Office 365 Data Loss Prevention: 4 Proven Practices

March 25, 2020


Moving your data to the cloud can be liberating! It can unlock tremendous business tools and capabilities to your end-users and promote collaboration and teamwork by removing technical obstacles.

Despite the benefits and the robust nature of today’s cloud environments like Office 365, you still need to protect your business data.  

The main data protection strategy is an Office 365 backup and recovery solution; no matter what you do, you can’t avoid that. But what else? And why can data loss happen in Office 365? What best practices can you follow to ensure your data is protected?

Let’s cover these topics and see how you can effectively use Office 365 and protect your data at the same time.

Why Can Data Loss Happen in Office 365?

Why can data loss in Office 365 happen? Data can be deleted or corrupted by either legitimate or malicious actions in Office 365. This can happen even if there is no underlying hardware or system fault in cloud infrastructure.

In other words, the resiliency and redundancy of cloud infrastructure may be unaffected and still intact, but data may be deleted. It can simply be due to the actions of a user or, potentially, an attacker.

There are two main threats to your data that exist in the Office 365 cloud:

• Ransomware

• End-user actions


Ransomware is arguably one of the most ominous threats to your data. Even in cloud environments, ransomware, like a plague, can get its tentacles into your data and start slyly encrypting it.

Generally speaking, when you notice the encryption of your data, it is too late.  

Public cloud vendors are beginning to put protections in place to help fight ransomware and its effects on your data. However, these protections are not perfect. How does ransomware enter your Office 365 environment? File synchronization and email.

With file synchronization, on-premises Office 365 files are synchronized up to the Office 365 OneDrive for Business cloud. Often, OneDrive storage is shared between departments or different teams of end-users.

As an example of how ransomware can infect the cloud via synchronization, if one user’s laptop is infected with ransomware, the local OneDrive file copies are encrypted and synchronized up to the OneDrive for Business cloud.

This leads to all users connected to this cloud storage location seeing only the encrypted versions of the files stored in the OneDrive cloud.

Email is another attack vector. With Office 365 email, attackers have demonstrated they can encrypt Office 365 user inboxes.

An unsuspecting end-user simply has to grant permissions to a seemingly legitimate program that launches a ransomware attack on their inbox. Within minutes, their entire inbox will be encrypted.  

End-User Actions

Another way data loss can happen in Office 365 is due to end-user actions. Users carrying out a file operation they assume to be safe find they have deleted the wrong file or folder or have updated the wrong file. They may even perform a bulk delete operation on the wrong data.  

Again, Office 365 infrastructure may be operating normally; however, your data is affected by end-user actions that can result in data loss.

Resiliency and redundancy of the cloud infrastructure will not protect your data in these cases.        
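Both failure modes described above (an infected client syncing encrypted files up to OneDrive, and a user's bulk delete) show up as a burst of file operations from one account in the audit log. The following detection sketch is an added example, not part of the original article or any vendor's product; the records are constructed, and the five-minute window and 25-event threshold are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _make(user, op, start, count, step_s, name):
    """Build constructed records shaped like exported Office 365 audit entries."""
    t0 = datetime.fromisoformat(start)
    return [{"CreationTime": (t0 + timedelta(seconds=i * step_s)).isoformat(),
             "UserId": user, "Operation": op,
             "SourceFileName": name.format(i)} for i in range(count)]

# Constructed sample data (not real logs): normal editing, a rename storm
# such as a sync client uploading encrypted copies, and a bulk delete.
SAMPLE = (
    _make("alice@example.com", "FileModified", "2020-03-25T09:00:00", 5, 600, "report{}.docx")
    + _make("bob@example.com", "FileRenamed", "2020-03-25T10:00:00", 40, 2, "plan{}.xlsx.locked")
    + _make("carol@example.com", "FileDeleted", "2020-03-25T11:00:00", 30, 3, "old{}.pptx")
)

WRITE_OPS = {"FileModified", "FileRenamed", "FileUploaded"}
DELETE_OPS = {"FileDeleted"}

def find_bursts(records, window=timedelta(minutes=5), threshold=25):
    """Return {(user, kind): peak events in any sliding window} where peak >= threshold.

    window and threshold are assumed starting values, not vendor guidance.
    """
    per_key = defaultdict(list)
    for r in records:
        if r["Operation"] in WRITE_OPS:
            kind = "mass-write"
        elif r["Operation"] in DELETE_OPS:
            kind = "bulk-delete"
        else:
            continue  # reads, downloads etc. are out of scope here
        per_key[(r["UserId"], kind)].append(datetime.fromisoformat(r["CreationTime"]))
    alerts = {}
    for key, times in per_key.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # shrink window from the left
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (user, kind), n in sorted(find_bursts(SAMPLE).items()):
        print(f"ALERT {kind}: {user} touched {n} files within 5 minutes")
```

An alert of this kind is a cue to pause sync for the affected account and check version history or backups before the encrypted or deleted state spreads further.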

Office 365 Protection Best Practices

1. Enforce Strong User Passwords

Passwords are one of the most basic aspects of securing today’s business-critical systems, both on-premises and in the cloud.

Making sure the passwords used by end-users are strong passwords comprised of mixed-case, special characters, and numbers is one of the most basic ways to improve overall Office 365 security.

Enforcing strong passwords helps to protect your Office 365 environment from data loss due to compromised accounts.

End-users have a tendency to use easy-to-remember, non-complex passwords. These types of passwords are easy for attackers to brute force and compromise with “dictionary-style” attacks. Using Azure AD, which is provided with Office 365, you can enforce strong passwords globally.

This requires all Office 365 users to make use of strong passwords when setting their Office 365 password on their account. 

2. Use Multi-Factor Authentication

Even with the above mechanisms in place to help secure end-user passwords, passwords alone are no longer sufficient to ensure the security of your Office 365 environment.

Due to sophisticated and very convincing phishing attacks and social engineering, end users can be tricked into sharing usernames and passwords with an attacker.  

Multi-Factor Authentication helps to protect your Office 365 environment by providing an additional layer of security with a second form of authentication. This includes using a mobile device such as a phone as part of the authentication process.  

Even if the correct password is known, the second form of identity validation is needed. If an attacker has possession of the password, they still do not have all they need to complete the identity verification process.

This greatly reduces an attacker’s ability to compromise an account.

3. Use the Security and Compliance Center Secure Score

Discovering security and compliance hot spots in your Office 365 organization can be a daunting task. However, with both the Security and Compliance Secure Score values, you can quickly understand potential “hotspots” in terms of security and compliance in your Office 365 environment.

The Secure Score in the Security and Compliance Center is a measure of both the security posture and compliance with regulatory standards.

This gives you quick visibility into known security or compliance issues in your Office 365 organization.

While the Security Center Secure Score has been around for a while, the Compliance Score is a new offering that Microsoft released recently in conjunction with Microsoft Ignite 2019.

The Secure Score helps your organization in several key areas:

1. Have visibility to your current Office 365 security posture

2. Improve your overall security posture via the recommendations given

3. Establish key security performance indicators and understand risk factors

4. Backup Your Office 365 Environment

Backing up your data in Office 365 is absolutely critical. Backups are the most fundamental way to protect your data.

Most organizations have a good handle on backups when it comes to on-premises data; however, during an incorrect migration to the cloud, backups can get lost in the process.

To make migration from G Suite to Office 365 smooth and secure, follow this Migration Guide to Office 365.

Learn more about Hybrid Migration Office 365 and SharePoint Migration to Office 365.

There are native mechanisms built into Office 365 that many organizations attempt to use as a means to back up their data.

These include File Restores, in-place policies, and retention holds. File Restores is the only one of the three native mechanisms that is supported for data recovery.

Even with File Restores, you can only recover versions of your data up to 30 days old. In addition to this limitation, it does not cover all Office 365 services your business may use.

In light of these limitations, using a true enterprise backup solution for your Office 365 environment is absolutely critical to protect Office 365 from data loss.

Spinbackup provides the backup tools you need to protect your Office 365 environment.

With Spinbackup you get:

1. Automated backups 1-3x daily

2. Ability to choose where backups are stored (even in different clouds)

3. Ability to choose your own retention policy for your backup data

4. Office 365 recover deleted items capabilities

5. Efficient incremental backups

6. Ability to migrate data between user accounts

7. Encrypted backups both in-flight and at-rest

8. Centralized administration dashboard

9. Advanced reporting on your backup data

Not only does Spinbackup allow protecting Office 365 by way of backups, but it also includes security for Office 365 to help protect your environment against ransomware.

Spinbackup’s Ransomware Protection module stops ransomware and automatically restores any Office 365 files that were encrypted.