credit card and driving licence, I went back to the Security & Compliance section to delete the original policies.

The UK DPA policy deleted straight away, but one week later, the UK Financial Data policy still says it is "Deleting". It's like an exhausted introvert being held captive by an oblivious chatterbox. It just won't go away.

If you are using Office 365 to set up a Data Loss Prevention Policy, don't assume the obvious and go to the Data Loss Prevention section in the Security & Compliance section. Instead, go to the Admin section and set the policy directly on the Exchange Server in the Compliance Management section.


TM Admin