Protect your data and recover from insider data sabotage

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Insider risks are a top cause of data breaches. Nearly two-thirds (63%) of data breach incidents originate with insiders, while only 37% stem from external threats like stolen credentials[1]. Some of the risk from Insiders comes from well-meaning employees that make a mistake. Other activities may be malicious, like deliberate sabotage of sensitive and valuable data. Organizations may feel they need to implement stringent controls to protect their data from insider risks, but that approach can have a negative impact on employee productivity. How can organizations find a balance between appropriate oversight and the day to day demands of the business?


Today, we are announcing the public preview of Adaptive Protection integration with Adaptive Protection in Microsoft Purview helps you protect your organization’s data by integrating dynamic insider risk levels, as determined by data related activities, with various policy engines to automatically move users in and out of policies as their risk levels change over time.


Protect your data from sabotage with Adaptive Protection in Data Lifecycle Management

To explain further, let’s look at an example of how Adaptive Protection in DLM helps you to decrease the impact of an insider data sabotage event and recover more efficiently. In this example, a member of the sales team engages in activity that increases his insider risk level over time. For example, they may have downloaded unusual amounts of files that contain sensitive data or tried to email it to someone outside the organization. Now the person submits their resignation which raises them to the elevated insider risk level.


Figure 1: How Adaptive Protection in Data Lifecycle Management protects data during a sabotage event.Figure 1: How Adaptive Protection in Data Lifecycle Management protects data during a sabotage event.

When the account reaches an elevated risk level, a DLM policy dynamically activates to retain a copy of any files deleted by the user that are stored in SharePoint or OneDrive, or emails in Exchange for Microsoft 365. Now if the user tries to perform data sabotage by deleting the organization’s data, the investigations team has a log of what was deleted and where, so they can investigate the impact of the breach and restore data as needed.


In other cases, the user’s risk level may decrease over time to moderate, minor, or no risk. When this change happens, the user is automatically removed from the DLM policy, and the system will no longer keep a copy of content they delete. Any content copies previously retained when the user had an elevated risk level will be kept for the 120 days specified by the retention label.


Get started with Adaptive Protection in Data Lifecycle Management

Adaptive Protection in Data Lifecycle Management is now in public preview and will become available to commercial Microsoft 365 tenants throughout May 2024. You can follow the release of Adaptive Protection in Data Lifecycle Management using Microsoft 365 Roadmap ID 392839.


Figure 2: Enable the preview for in the Microsoft Purview Data Lifecycle Management setting page.Figure 2: Enable the preview for in the Microsoft Purview Data Lifecycle Management setting page.

If you are already using Adaptive Protection in your organization, enable the Data Lifecycle integration through Data Lifecycle Management settings. Please see the documentation for these steps.


If you have not tried Adaptive Protection yet, the Data Lifecycle Management integration will be automatically set up when you enable Adaptive Protection for the first time.


Learn about all the new Adaptive Protection innovations announced today at

[1] Rethinking Security from the Inside Out, Microsoft (2024)

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.