Skip to main content
Microsoft Security

Protecting your data and maintaining compliance in a remote work environment

In this difficult time, remote work is becoming the new normal for many companies around the world. Employees are using tools like Microsoft Teams to collaborate, chat, and connect in new ways to try to keep their businesses moving forward amidst the challenging global health crisis. I sincerely hope you and your families are staying safe and healthy.

I have been talking with many of you about the impact today’s environment is having on your organizations. Business continuity is an imperative, and you must rely on your employees to stay connected and productive outside of the traditional digital borders of business. In doing so, identifying and managing potential risks within the organization is critical to safeguarding your data and intellectual property (IP), while supporting a positive company culture.

Because many of you have been asking, here is some guidance for things you can do to take advantage of these capabilities. I’ll focus a lot of the examples on Teams, but many of these features are relevant across Microsoft 365.

Staying secure and compliant

First, knowing where your data resides while employees are working remotely is a vital question, especially for your risk management-focused departments. Data in Teams is encrypted at rest and in transport, and uses secure real-time protocol for video, audio, and desktop sharing.

There are also several tools that help you remain in control and protect sensitive documents and data in Microsoft 365. For example, you can restrict Teams experiences for guests and people outside of your organization. You can also govern the apps to which each user has access.

In addition, we’ve made sure that the Teams service is compliant: to help you answer questions from your auditors, we publish auditor reports on the Service Trust Portal. And we help our customers keep up with evolving regulations and standards with a robust compliance controls framework, which meets some of the most rigorous industry and countries’ regulations requirements.

Applying data loss prevention in Teams

Data loss prevention (DLP) addresses concerns around sensitive information in messages or documents. Setting up DLP policies in Teams can protect your data and take specific actions when sensitive information is shared. For example, suppose that someone attempts to share a document with guests in a Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won’t open for those users. Note that in this case, your DLP policy must include SharePoint and OneDrive for the protection to be in place.

Applying sensitivity labeling to protect sensitive data

You can also apply a sensitivity label to important documents and associate it with protection policies and actions like encryption, visual marking, and access controls and be assured that the protection will persist with the document throughout its lifecycle, as it is shared among users who are internal or external to your organization.

You can start by allowing users to manually classify emails and documents by applying sensitivity labels based on their assessment of the content and their interpretation of the organizational guidelines. However, users also forget or inaccurately apply labels, especially in these stressful times, so you need a method that will scale to the vast amount of data you have.

To help you to achieve that scale, we are announcing the public preview of automatic classification with sensitivity labels for documents stored on SharePoint Online and OneDrive for Business, and for emails in transit in Exchange Online. The public preview will begin rolling out over the next week. Like with manual classification, you can now set up sensitivity labels to automatically apply to Office files (e.g., PowerPoint, Excel, Word, etc.) and emails based upon organizational policies. In addition to having users manually label files, you can configure auto classification policies in Microsoft 365 services like SharePoint Online, OneDrive, and Exchange Online. These policies can automatically label files at rest and in motion based on the rules you’ve set. Those classifications also apply when those documents are shared via Teams.

Minimize insider risk

We also know that stressful events contribute to the likelihood of insider risks, such as leakages, IP theft, or data harassment. Insider Risk Management looks at activity from across Microsoft 365, including Teams, to identify potential suspicious activity early.

Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, leverages machine learning to quickly identify and take action on code of conduct policy violations in company communications channels, including Teams. Communication Compliance reasons over language used in Teams which may indicate issues related to threats (harm to oneself or others). Detecting this type of language in a timely manner not only minimizes the impact of internal risk, but also can go a long way in supporting employee mental health in uncertain times like this.

Enabling simple retention policies

To comply with your organization’s internal policies, industry regulations, or legal needs, all your company information should be properly governed. That means ensuring that all required information is kept, while the data that’s considered a liability and that you’re no longer required to keep is deleted.

You can set up Teams retention policies for chat and channel messages, and you can apply a Teams retention policy to your entire organization or to specific users and teams. When data is subject to a retention policy, users can continue to work with it because the data is retained in place, in its original location. If a user edits or deletes data that’s subject to the retention policy, a copy is saved to a secure location where it’s retained while the policy is in effect.

All data is retained for compliance reasons and is available for eDiscovery until the retention period expires, after which your policy indicates whether to do nothing or delete the data. With a Teams retention policy, when you delete data, it’s permanently deleted from all storage locations on the Teams service.

Staying productive while minimizing risk

Working remotely helps your employees stay healthy, productive, and connected, and you can keep them productive without increasing risk or compromising compliance. For more guidance around supporting a remote work environment in today’s challenging climate, check out our Remote Work or Remote Work Tech Community sites.