Data Security & Governance
Preventing the oversharing of documents and data in Microsoft 365
Whoops! Most IT managers know a horror story or two about the oversharing of a particularly sensitive document that either happened to them or one of their peers:
The time that the panicked PA of the CEO called IT to tell them that a highly confidential document about the company’s potential merger with their main competitor was currently coming up in a SharePoint search.
Or when a CSV file export from the CRM system that contains the name, address and personal emails of all your customers has accidentally been sent with a link to half of the customers on the list.
TL;DR?
Our upcoming webinar looks at practical strategies and actions you can take to minimise the risk of oversharing.
Oversharing – the usually accidental sharing of restricted content, documents and data with people who should not have access to it – is a common occurrence. IT managers undertake a range of strategies and tactics to reduce the chances of it happening and to minimise the impact if it does. Within any organisation, particularly one with a large and sprawling Microsoft 365 tenant, it is extremely likely that there is sensitive information that is currently exposed and potentially discoverable. That doesn’t mean that it will be found, but the threat is there.
Five truths about oversharing and Microsoft 365
1. Oversharing happens both internally and externally
Oversharing is not just about accidentally sharing something with a client or a third party, but also about sharing restricted internal documents with people who shouldn’t see them, and who may then be more likely to share them externally.
2. Most oversharing is down to user behaviour
Oversharing is principally due to user action. Usually this is accidental or careless and involves sharing content in a place where more people have access than the user realises. It may also be partly down to the person responsible for a Teams group or SharePoint site who has not set the right permissions on it. However, sometimes wilful actions such as using shadow IT or posting documents to a private email can also lead to oversharing.
3. Damage ranges from embarrassing to extremely serious
At best, oversharing results in a few red faces. At worst, it leads to data breaches which will result in compliance-related penalties, significant reputational damage or hugely damaging security issues.
4. Microsoft 365 is sprawling and complex and hard to control
Microsoft 365 can be particularly prone to oversharing due to a combination of:
- Microsoft 365’s broad toolset, which empowers users to share documents and information in multiple ways, but which can also be confusing for users.
- The site sprawl that many organisations experience, which makes it harder to apply governance.
- Search experiences, targeted views and now AI, which can surface and expose documents from right across your tenant.
5. Oversharing on Microsoft 365 is inevitable but much of it is preventable
Because oversharing is principally down to user actions it is inevitable. However, the good news is that most oversharing via Microsoft 365 is preventable. A combination of:
- Setting and implementing the right business and technical policies
- Establishing the right behaviour and a security-first culture through a sustained programme of user education
- and ongoing monitoring to warn of potential incidents before they happen,
will not only reduce potential incidents, but also contain the potential fall-out if something does happen.
Five steps to gaining control and preventing oversharing on Microsoft 365
Preventing oversharing on Microsoft 365 doesn’t necessarily happen overnight but you can make good progress surprisingly quickly. The steps we describe below aren’t completely linear and will to a certain extent happen concurrently. For example, you’ll often find yourself crafting new technical policies as you implement and test them.
1. Assess how exposed your data is and the associated risks
The starting point for sorting out the problem is to run an assessment of your level of risk and how exposed your data is across Microsoft 365. There are various tools and scripts within Microsoft 365 that can help, including:
- If auditing is enabled, the unified audit log in the Microsoft 365 admin centre will spotlight sharing activities and highlight any items that have been shared externally.
- Reports relating to OneDrive and SharePoint in the admin centre will also allow you to see what is being shared.
- If you know your way around PowerShell scripts, then these are always an option.
There are also a number of third-party tools that can provide a comprehensive assessment of data exposure across Microsoft 365 and can sometimes add value, for example with focused reporting and actionable suggestions.
Analysing this data will give you a strong overview of your level of risk. It can also be worth supplementing this by speaking to users to get a sense of the types of behaviours that are also leading to the risks. You could, for example, run focus groups with different groups to dig into the behaviours, assess their level of knowledge about using Microsoft 365, understand their needs around sharing, identify pain points and more. Having this 360-degree view will help you tackle the problem of oversharing in a more sustainable way.
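The audit-log route above is the one most tenants can use straight away. The script below is an added example written for this article, not a tool from the post or from Essential: it pulls the last 30 days of SharePoint and OneDrive sharing events from the unified audit log, parses the JSON payload, and summarises which sites are generating external shares. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an audit-log reading role; the operation names are Microsoft’s documented sharing audit events, the output file name is a placeholder, and treating anonymous links and guest recipients as “external” is a simplifying assumption you may want to widen.

```powershell
# Added example (not from the original post): summarise external sharing
# events from the unified audit log over the last 30 days.
# Assumes: ExchangeOnlineManagement module installed; account can read the
# audit log. Output path is a placeholder.
Connect-ExchangeOnline

# Documented SharePoint/OneDrive sharing operations in the audit log.
$ops = @(
    'SharingSet',                # permissions granted on an item
    'SharingInvitationCreated',  # sharing invitation sent to a user
    'SecureLinkCreated',         # "specific people" link created
    'AddedToSecureLink',
    'AnonymousLinkCreated',      # "Anyone with the link" link created
    'AnonymousLinkUsed'
)
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# One call returns at most 5,000 records, so page with a session id until
# the log stops returning rows.
$sessionId = "oversharing-review-$([guid]::NewGuid())"
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $batch
} while ($batch.Count -gt 0)

# AuditData is a JSON string; keep only the fields needed for the review.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $d.CreationTime
        Operation  = $d.Operation
        SharedBy   = $d.UserId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # Member, Guest, SecurityGroup, ...
        Site       = $d.SiteUrl
        Item       = $d.ObjectId
    }
}

# Assumption: an event is "external" if it created or used an anonymous link,
# or the recipient is classed as a Guest. Adjust to your own definition.
$external = $events | Where-Object {
    $_.Operation -like 'Anonymous*' -or $_.TargetType -eq 'Guest'
}

# Sites generating the most external shares first; this is where to look.
$external | Group-Object Site | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the detail for follow-up with site owners.
$external | Export-Csv -Path .\external-sharing-last30d.csv -NoTypeInformation
```

Run it once to get a baseline, then re-run it monthly: a site that suddenly appears near the top of the table is usually either a new external collaboration that nobody governed, or a permissions change that somebody should be asked about.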
If you need extra help in assessing your risk to oversharing across Microsoft 365, you can always use third-party experts like Essential to support you.
2. Get solid information management policies in place
Assessing your risk will allow you to identify the information management policies that need to be in place to both prevent and identify oversharing. At the centre of preventing oversharing will be your Data Loss Prevention policy. This will provide the detail of who can share what, with whom and how. It will identify the groups and the places where oversharing is most at risk and the processes that need to be in place.
This is also where adopting a Zero Trust mindset can make a difference: verifying every access request, rather than assuming internal traffic is safe. Aligning your Microsoft 365 Groups structure with the principle of ‘least privilege’ ensures that only the right people have the right access, and permissions aren’t left open ‘just in case.’
There may be additional high-level policies that need to be implemented or promoted through the business. You may not have a clear information security and sensitivity classification for documents and communications that is used outside IT, and it might need to be extended to better guide users to think about the information and content they are working with. Other policies might relate to Teams and SharePoint governance – putting an approval process in for the provisioning of new Microsoft Teams for example to prevent sprawl.
3. Implement your policies
Microsoft 365 admins have access to a plethora of settings that will allow them to manage policies relating to sharing documents and information, managing sensitive data and data loss prevention. These will allow you to support your policies, often in a highly granular way, that can also reflect the intricacies and inconsistencies that exist in most organisations.
But Microsoft 365 is a feature-rich, big product with a sometimes-overwhelming number of tools, all of which continue to evolve. If you’re not used to the admin settings available to you it can be challenging to fully protect yourself as well as keep up to speed on areas such as SharePoint and Teams governance which is always fiddly.
Microsoft Purview Information Protection is very comprehensive and is available to anyone who has at least one E5 license, although there are additional licensing options available. It covers both data security (data loss prevention) and data governance (classification) across Microsoft 365, Teams, SharePoint, OneDrive and beyond, even including some non-Microsoft cloud apps.
Purview’s DLP capabilities allow you to create technical policies that map to your business needs, and then get access to the detailed reporting you need. Once you start defining the types of information that are sensitive in your organisation – a client name, a piece of HR data, potential credit card numbers, to name a few examples – you can build out the detail of all your policies and where they apply, and identify potential oversharing incidents.
Defining this detail is often an ongoing process and sometimes an inexact science; the ability to run a data loss prevention policy in simulation mode to see its real-world impact on your production environment before enforcing it is extremely useful. Purview’s data classification features, which also let you automatically tag assets that contain items such as credit card numbers (with manual editing if required), are likewise extremely useful for overall data management and for keeping up the good fight against oversharing.
But in our experience, there can be a steep learning curve and ongoing monitoring using Purview can also be frustrating.
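To make the “define, simulate, then enforce” loop concrete, here is an added example written for this article rather than code from the post or from Microsoft’s documentation. It creates a Purview DLP policy scoped to SharePoint, OneDrive and Exchange, with a single rule that fires when built-in sensitive information types are shared with people outside the organisation. The policy starts in test mode (the PowerShell equivalent of trying a policy before enforcing it), so matches are logged and users see policy tips but nothing is blocked; only once the detections look right is it switched to enforcement. It assumes the ExchangeOnlineManagement module and Compliance Administrator rights; the policy and rule names are placeholders, and the review step assumes the `Get-DlpDetailReport` cmdlet is still available in your tenant.

```powershell
# Added example (not from the original post): a Purview DLP policy that
# starts in test mode, is reviewed, and only then enforced.
# Assumes: ExchangeOnlineManagement module; Compliance Administrator rights.
# Policy and rule names are placeholders.
Connect-IPPSSession

$policyName = 'Oversharing - Customer PII (test)'

# Scope to the workloads where documents live. TestWithNotifications logs
# matches and shows users the policy tip, but blocks nothing yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Flags customer PII shared outside the organisation' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: built-in sensitive information types from the Purview catalogue,
# matched only when the content is shared with people outside the org.
New-DlpComplianceRule -Name 'PII shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                   minCount = '1' },
        @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections, Severity, Title `
    -ReportSeverityLevel High

# Review what the rule matched while in test mode. Look for false positives
# (e.g. test data, published price lists) before enforcing.
Get-DlpDetailReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -DlpCompliancePolicy $policyName |
    Select-Object Date, Source, Actor, DlpComplianceRule, SensitiveInformationType |
    Format-Table -AutoSize

# Once the matches look right, enforce the policy. Until this line runs,
# the block action above is recorded but not applied.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two details that matter most in practice are `-AccessScope NotInOrganization`, which keeps the rule from firing on ordinary internal collaboration, and leaving the final `Set-DlpCompliancePolicy` commented out until someone has actually read the test-mode report.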
4. Educate users
Oversharing is principally due to user action. Usually this is accidental and comes from not understanding the ramifications of sharing something in a particular place. It may also be partly down to a super user who has not set the right permissions on a Teams space or SharePoint site they are responsible for. However, sometimes wilful actions such as using shadow IT or posting documents to a private email can lead to an oversharing incident. Changing behaviour requires influencing hearts and minds. Therefore, user education around oversharing needs to focus not only on the “how” but also on the “why”.
Educating users to avoid oversharing is critical and requires a focused and ongoing programme to embed the right behaviours and create a security-first culture that minimises the risk of oversharing. The kind of approaches that work include:
- Including training on avoiding oversharing in any general cybersecurity training, alongside phishing and security awareness and compliance areas such as data privacy.
- Ensuring the training is mandatory and is not only part of employee onboarding for new hires, but is also included as part of an annual “top up” process.
- Targeting the training to the right roles so it is relatable and meaningful to their role, activities and systems they use.
- Encouraging leaders to model the right behaviours and spread the word.
- Partnering with the people responsible for learning and communications to run campaigns which could include events, news items, ongoing IT tips and more.
- Using voluntary ambassadors or champions to help spread the message on the ground, ask questions, give feedback about the programme and more; a peer-led approach usually makes the message more relatable and adds context around daily activities.
5. Equip yourself to tackle the ongoing challenge
Oversharing is a problem that is not going away. Ongoing user education and setting the right policies will very likely reduce the number of oversharing incidents and also contain the risk. However, people will continue to post documents in places that they shouldn’t or put data at risk through lazy practices.
As your Microsoft-powered digital workplace evolves there will also be new oversharing challenges. Many organisations are considering Microsoft Copilot or even experimenting with it. The potential of AI to supercharge productivity has caught the imagination of many, but switching it on can expose documents that people just shouldn’t see. Fundamentally, this is just a new flavour of the same problem as when people previously switched on Delve or introduced Microsoft Search and found that a confidential report was suddenly being surfaced.
Ongoing monitoring to spot an incident before you get that panicked call from the CEO is critical. While Microsoft Purview can do some of the heavy lifting to alert you when you need to take the immediate appropriate action, it’s a complex product that has many places to look.
IT managers tell us they want that all-in-one dashboard that gives them the at-a-glance overview to monitor for incidents that not only helps their CIO sleep at night, but also some peace of mind for leadership teams to be able to green light turning on Copilot.
At Essential we’ve been supplementing Purview with AvePoint’s Policies & Insights for Microsoft 365. This has been enormously helpful in bringing many of Purview’s capabilities to a single dashboard that:
- Highlights risks, including specific “gotchas” that IT managers tend to miss
- Allows you to take action on these risks
- Provides suggestions and recommendations based on a risk assessment of your environment, supporting future-proofing.
Struggling to track and manage guest users?
This quick demo of AvePoint Insights shows how to instantly report on external access, spot risks, and take action.