Using Sensitivity Labels to classify and protect your data

The primary concern for businesses of all sizes, when contemplating a move to Microsoft 365, is data security. How secure is my data? Does it meet my business and compliance policies? Who is allowed to access it? How do I share it securely? With so many options for storing and sharing data, once you make the move, it can be daunting to understand what to put where. For example, SharePoint, Teams, OneDrive and email can all be used for document sharing, but which one is more secure?  

Fortunately, Microsoft 365 provides a robust set of information protection capabilities that provide the same level of protection, regardless of where your data is stored or with whom it’s sharedSo, whilst we still have to agree which of these locations is most suitable, we can at least rest easy knowing that the data is protected no matter which application is used. We can do this using Sensitivity Labels. 

What are Sensitivity Labels? 

Sensitivity Labels act like stickers that you apply to your documents, emails and even Teams and SharePoint sites. This lets you both classify and protect your data. When a label is appliedthe content or site is protected based on the settings you choose. For example, you can create labels that encrypt files, add content marking and control user access. 

The exact level of protection applied will depend on which label is used to protect the content, as well as which settings have been configured to apply when that label is used. A document classified as confidential may have a company watermark placed on it automatically, whereas a document classified as general may only need a header or footer adding.  

After you apply a Sensitivity Labelthe label and protection settings roam with the content. This means that your document or email will remain protected regardless of where it goes, either inside or outside the business. For instance, if you have used a label that only allows view access to the document and prohibits printing, those policies will apply no matter who opens it. 

You can also simply assign a classification to content, without applying any level of protection. You can use this classification to generate usage reports and see content activity. Using a label to classify all content relating to a new marketing campaign will allow you to see how much content has been produced, as well as where it has gone, either inside or outside the business. The data may not be sensitive but you're getting valuable analytics, by classifying the data. 

How does it work? 

The first step is to define your label names. You can use any classification that fits your needs but as a starting point, Microsoft recommend the following tried and tested taxonomy: 

  • Personal 
  • Public 
  • General 
  • Confidential 
  • Highly confidential 

Next, we need to define the protection settings that are associated to each label. The first two may not warrant any protection and are simply used to track the amount of this type of data. The general classification may have a policy that will apply a footer to the document with your company information. If something is classified as confidential, it makes sense to apply a watermark to it. For the highly confidential data, we can enable encryption and prohibit forwarding or offline access. 

Finally, we publish the labels for use. This can be either to the whole business or select users and groups. Your Office 365 applications will display a sensitivity menu that contains all created labels, along with any help tips that have been created. Labels can be applied manually when documents are created or edited, or automatically based on content detection rules. You can also specify default labels for all new documents and emails.  

Once you label the data, information protection can proceed in several ways and scenarios. For example, protection can control the rights of who can access the data, how they are allowed to access it and what they can do with it. Additionally, you can configure usage rights and restrictions, as show in the examples below: 

  • Only users within your organisation can open the company-confidential document or email. 
  • Only users in the marketing department can edit and print the promotion announcement document or email, while all other users in your organisation can only read this document or email. 
  • Users cannot forward an email or copy information from a document that contains news about an internal reorganisation. 
  • After a specified date, users cannot open a current price list that is sent to business partners. 

Why do I need them? 

People in your organisation collaborate with others both inside and outside the organisation. This means that content no longer stays behind a firewall – it roams everywhere, across devices, apps, and services. When it roams, you want it to do so in a way that meets your organisation’s business and compliance policies. 

Without an information protection and classification product, there is almost no visibility of the life cycle or whereabouts of a document. This lack of visibility can leave you open to attack, either through accidental or malicious data leak. 

By introducing Sensitivity Labels, you can regain visibility and control over that data. What’s more, the analytics and usage reporting will simplify the process of complying with your industry’s regulatory requirements.  

How do I get them? 

Sensitivity Labels are part of information protection, which is available in either plan one or plan two. The big difference between the two plans is the ability to apply labels automatically. This is only available in plan two. Information protection is available as a standalone product or included in Microsoft 365 Business Premium, Microsoft 365 E3 and E5. The feature is also included in Enterprise Mobility and Security (EMS) E3 and E5. If you have any of these plans, you will have access to information protection. The two E5 plans listed above include information protection plan two. 

With a myriad of plans available and the recent name changes of Microsoft’s Office 365 plans, it can be difficult to understand whether you have a feature and how best to access it.  

If you would like clarification on your plan, the security features available or how best to implement them then reach out to one of our team, who will be happy to discuss the options. 

How can LIMA help? 

Not all data is created equal. Some data types are more sensitive and require a stronger level of protection and control than others. The kind of information that needs protecting depends on your internal security requirements and compliance obligations. Due to the fact that every organisation may have different governance or compliance standards, it’s important to understand and account for your specific business needs. There are general guidelines for more obvious sensitive data, such as credit card and national insurance numbers. However, no two organisations classify data the same way. 

LIMA can work with you to understand what information is sensitive to you and how best to protect it. We can work with your legal and compliance teams to agree an appropriate taxonomy for your Sensitivity Labels and align each of them to the right level of protection. When you are ready to start rolling the feature out, we can help you plan and implement the solution with minimum disruption. 

It’s important to note that Sensitivity Labels are just one tool at your disposal, when it comes to security and compliance. There are also features like data loss prevention, advanced threat protection and cloud app security that all complement one another in securing your data, devices and users. 

Through our Microsoft 365 Security Assessment service, we can capture your existing security posture, highlighting areas of potential weakness. From here we can map Microsoft 365 security capabilities, such as Sensitivity Labelsto your security objectives and requirements, providing a prioritised and actionable Microsoft 365 security roadmap. 

Speak to your account manager or email to find out more about how LIMA can help secure your mobile workforce with our Microsoft 365 Assessment Services. 

Back to News & Events

Our awards & accreditations.

For the past 20 years, we’ve been solving business challenges by designing and delivering intelligent IT solutions with a passion for technical excellence and customer satisfaction.

We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.
Fill in the contact form below and we’ll get back to you as soon as possible.

Head Office
6 Digital Park
Pacific Way
Salford Quays
M50 1DR
0345 345 1110
We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.

Contact Us

6 Digital Park
Pacific Way
Salford Quays
M50 1DR

0345 345 1110