How to Develop Microsoft 365 Data Protection and Governance Strategies

Post Date: 03/18/2022

Building an effective data protection strategy for Microsoft 365 can be incredibly difficult, especially if there’s resistance from employees or a lack of tools to smooth out the process. In this week’s episode of #O365 Hours I sat down with Matthew Bookspan to gain insight into the tools and platforms he uses at Blacktip and how businesses should approach creating a data protection plan. Watch our discussion below or read the full transcript at your convenience!

Guest: Matthew Bookspan, CEO of Blacktip, an MSP based in Orlando, Florida

Topics Covered:

  • Historically, Microsoft has provided a number of products and features to help organizations strengthen the security around their data. What are some of the tools and platforms that you leverage with your customers today?
  • Beyond the tools themselves, Microsoft seems to be taking a more holistic approach with their Microsoft Information Protection (or MIP) in Microsoft 365, focusing on 1) knowing your data, 2) protecting your data, and 3) preventing data loss. Is Blacktip leveraging this approach with your customers?
  • For businesses that are looking for guidance on building a strategy around their data protection, what would you tell them? Where should they begin?

What are some of the tools and platforms that you leverage with your customers today?

Matthew Bookspan: Today we’re pretty heavy in the Microsoft platform. So many of our clients (which are small-medium-sized businesses) are using a mixture of policies set in Intune and Windows Autopilot. In conjunction with conditional access policies, we also set up multifactor authentication (MFA) for our clients to make sure that all of the devices they use are secure. Lastly, we use a lot of Microsoft Defender, which is now thankfully included with Business Premium. It’s great for small businesses, so we’ve been using that and setting things up like attack surface reduction and other policies to ensure a level of security and safety for our clients.

Christian Buckley: There’s a lot of fanfare around the Microsoft Secure Score as well. In project management, when you go into any new project you always wonder “What’s the baseline? Where are we today? How are we performing against others within the industry?” And so the Secure Score is meant to help provide that baseline.

MB: We use that internally. We leverage it to say, “Okay, how are we performing compared to the rest of the industry?” The secure score and the new productivity score (which is another measure Microsoft has come out with recently) are both very valuable because otherwise you really don’t have a metric other than what you personally define. So at least you have something to say, “Okay, here’s an interesting baseline. How do I grow from that?”

Microsoft seems to be taking a more holistic approach to their MIP in Microsoft 365. Is Blacktip leveraging this approach with its customers?

CB: What I like about it is that it’s a three-pronged approach in one: knowing your data, protecting your data, and preventing that data loss. If we don’t truly know what our data is and its attributes and what should happen and how it should be protected, then obviously we’re not going to be able to take the right steps, or we may overdo it on the protections and process end and surround that data where it doesn’t need it. So you want to be efficient in your application, but you want to be thorough.

MB: Right. It’s part of our plan, and it’s part of our roadmap. We’ve been looking pretty deeply at how we can be more prescriptive to our clients and how we can help them better classify the data so they understand what’s important and what isn’t, and what’s public and what’s private. How long do you want to retain that data? How long do you need that data? And lastly, once you do figure out what this data is and what’s meaningful about it, how do you then apply security measures effectively without preventing people from working optimally?

CB: Well, that’s always the thing. If people can’t get their work done, then what do they do? They go around the solution and usually in a much less secure and non-compliant manner, typically to some third-party cloud service. It’s a huge security issue for a lot of organizations that don’t have a strategy around external collaboration.

MB: Totally agree. We take the approach of considering how much freedom we can apply at first, check to see if we have any potential issues, and then maybe dial up the security a bit more. We tend to find better adoption, better results, and better engagement that way rather than saying “Hey, these are iron walls. This is what you can and can’t do. Too bad.” That’s not productive.

For businesses looking for guidance on building a strategy around their data protection, what would you tell them? Where should they begin?

MB: Engage with your partner. In terms of where to start, try stepping back and saying, “What’s the worst thing that could happen to me based upon my current posture today? Okay, what’s the next worst thing that could happen?” Go down that line of questioning. And then from there start developing a plan. Use the pilot programs and champion programs to start out small with testing new capabilities to see how well they work. See the results expand and continue to test and grow until you have your entire organization on board. You can run a pilot in a couple of weeks.

The more buy-in you get from the people doing the work, the better off you are. If they understand why it’s important then they’re more likely to put up with the little inconveniences that come with things like MFA.



An Office Apps & Services MVP and Microsoft Regional Director, Christian Buckley is an internationally recognized author and speaker and runs the community-focused CollabTalk blog, podcast, and tweetjam series.
