Information protection - thing that needs to be done.

In recent weeks, Finland has seen a large volume of news and discussion about a serious breach of a city file server that held millions of documents, including files with personally identifiable information about 150000 students and 38000 employees.

I have conducted several assessments over the years, searching for PII data on on-premises servers and in cloud locations like OneDrive or SharePoint. The results are quite similar: there are good practices around core systems, but files need to be created and edited before they are uploaded to a core system, and there is no process in place to classify, protect or delete them. This is unfortunate because these things bulk up over time, and information like a social security number does not expire.

Lately M365 Copilot has brought the problem to the attention of decision makers, even on the basis of internal risk alone. Before, you had to know where to look for documents with sensitive information, so you might have had access but no way to use that data. AI indexes it and brings the information to you just by asking.

The way to tackle this is an information management model and its implementation with M365 technology. Each document is classified, and the permissions and lifecycle of the document are managed by that classification. With tools like Microsoft Purview Information Protection, the document can know who can open it and on what terms, no matter where it is saved. Lifecycle management is almost as critical: if the document is temporary, it should be deleted as promptly as possible.

But like everything, these things start with a first step. A data risk check is a good starting point, followed by actions based on the findings. The path is not short, but I can guarantee that there are nice views along the way in the form of mitigated risks.
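
As an added illustration of the first pass of such a data risk check (this is not code from the article or from any Microsoft tool), the Python example below flags files that contain Finnish personal identity codes and uses the code's date and check-character rules to discard look-alike strings such as order numbers. The function names, file names and file contents are assumptions constructed for the example.

```python
import re
from datetime import date

# Check characters of the Finnish personal identity code (index = number mod 31).
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"
# Century sign -> century of birth.
CENTURY = {"+": 1800, **dict.fromkeys("-YXWVU", 1900), **dict.fromkeys("ABCDEF", 2000)}
# Candidate shape: DDMMYY, century sign, 3-digit serial, check character.
CANDIDATE = re.compile(r"(?<![0-9A-Za-z])(\d{6})([-+A-FU-Y])(\d{3})([0-9A-Y])(?![0-9A-Za-z])")

def is_valid_hetu(ddmmyy, sign, serial, check):
    """True only if the date exists and the check character matches."""
    day, month, yy = int(ddmmyy[:2]), int(ddmmyy[2:4]), int(ddmmyy[4:])
    try:
        date(CENTURY[sign] + yy, month, day)
    except ValueError:
        return False
    return CHECK_CHARS[int(ddmmyy + serial) % 31] == check

def risk_check(files):
    """Map file name -> line numbers holding a valid code (the values are not kept)."""
    report = {}
    for name, text in files.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1)
                 if any(is_valid_hetu(*m.groups()) for m in CANDIDATE.finditer(line))]
        if lines:
            report[name] = lines
    return report

# Constructed sample content; the identity codes are synthetic test values.
SAMPLE_FILES = {
    "class_list_draft.txt": "Student: Test Person\nID 131052-308T\nphone 040-1234567\n",
    "invoice.txt": "Order 131052-308A shipped\nref 010101A123N\n",
    "notes.txt": "Meeting on 310299-1234 room B\n",
}

if __name__ == "__main__":
    for name, lines in risk_check(SAMPLE_FILES).items():
        print(f"{name}: identity code on line(s) {lines}")
```

The report records only file names and line numbers, so the findings list does not become another copy of the sensitive data.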

