For similar reasons, it may also be valid to consider encrypting every file using a "Confidential/Employee-Only" sensitivity label. Theoretically, this would mitigate losses from malicious insider exfiltration as well as external breaches. And since co-authoring now works with encrypted files, there may not be a loss of fidelity from the encryption(?). The downside may be cases when encrypted files need to be shared externally (i.e., users need to manually move/copy files to a suitable site, then change labels before sharing them, a hassle and training issue). I suppose the compromise would be providing Confidential sites and instructing data owners that these are the desirable locations for sensitive data (however, this would require either a third-party tool or E5 licenses to get labels automatically applied to any uploaded/new files in the external-sharing-allowed sites). eDiscovery would also need that premium license, right? It would be interesting to hear the Purview IP team's perspective about encrypting all or most files in a tenant, to help mitigate data exfiltration.