Back to Blog

The More You Give, The More You Lose

Image of Megan Strant
Megan Strant

When managing your platform, some applications may be a higher risk of leaking data outside your organization and you just don't know it. There have been some very public scenarios of organization leaking data, or having breaches and stolen data. It's like a modern horror movie with the fear of what could happen to a company, or an an individual, if our data ends up in the wrong hands.

When it comes to Microsoft 365, the responsibility of managing a tenant shouldn't be taken lightly. The governance, configuration, and management of an organization platform by an IT team or provider can be the choices that control or enable situations that lead to data falling into those wrong hands.

A key part of those choices is the Microsoft 365 licensing structure across your organization, and it's not as simple as it used to be. Crucial to this is the license structure outline as part of your Microsoft agreement, and the levels of licenses across all staff. This detail requires crucial questions to be addressed, such as:

  • What level of licensing do you provide staff?
  • Is there variation across groups?
  • What licensing is required for the services across the organisation for back-end security, governance, and compliance?

Organizations often must choose between Microsoft E3 and E5 licenses for staff, review the applications to enable, back-end services, and try to drive value and ROI for their spend. At times choices involve a balance for services and spend, with decisions like Microsoft E5 for corporate or knowledge workers, and lower levels of licensing for frontline staff or other roles that have reduced needs.

There can be confusion about what you really get across the license levels, with the move from Microsoft E3 to E5 at times being more about platform back-end features, particularly security, rather than a big change in applications available to end-users. Microsoft E5 can be a way to extend the organize to Microsoft Teams telephony and Power BI Pro (which is often required to consume a report that has been shared by someone else), along with more back-end security and compliance, information protection, identity protection and records management for the organization.

Beyond the licensing structure is then decisions on how to configure these services, and what apps to enable for staff. You not only need to ensure the security of the platform is tightly managed, with compliance at the core, you need to think about how people work, the apps they will use and any risks.

Providing E5 to employees doesn't mean you have to enable as many apps as possible for greater ROI. You may want to consider disabling some apps because of risks, however this shouldn't be taken lightly.

Let's briefly consider some of the applications that have a greater risk of leaking data.

Sway

This is such a great app and produces stylish, professional content. It isn't something that is used widespread in many organisations due to perceived complexity and adoption. I tend to find it is used more so in a few key roles such as marketing or support roles, and when people try Sway they often fall in love with what it produces and how easily is can be to use once you know how.

The risk with Sway is how easy it is to create a public link and share outside of the organization. While there are benefits to this (one great example I have created for a client is a Sway for onboarding information for a new employee prior to their account setup and start date) caution is crucial. Sway does not show up in any reporting, retention policies, DLP, etc. So there's no way of knowing what was shared.

Planner

While this feels controversial with the popularity of Planner, I do feel it comes with risk and needs to be reviewed as an application used so much across organizations. Due to the ease of use and smooth adoption, Planner is one of the apps I have seen with the strongest organic growth of use across clients. It's visual, people pick it up quickly and there are easy wins with moving to using Planner for many use cases. An issue I have always had with planner is it's lack of version history. You cannot roll back or compare to a baseline. I have been uneasy about the amount of changes that cannot be tracked. Dare I say, Lists has tighter control, and these days I always suggest it to clients as something worth considering.

Power BI

There is so much amazing work being created in Power BI. It really has transformed some of the great work people used to do in spreadsheets or manual ways of working. When it comes to securing organization data, it is possible for IT to disable the ability to export reports or visuals as pictures. Where there is risk, is the ability for a user to save to pdf and share or send content outside the organization. Power BI does have a lot more controls than other services in Microsoft 365, with features that can be controllable by a security group.
Organizations are trying to be more data driven these days and the use of Power BI is growing, especially those that are viewing content. Organizations have dashboards on their intranet, reports viewed by managers. And online communication sites with web parts with visual representation of data. A problem can be that once you pull Power BI into a section of a site, everyone you want to access that page or site and view the content needs Power BI to view that content. With this controls need to be in place so people cannot share content. Whether the configuration is set for everyone, or specific groups and how this all is setup and works.

Forms

Again, such a popular application. Many people love using Forms to collect data and so they should. It's so great to drive people out of the old way of collecting information by email. Forms is such a value-add app. However, the share to collaborate functionality easily enables an external person to access the data, and it can also be easily forgotten they have this access. This can be disabled at the tenant level, but cannot be controlled per user. It is also easy for an employee to export the data and email as an attachment.

