DATA BREACHES CAN OCCUR VIA ANY OF THE ATTACK VECTORS (USERS, DEVICES, APPS, ETC).
If you are only addressing some of the threats, you may be adding locks to a door while a window is left open.
Data Loss Prevention (DLP) is the catch-all term for keeping company data from leaving the organization, whether through malicious actors, through inadvertent user error (e.g. sending a file to the wrong recipient because Outlook auto-completed a cached address in the To: field), or through a mistaken Reply All.
Microsoft doesn’t offer one specific DLP product per se; instead it protects against data loss at multiple layers:
- Locking down files with Azure Information Protection to keep users from sharing Personally Identifiable Information contained in documents
- Enabling access controls on critical data (e.g. SharePoint files) and systems (role-based access control)
- Monitoring for and alerting on anomalous behavior (e.g. a mass download from OneDrive), with particular attention to users who have access to monetizable data and to the files that hold it (financial account information, personally identifiable information (PII), payment cards, medical records)
- Full-disk encryption with BitLocker, which is enabled by default on supported hardware starting with Windows 8.1
- Protecting against malware, the entry point for many command-and-control and keylogger attacks, using Advanced Threat Protection in Office 365
- Keeping user devices from becoming the entry point, via remote application wipe and control using Office 365 MDM or Intune MAM
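The "mass download from OneDrive" alert in the monitoring bullet above is the kind of detection a practitioner would want to see worked through. The script below is an added example for this page, not Microsoft's code: it reads constructed records shaped like Office 365 unified audit log entries (CreationTime, Operation, UserId, Workload, ObjectId, ClientIP) and flags any user whose OneDrive downloads exceed a threshold inside a sliding time window. The user names, timestamps, 10-minute window and 50-file threshold are all assumptions chosen for illustration.

```python
"""Sliding-window detection of mass OneDrive downloads over audit log records.

Added example, not Microsoft's code. Records are constructed to match the
shape of Office 365 unified audit log entries; the window length and the
download threshold are assumptions a deployment would tune to its baseline.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: sliding window length
THRESHOLD = 50                   # assumption: downloads per window that raise an alert
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def parse_records(lines):
    """Parse one JSON audit record per line and keep only OneDrive downloads.

    Returns a list of (timestamp, user, object_id, client_ip) sorted by time,
    since unified audit log exports are not guaranteed to be chronological.
    """
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Workload") != "OneDrive" or rec.get("Operation") not in DOWNLOAD_OPS:
            continue
        ts = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, rec["UserId"], rec["ObjectId"], rec.get("ClientIP", "")))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_download(events, window=WINDOW, threshold=THRESHOLD):
    """Count downloads per user in a sliding window; emit one alert per burst.

    A burst starts when a user's count in the window reaches the threshold and
    ends when a later event finds the count back below it, so a sustained
    bulk download produces a single alert rather than one per file.
    """
    per_user = defaultdict(deque)   # user -> deque of (ts, object_id) inside the window
    in_burst = set()
    alerts = []
    for ts, user, obj, ip in events:
        q = per_user[user]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:
                in_burst.add(user)
                alerts.append({
                    "user": user,
                    "start": q[0][0],
                    "end": ts,
                    "count": len(q),
                    "distinct_files": len({o for _, o in q}),
                    "client_ip": ip,
                })
        else:
            in_burst.discard(user)
    return alerts


def _constructed_log():
    """Constructed sample: one ordinary user and one user pulling 60 files in 8 minutes."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # Burst first, so that parse_records has to sort by time.
    for i in range(60):
        lines.append(json.dumps({
            "CreationTime": (base + timedelta(minutes=30, seconds=8 * i)).strftime("%Y-%m-%dT%H:%M:%S"),
            "Operation": "FileDownloaded", "Workload": "OneDrive",
            "UserId": "mallory@contoso.com", "ClientIP": "203.0.113.7",
            "ObjectId": f"https://contoso-my.sharepoint.com/personal/mallory/Documents/customers-{i:03d}.xlsx",
        }))
    for i in range(5):   # ordinary activity: five files over an hour
        lines.append(json.dumps({
            "CreationTime": (base + timedelta(minutes=12 * i)).strftime("%Y-%m-%dT%H:%M:%S"),
            "Operation": "FileDownloaded", "Workload": "OneDrive",
            "UserId": "alice@contoso.com", "ClientIP": "198.51.100.4",
            "ObjectId": f"https://contoso-my.sharepoint.com/personal/alice/Documents/notes-{i}.docx",
        }))
    # Noise that the parser must ignore: a SharePoint download and a read-only access.
    lines.append(json.dumps({"CreationTime": "2024-03-01T09:05:00", "Operation": "FileDownloaded",
                             "Workload": "SharePoint", "UserId": "alice@contoso.com",
                             "ObjectId": "https://contoso.sharepoint.com/sites/hr/policy.pdf"}))
    lines.append(json.dumps({"CreationTime": "2024-03-01T09:06:00", "Operation": "FileAccessed",
                             "Workload": "OneDrive", "UserId": "alice@contoso.com",
                             "ObjectId": "https://contoso-my.sharepoint.com/personal/alice/Documents/todo.txt"}))
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_mass_download(parse_records(SAMPLE_LOG)):
        print(alert)
```

A fixed threshold is a starting point; in practice the threshold is set per user population from a measured baseline, and the alert is enriched with the client IP and the sensitivity labels of the files involved so that a burst against the files that hold PII or payment data is triaged ahead of a burst against public marketing material.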
In their unique interactive infographic about the anatomy of a breach, Microsoft outlines an intruder’s approach to infiltrating and extracting data, as well as some of the other Microsoft capabilities that protect, detect, and respond.
Are data breaches completely preventable? No, but the impact can be minimized by employing all possible prevention techniques, along with monitoring and response tools.