How BDO Helped Automate the Protection of Sensitive Information

Top 3 Areas of Impact

Improved enforcement of data sensitivity policy due to automatic protection of sensitive PII and financial information.

Enhanced the ability to classify documents with sensitivity labels based on confidentiality and protection requirements.

Supported compliance with regulatory requirements related to the use of sensitive information, including GDPR & CCPA.

Summary

Discover how BDO helped an international home building products manufacturer enable data classification and automate the protection of sensitive information across their data estate by leveraging Data Loss Prevention (DLP) capabilities within Microsoft Purview and Defender for Cloud Apps.


Challenge

As a publicly traded company that operates internationally, this manufacturer is required to comply with industry regulations by implementing policies and security controls that protect personally identifiable information (PII), protected health information (PHI), and financial information.

Previously, the client mainly relied on written policies to protect specific sensitive information from getting into the wrong hands. Unfortunately, written policies rely on trust and fall short of the affirmative, real-time protection required for today’s markets.

The company needed automatic and real-time protection of sensitive information, which upgrading their Microsoft 365 licensing to E5 would provide. Existing written policies could inform new solutions that improve overall data security and support compliance with industry regulations.

Recommendations

We determined that the client had put appropriate written policies governing the use of sensitive information in place; however, without tooling to inspect and enforce these policies, business actions with sensitive data did not always live up to the standards the business set.

BDO recommended augmenting the client’s existing Microsoft toolset with Microsoft Purview — including sensitivity labels and data loss prevention policies — and Microsoft Defender for Cloud Apps policies. This helped users automatically classify PII and financial information and restricted the ability to share this information outside of the organization.

The client was also in a good position to implement our recommendations. Because the company already owned the Purview and Defender products under its existing Microsoft 365 E5 subscription, BDO could suggest improvements that fit within their existing toolset.

Results

Our team provided the DLP experience needed to assist the client through its initial foray into data loss prevention. We built the project roadmap after interviewing business representatives from the departments most impacted by DLP. We then worked with the client’s team to successfully execute the project plan by designing DLP controls that met our objective and participating in prolonged testing to ensure a seamless transition from auditing to enforcement.

Brad Ellison
Principal and Market Leader, CITS