
The BCN Podcast
Keeping you up to date with Microsoft, IT trends, and business technology. It's everything you need to know about leading business technology to stay in the loop.
Microsoft Purview Data Security
With AI tools now used by 75% of SMBs and 80% of individuals, safeguarding sensitive business data is more critical than ever. In this episode, experts Reece Gohil and Johan Venables explore how Microsoft Purview enables secure, responsible AI adoption across your organisation.
We cover:
- Real-world implementation tips, from licensing to security assessments
- How Purview addresses cloud sprawl and shadow IT without blocking productivity
- Options for SMBs via Microsoft 365 Business Premium and enterprise upgrades
- Microsoft Funding and workshops to map your data estate
Whether you're focused on compliance, governance, or AI readiness, this episode offers practical guidance to protect what matters most. Learn more at bcn.co.uk.
Hello and welcome to the BCN podcast. Today, we'll be discussing all things Microsoft Purview. This tool has actually been around for a while; however, it has come into the prominent spotlight off the back of the AI adoption that we're seeing. It's something that is very topical, relevant and a must for really any business looking to embark on their AI adoption journey. Today, I have the pleasure of welcoming Reece and Johan back for a deeper dive into the set of tools that Microsoft has made available. Gentlemen, thanks so much for joining us today. Let's give our audience a quick intro. Let's start with you, Reece.
Reece Gohil: Thanks for having me again, Pete. So, Reece Gohil, I'm our Microsoft Alliance Manager here at BCN Group, so I manage the relationship and partnership between BCN and Microsoft to make sure our customers are getting the most value out of their Microsoft Cloud journey.
Peter Filitz: Thanks so much for joining us. It's always a pleasure, Johan.
Johan Venables: Hi, Pete. Yes, so, Johan Venables, I am a cloud consultant focused on Microsoft 365, with a key focus on productivity, but also cover security, to help and support our customers with their digital transformation and understanding all the use cases within Microsoft 365.
Peter Filitz: Excellent. Thanks, gentlemen, for joining us. My name is Peter Filitz, I'm one of the data and AI sales specialists here at BCN and I'll be your host today. So we're talking about Microsoft Purview, which is a great follow-on to our earlier episode, where we were talking about shadow AI and some of the dangers and concerns that businesses are having at present in enabling staff to be more productive, but doing it in a responsible manner. As we had said, we had shared some stats. 75% of businesses in the small to medium space are using AI. The adoption in the enterprise space is not far off that either. We're seeing more than 80% of individuals across the board now using AI tools of sorts. So how do we protect our company information? How do we put those guardrails in place? What is Microsoft Purview and how can that help us? I think, Johan, you've had a play and been working with businesses on their adoption and utilization of Purview. Do you want to give us a high-level overview in terms of what it is?
Johan Venables: Yeah, sure. So Purview is a data governance and compliance solution which is integrated within Microsoft 365, which sort of gives you that seamless integration into your data. And with Purview you can do things like discover risks with your data within your applications. You know, AI use from that. Once you've discovered all the risks within Purview, you can then start building a plan to protect your data and apply policies to ensure their safe use with your data.
Peter Filitz: Now I guess, as with most businesses looking to embark on a new digital transformation, cost always comes into play. Reece, do you want to talk us through how clients can license and acquire Purview? How is it structured within the Microsoft licensing space?
Reece Gohil: Yeah, I guess there's a couple of different scenarios depending on the size of the organization. Microsoft sort of split what they refer to in licensing into two separate buckets: what they refer to as an SMB customer, which is any customer or any organization up to 300 seats, and through that you can license a lot of the Purview stack through the Microsoft 365 Business Premium subscription. So it is what Microsoft referred to as sort of their hero SKU for the SMB market. So it's more than just your productivity suite. So you, you know, your Office applications, Outlook, Teams and SharePoint, but also all the security and compliance that comes with that and that comes with a number of the Purview stack that I'm sure Johan's going to probably go through in a bit more detail shortly, but including things like, you know, data loss prevention, sensitivity labeling, as an example. And then on the other side you've got organizations that are above 300 seats and sort of sit within the enterprise space and traditionally I think organizations have felt like they needed to go to Microsoft 365 E5 to unlock all of these capabilities. And yes, granted, Purview does sit within the Microsoft 365 E5 suite. So the full Purview suite sits within there.
Reece Gohil: But actually there are more cost-effective ways. You know if a customer isn't embarking on or not ready for that full Microsoft 365 adoption. You know whether it's from a productivity perspective analytics. You know they don't have to go all the way to an E5 license to unlock the Purview stack. You've got other options and you've got what Microsoft referred to as E5 step-up SKU in Microsoft 365 E5 compliance, which is just under £10 a month and it's a bolt-on to E3. So instead of having to pay an extra £25 a month per user to get up to the E5, you can actually do a more cost-effective route if it is the compliance and data security that is the most of interest for a customer to adopt.