Whiteboard

Another amazing tool that drives effective working and collaboration. Whiteboard is advancing every year with more features and templates. I don't see it as widely used as Forms or Planner, but it's gaining momentum.

A problem with Whiteboard is that employees can insert data, or an image, into a Whiteboard with then no DLP (Data Loss Prevention) scanning in Microsoft 365. You wouldn't know if there is sensitive information in the Whiteboard that staff can then access outside the organization or share with external stakeholders.

Microsoft Teams

Of all my years driving adoption across Microsoft 365, never have I seen such speed and growth as Microsoft Teams, especially through 2020. Organisation race to transform and enable features of hybrid work. With such amazing technology also obviously comes risk.
Firstly, challenges with having guests in Microsoft Teams. The main problem here is how easy it is for people to forget there are external guests and what they are storing, or communicating, within that space.

Then, shared channels is the new, less understood feature, and brings issues. It allows me to invite an external person into a channel inside of my team. The person doesn't have to be an official guest. The only indicator that you are not in your home tenant is an icon and brief text. Things creates a risk of knowing where they are (or where you are), what is going on in that tenant and they can upload files and post in that space with the organisation having no control of what staff are doing in those other tenants. There are similar issues with Yammer where staff join external networks and groups.

Phew!

And this is just a start. I am really just stepping into apps that can be disabled, but not going truly deep across the platform. I'll leave that to a technical expert. It's not too late to adjust some of your licensing if you have concerns or want to make adjustments, however you need to be aware that not all products provide reporting.

If you consider disabling apps like Sway, Planner or Forms, you cannot yet view reporting on use to check who is using these apps and will be impacted.

While this seems negative, it's not all doom and gloom. Yes, there are risks, and there is much to know and manage. But there always will be. People find a way. And if control is too tight or blocking productivity or process, they shift to 'shadow IT'. So, balance is crucial. Fear data leakage and disable all the above apps, and your organization loses so much value from the amazing apps and ways they can innovate.

In many cases, it is better to have apps available for employees but ensure things are setup to protect and control the organization data.
Keeping employees within the ecosystem can be a better situation over them shifting to 'shadow IT'. For example, remove Microsoft Forms and they'll use Survey Monkey. Carrying the risk, reducing the impact as much as possible can be a better solution than removing everything. You can find reassurance through strong monitoring, and drive awareness to help improve how employees work, the risks they take and to make everyone accountable.

As an organization, it can be worth making some decisions over apps to reduce risk, such as removing Planner, and put effort into guiding staff on using Lists, educating why it's important to choose 1 over the other.

Or, only enable an app for a group who have deep understanding of features and risks. For example. give Sway to the marketing team, but leave disabled for other staff. Know your people, what they need, and balance the risks, processes, goals, needs when making decisions.

Ensure you know your platform, setup your licensing, apps, services and all aspects to best suit the security of your data along with the needs of your business and people. And monitor this tightly to ensure it continues to be secure and enable your business goals.

 


 

Microsoft Office 365 License Management

Managing Office 365 licenses is no easy task, and forecasting for future needs can be exhausting. At ENow, we believe in ‘buy only what you need, and adopt all that you buy’, and our solutions can help you achieve just that.

ENow’s Office 365 License Management solution helps you easily and quickly obtain financial accountability and ongoing governance by providing key insights into your Office 365 environment:

  • Underutilized licenses
  • Overlapping licenses
  • Inactive licenses
  • Duplicate licenses

Efficiently and effectively optimize your Office 365 licenses to make informed licensing decisions with ENow Office 365 License Management reporting, including: customizable trend analysis, real-time licenses user lists, license addition history, and much more.

Access your free 14-day trial today! Be the IT hero and drive out any hidden costs.

Access Free 14-Day Trial


Microsoft 365 License Optimization

Microsoft 365: Are You Getting What You Pay For?

Image of Megan Strant
Megan Strant

From the 1st of March this year, there will be price increases across all levels of Microsoft 365...

Read more

Are Your Choices Already Costing You Money?

Image of Megan Strant
Megan Strant

The Microsoft 365 platform is a complex beast, and managing it sets many challenges for the IT team...

Read more