Protecting firm’s data in a remote work environment


With Covid-19 continuing to challenge countries on the African continent and the world at large, organisations are relying on their employees to stay connected and productive outside of the traditional digital borders of business. Working remotely helps employees stay healthy, productive, and connected, and you can keep them productive without increasing risk or compromising compliance.

In doing so, identifying and managing potential risks within the organisation is critical to safeguarding your data and intellectual property (IP), while supporting a positive company culture. First, knowing where your data resides while employees are working remotely is vital, especially for your risk management-focused departments.

There are several tools that help you remain in control and protect sensitive documents. For example, data in Microsoft Teams is encrypted at rest and in transit, and Teams uses the Secure Real-time Transport Protocol (SRTP) for video, audio, and desktop sharing.

In addition, whatever remote working platform you have selected to operate with, it is important to restrict access for guests and people outside of your organization. You can also govern the apps to which each user has access.

Secondly, data loss prevention (DLP) addresses concerns around sensitive information in messages or documents. Setting up DLP policies in your remote working apps can protect your data and take specific actions when sensitive information is shared. For example, suppose that someone attempts to share a document with guests in a Teams channel or chat, and the document contains sensitive information.

If you have a DLP policy defined to prevent this, the document will not open for those users. Note that in this case, your DLP policy must include SharePoint and OneDrive for the protection to be in place.


Thirdly, you can also apply a sensitivity label to important documents and associate it with protection policies and actions like encryption, visual marking, and access controls. The protection then persists with the document throughout its lifecycle, as it is shared among users who are internal or external to your organization. You can start by allowing users to manually classify emails and documents by applying sensitivity labels based on their assessment of the content and their interpretation of the organizational guidelines.

However, users can also forget to apply labels or apply them inaccurately, especially in these stressful times, so you need a method that will scale to the vast amount of data you have.

As with manual classification, you can now set up sensitivity labels to be applied automatically to Office files (e.g., PowerPoint, Excel, Word) and emails based upon organisational policies. In addition to having users manually label files, you can configure auto-classification policies in Microsoft 365 services like SharePoint Online, OneDrive, and Exchange Online.

These policies can automatically label files at rest and in motion based on the rules you’ve set. Those classifications also apply when those documents are shared via Teams, for example.

Fourth, we also know that stressful events contribute to the likelihood of insider risks, such as leakages, IP theft, or data harassment. It is therefore critical that organizations put in place tools to identify potential suspicious activity early.

For instance, we recently unveiled a solution called Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, which leverages machine learning to quickly identify and take action on code of conduct policy violations in company communications channels, including Teams. Communication Compliance reasons over language used in Teams which may indicate issues related to threats (harm to oneself or others). Detecting this type of language in a timely manner not only minimizes the impact of internal risk, but can also go a long way in supporting employee mental health in uncertain times like these.

Fifth, in order to comply with your organization’s internal policies, industry regulations, or legal needs, all your company information should be properly governed. That means ensuring that all required information is kept, while data that is considered a liability and that you are no longer required to keep is deleted. When data is subject to a retention policy, users can continue to work with it because the data is retained in place, in its original location. If a user edits or deletes data that is subject to the retention policy, a copy is saved to a secure location where it is retained while the policy is in effect.

For individuals (and we will have another piece on this soon), you need to realise that information is the currency of the internet. Your privacy on the internet depends on your ability to control both the amount of personal information that you provide and who has access to that information.

In conclusion, while these are certainly unprecedented and challenging times, together, we can and will get through this.

The writer is Microsoft Kenya Country Manager.