Peter Filitz: Yeah, and a lot of customers might say, well, do I really need it? What are the benefits? And, to that end, I know there are a number of Microsoft-funded security workshops that can help bring to life what Purview can bring to the business in terms of understanding what data they have and, more importantly, where is it. So maybe that's one for Johan. Do you want to talk us through some of these security assessments that we're working with clients on leveraging Purview and what we're seeing?
Johan Venables: Yeah, sure. So basically we call it a Purview workshop session where we just spend an hour's time with the customer and talk about the art of the possible. We highlight the risks, we highlight the challenges and why data security is such a big challenge tools that's been used in an organization and what you can do with Purview to protect sensitive content being used with AI tools and then at the end of the session, they should have a solid understanding what it is they can do as an organization to protect their data by using Purview. Following that, we agree with the customer what sort of modules we will include to do an assessment. So you get things like OneDrive, SharePoint, emails, Teams, the full Microsoft 365 stack and once we've agreed what modules they use, we would then basically work with the customer to implement policies to do an assessment.
Johan Venables: Now we need to have an E5 subscription to do a full, deep dive audit. There are some limitations with the Business Premium and E3, where you can only scan for a certain amount of data within your environment, but the full E5 stack gives you that granular audit where you can do a full assessment and identify where your sensitive content rests and where it travels, and we can see exactly what people are doing with that data, whether it's renaming a file or editing a sensitive content, or maybe copying large sets of data, uploading it, business applications or AI tools. We can identify all of that, so they call it the user behavior with data. Then, once we've completed the audit, which generally takes about two weeks for us to run the scans, we will then assess the data and provide our customer with a sort of a high level presentation on what we've discovered, the risks we've identified, and then, following that, we will then give them all the sort of exported reports so that they can do a deeper dive and assessment to review. You know where that sensitive content lies within Microsoft 365. And then, once we've completed that session, we will then agree with our customers what are the next steps and we'll give them some guidelines and a sort of data strategy on how they can implement these services.
Johan Venables: It's all about incremental changes.
Johan Venables: We are not a big fan to do the full-blown data security, you know, implementation, because that could really hinder productivity, because there are some policies that will need training and workshops for the end users for them to fully understand how to work with the data and what's going to happen and what sort of processes they need to go through to access sensitive content. And again, for those that's just utilizing Business Premium or E3, there's a bit of training that's required for end users how to manually tag and label sensitive content, as well as training on helping staff understand what is sensitive content when. Obviously, with E5, you're a little bit spoiled from that perspective because you don't need to rely on your staff to tag documents that contain sensitive info. You can just build your sensitivity labels. You can use Microsoft's out-of-the-box sensitive content types and you can auto-label so you can get it to go and scan and identify the sensitive content and then you can just auto-label that data. Because that's another risk, right? You're relying on your staff to identify what's sensitive content and to remember to tag that document.
Peter Filitz: That way, for me, I think you know the E5 is just a no-brainer because you can safely protect your data automated and then you don't need to rely on your staff to sort of secure that data for you. Yeah, and data and sensitive data could be anything, right? From personal information, financial information or just general information that could be used to compromise your business in a cybersecurity attack, and this is why it's so important these days that we take action to protect our businesses.
Peter Filitz: We're seeing these malicious actors now using AI tools as well to help infiltrate businesses, so there is an AI war, so to speak, going on between the good, the bad and the ugly, and making sure that information that's pertinent to your business, your staff, your clients and your suppliers is adequately protected and secured. So that is fundamental not only to your AI journey, but really the operational continuity in the modern world that we're in today. So am I right in saying, Reece, that Microsoft is now also making funding available to fund these security workshops that we've just sort of touched on now? So talk us a bit through the process and what is involved, with clients being able to apply for that.
Reece Gohil: Yeah, absolutely so. You're right in the fact that Microsoft are approving and giving these customers or organizations access to this funding pot. There's a few eligibility requirements to qualify for this. Typically it's for 300 plus user organizations. However, you can get in touch with us. We can obviously clarify if you are eligible. We have the ability to deliver these and I know Johan talked about, you know, you need the E5 license to get the full capability. It's okay if you're not on the E5 license today. As part of the workshop and the funding, if approved, you get access to E5 trial licensing so we can still run the engagement even if you aren't ready to embark on that journey. So you can still see that, understand the capabilities of Purview if you're still running an E3 license today as an example to see whether it is the right approach to upgrade to that E5 option.
