A guide to sensitivity labels and how to apply them
Posted on March 4, 2024 by Louise Howland
Understanding what data you can share has never been more important for organisations. With so much information flowing across departments and teams, data leaks are a very real threat without the right security measures in place. Sensitivity Labels in Microsoft 365 can provide an effective way of classifying data without reducing productivity.
Sensitivity labels allow you to organise and protect information and content within an organisation including confidential emails, documents, meeting invites, and more. In this blog, we’ll explain what sensitivity labels are, how they work, and how to apply them across an organisation so that your protected information doesn’t fall into the wrong hands.
What are sensitivity labels?
Communication and team collaboration are central to the success and smooth operation of any organisation, but with that comes challenges. When team collaboration occurs across multiple channels, apps, and devices, how do you control the data that isn’t suitable for distribution, either outside a key group, or outside your organisation. For instance, some work files will be considered ‘public’, so it’s okay for them to be viewed by anyone outside an organisation. However, other documents may be ‘highly confidential’ with restricted access around viewing, sharing, and copying. And some data might be fine for your staff to work on but would ring alarm bells if it was suddenly shared as an Outlook attachment.
According to the Information Commissioner’s Office, approximately 80% of data breaches are caused by human error. For example, an email containing confidential information could be sent to the wrong recipient, or attachments containing private data are accidentally forwarded in error.
Sensitivity labels, a powerful feature of Microsoft 365, allow you to classify all information in a way that shows how sensitive the data is and then assign rules which govern what an individual can do with that file. For example, a given label could prevent a file from being attached to an external email, or require Microsoft 365 password authentication to open, even if the file is copied to a location outside of the business, such as to a USB device. This greatly reduces the risk of accidentally or deliberately sharing confidential data with those who should not have access to it, including people from outside your organisation.
How do sensitivity labels work?
Sensitivity labels can be configured to organise, classify, protect, and encrypt data within the Microsoft 365 environment. This applies to emails, meeting invites, documents, and files so that unauthorised people are prevented from accessing this data.
You can apply sensitivity labels to:
- Encrypt and protect data so it can’t be accessed by unauthorised parties.
- Choose permissions for all so that others can access and edit files or apply labels themselves.
- Forbid access to files or data after a specific period of time.
- Block a file from being attached to an email or sent externally
- Protect a document to require a password, even if that file is copied for use outside of the business
- Mark emails, documents, and other content with headers, watermarks, and footers.
In Microsoft Teams, sensitivity labels are commonly used by organisations to set privacy levels to public or private. For example, a ‘Confidential’ label used for team creation will keep that team private, and users will need permission to enter it. Alternatively, a ‘General’ sensitivity label configured to a public setting would give everyone within an organisation access to that team or channel.
Sensitivity labels in Teams also enable you to control and limit guest access so that confidential information won’t be visible to anyone outside your organisation. The same method can be used within an organisation when a higher level of data security is required.
What are the key features of sensitivity labels?
Many companies classify their internal documentation as public, private, internal, or confidential. Sensitivity labels are a digital version of this and allow organisations to highlight how sensitive data is.
Applying sensitivity labels to emails, documents, and files is a quick and easy way to protect all your data. Some of the important features of sensitivity labels include:
Flexibility
You can create your own, customised levels of data sensitivity according to the specific needs of your organisation. For example, you could mark a private email or file as ‘Confidential’ or ‘Highly Confidential’ before sending to a colleague. Similarly, you may select ‘Personal’ or ‘Public’ or ‘Internal Use Only’ as your sensitivity setting if that is the level of data protection required.
Simplicity
Labels are kept in text format within the metadata of your emails, documents, and files. In other words, labels give you information about the data you are sending, but not the content of the data itself. Therefore, third-party apps are still able to read the content and even apply their own protective labels if required.
Longevity
Once a sensitivity label has been applied, it remains with that content and becomes part of the metadata for your emails, files, and documents. In other words, the protection setting you have chosen follows the document, regardless of where it’s been stored, and even when it’s picked up by third-party vendors.
How do you set up sensitivity labels?
Your global admin has full permissions and control of your sensitivity labels. They have access to the Microsoft Purview compliance portal and can grant other people access too, without giving them all of the permissions of a tenant admin.
If you aren’t a global admin, you’ll require permission to create and manage sensitive labels. If you are a global admin, you can create sensitive labels by following these steps:
1. Go to the Microsoft Purview compliance portal, select Solutions > Information protection > Labels.
2. Within Labels, click Create a label to start configuring your sensitivity label.
3. Go to the Define a scope for this label page to configure where the labels will be visible and when they’ll be published and viewed by users. For example, will it apply to emails and documents or SharePoint sites and Microsoft Teams? Selecting Items from the options allows you to configure settings for apps that support labels including Office Word and Outlook. These can be extended to include meetings from Teams and Outlook. If Items isn’t selected, you can’t configure settings and the labels won’t be available for users in these apps.
4. Follow configuration prompts in the settings for Labels.
5. Repeat these steps to create more sensitivity labels. To create sublabels, click on the parent label then select Actions followed by Create Sublabel.
6. When finished, you can move the order of the labels around. Select Actions then reorder using Move up or Move down.
7. To edit an existing sensitivity label, select the label, then choose Edit label.
Sensitivity labels – FAQs
As mentioned, sensitivity labels provide a simple solution to protect and classify information across an organisation. They live as plain text metadata within emails, document, files, and other company resources, allowing Microsoft apps to interpret and apply these rules.
Some common questions around sensitivity labels include:
Q: Can I manage sensitivity labels for Office apps so content is labelled as it’s created?
A: Yes, follow Microsoft’s Manage sensitivity labels in Office apps guidance.
Q. Can I encrypt emails and documents with sensitivity labels and restrict user access and configuration?
A: Yes, you can restrict access to content that includes a sensitivity label by following Microsoft’s encryption instructions.
Q: Can I automatically label SharePoint files with a default sensitivity label?
A: Yes, you can configure a default sensitivity label for document libraries by following this simple process.
Q. Can I label and protect files that are stored in the cloud?
A: Yes, by integrating with Microsoft Purview Information Protection you can automatically apply sensitivity labels and encryption protection.
Q. Can I monitor the use of sensitivity labels in my organisation?
A: Yes, you can evaluate and tag content to control where it goes, protect it, and ensure it is preserved and deleted in accordance with your needs.
Are you looking to leverage the security benefits of sensitivity labels?
ramsac will help you migrate your business functions to Microsoft 365 so that sensitivity functions become part of your daily operations. For more information, contact us today.