How to ensure the information within Microsoft 365 is compliant
In the previous blog, we talk about how to drive adoption of Microsoft 365. The next step is to look at how to achieve compliance when using Microsoft 365.
As more of your users embrace the tools and benefits of Microsoft 365, creating and sharing information has never been easier. However, due to the ever-expanding set of options for sharing data with other people, both inside the organisation and external to it, there are compliance and privacy risks that need to be considered.
Organisations need to leverage a prescriptive, repeatable and mathematical approach to risk management. Using such an approach to quantify and mitigate risk demonstrates intentional corporate action to deal responsibly with risk, which can soften the hard edge of legal and regulatory action.
A best-practice approach has six steps:
Step 1 Risk Identification and Surfacing: External Regulations and Internal Policies
Surfacing, identifying, describing and categorising these risks puts the initial shape to your specific situation, and then informs what you need to do about these risks.
Step 2 Determine Likelihood
The likelihood of a risk becoming an actual event is the first of two critical questions to ask about each risk. Some risks are highly likely to occur given the new culture of teamwork and sharing taking root across the world.
Tools for developing a sense of the likelihood of being impacted by each risk include:
- Market research on general cross-industry trends and incidents, such as the general rate of phishing attacks on organisations of all kinds.
- Industry-specific research on risk rates for your industry. For example, we know that the government, healthcare and education sectors are heavily attacked by external cyber criminals.
- The number of shadow IT services being used among employees instead of corporate sanctioned services.
- Current mitigations that your organisation already has in place, such as Advanced Threat Protection services in Microsoft 365 or from another vendor to reduce the likelihood of compromise through malicious attachments and links.
- The number of third-party business partners who have trusted relationships with your organisation, and the risk maturity for each one.
- The correlation between internal employee satisfaction survey scores and the departure of disgruntled employees to competitor firms.
3 Calculate Severity
The severity of a risk becoming an actual event is the second critical question to ask about each risk. Some risks carry CEO-goes-to-jail or go-out-of business level severities, but most rank lower on the scale.
Privacy risks subject to administrative fines under the growing armada of global privacy regulations threaten significant financial fines, such as the often quoted 4% of global annual revenue under the GDPR.
Step 4 Visualise the Portfolio
Plotting each of the risks on a heat map using likelihood and severity as the axes enables a visual representation of criticality and priority.
While risks are multitudinous, the resources to mitigate each are usually constrained in each time period and therefore prioritisation is essential to ensure limited resources are invested in the right places.
Step 5 Decide Mitigations
Armed with a prioritised risk portfolio, investigate and decide on mitigations to pursue immediately, in three months, in six months, and beyond.
Mitigations could include the following, for example:
- To reduce operational risk, migrate away from certain cloud collaboration platforms to one of the corporate sanctioned services, such as Microsoft 365.
- To reduce privacy risk, implement a cloud access security broker (CASB) to apply data protection mechanisms to data stored in cloud services, track potential credential compromise through anomaly detection, and audit the security settings on cloud services, among others.
- To reduce reputational, compliance and privacy risks, implement stronger authentication mechanisms including strong multi-factor authentication.
- As a general mitigation, employee awareness training on the different types of information risk, along with actions to take to reduce the likelihood of converting a risk into an actual event.
Step 6 Ongoing Risk Auditing and Updating / Incorporating Newly Identified Risks
Once the initial mitigations have been implemented, ongoing measurement is essential to ensure the mitigations are having the desired effect.
As soon as it is determined that current mitigations are not working, alternatives must be identified and put into play. Risk mitigation is not a matter of single one-time actions, but rather the development of a culture of appraising, rating and controlling risks.
To explore more about how you can accelerate your adoption of Microsoft 365 and the associated business value, and the steps you need to take to ensure the information created and shared within Microsoft 365 is compliant, download our eGuide now.