Peter Filitz: Yeah, and I think that's important, right? It's giving businesses a better understanding in terms of what their data landscapes look like, how dangerous a situation they might be in with sensitive information being overly exposed and, as you say, they can try it before they buy it and see the value ultimately in what it brings to the table. So, obviously, data security in general has become phenomenally challenging in recent years with the adoption of multiple SaaS platforms, cloud solutions. Johan, do you want to elaborate a little more on what we're seeing in that space?
Johan Venables: Yeah, absolutely. I mean the thing. What we've seen is let's talk about storage as an example. You know, remember back in the day when we had on-prem infrastructure, what businesses used to do is they would follow an archive of their data every year because, you know, hardware is expensive, it's costly because you need to get an engineer to work out of hours to expand that storage and there's always problems that comes with it. So you know, businesses took archiving seriously and making sure they get rid of data. Strong security measures were in place, but the risks were really low, you know, back then. But now we've got online storage that's easily accessible from any device, anywhere and storage is cheap. So what businesses are doing today is that, instead of paying for archiving, going through with the archiving process, what they tend to do is just buy additional storage and then what's happening is the data just keeps on expanding and it gets out of control.
Johan Venables: That, we see, is a serious problem, and understanding your data is the most challenging part. You know, if you don't have the tools that can help you identify how old your data is and look at retention policies and stuff like that, and where is your sensitive content stored and who's got access to the sensitive information, right, and so, yeah, there's so many other different challenges we see with multiple apps being used where businesses have not undertaken, let's say, OneDrive, SharePoint. Staff are not trained to use these tools to share data securely, and what people tend to do is they find workarounds because there's always limitations on emails. You can only share a file with a certain amount of size, so you'll find that people use things like WeTransfer, Dropbox, maybe their personal Google Drive. We've seen people still collaborating on WhatsApp sharing documentation because since WhatsApp became available for the desktop app, we still see businesses struggling with staff sharing confidential data via WhatsApp group chats and if that person leaves the organization, you've got no control over their phone because it's their personal phone, it's their WhatsApp account, right, so they still have access to that data when they leave the organization.
Johan Venables: When I speak to customers, I always ask them and I can see the worries in their eyes when I ask them who's governing your HR platform or who's looking after finance or your sales platform, and generally it's the head of sales or head of HR that looks after it and they've got no security experience. All they're through with governance to make sure that people have got the right access to information, making sure people are properly off-boarded when they leave the business. So you know that is a major risk. Look, IT admins or security admins fully focus on infrastructure and Microsoft 365.
Johan Venables: And what we've seen is there's a big pushback from people from HR or finance or sales, because they want to own the platform, they want to control it, but they just lack that sort of security experience. Now what you can do with Purview is you can plug into these applications and you can put policies in place to sort of guide them to follow the right processes for governance on third-party applications and making sure people can't take data out of those platforms, take screenshots or do certain things to harm the data or steal the data from those applications. And when staff leave the accounts disable within 365, it will disable it throughout all the applications that that person's got access to, giving you that seamless off-boarding experience. But yeah, there's loads of challenges. You've got cloud applications, you've got messaging tools that people are using and we still have that challenge where people copy data onto USB drives.
Peter Filitz: Yeah, old habits die hard.
Johan Venables: Yeah, absolutely so. You know there's all these sort of risks you get with these platforms and cloud applications and this is again why I say don't just block stuff from certain tools, just control what they do with your data on those platforms. That is such a better approach because if you block them, they will find workarounds to get access to it.
Peter Filitz: Yeah, it's so true. If you control the data and you can limit what can be done with that data, then you don't really, in essence, need to care about the applications or the services that they, so to speak, are using. I mean, obviously, there are still considerations that must be made around shadow IT in general and safe use of IT, but if you control the data, it is the one thing. Then that gives you a handle on it, so to speak. Now, well, that's been super informative, gentlemen. Thank you once again for your time.
Peter Filitz: I think that brings us to the end of today's conversation. I think, key takeaways: if you are a business that has data in the cloud and you're using SaaS applications, then Purview is something you should be looking at, not only for AI adoption or for controlling AI, but to give you a better understanding and visibility of where your data resides, how is it being shared, how is it being secured. It's so important to make sure that you've got those governance, compliance and regulatory measures covered off. So if you'd like to know more, feel free to get in touch. Both Reece and the various teams here at BCN are on standby, ready to help. Please feel free to visit our website, www.bcn.co.uk. There you'll find a wealth of information, white papers, we're producing podcasts and even events that we're hosting. So thanks so much, gentlemen, for joining us today.
Reece Gohil: Thank you, Peter. Thanks so much for having me.