
Protecting what matters

Maciej Wasienczak


In today’s digital world, data is everywhere—and so are the risks. From accidental leaks to insider risks and cyberthreats, organizations face growing challenges when it comes to keeping sensitive information secure. Information protection is no longer a “nice to have”—it’s a necessity.

According to a 2023 study by IBM, the average cost of a data breach reached $4.45 million, the highest on record. And with remote work, cloud collaboration, and AI becoming the norm, the area for potential data exposure has only widened.

So how do we ensure that sensitive emails, documents, and conversations stay exactly where they’re meant to be? That’s where Microsoft Purview Information Protection—and specifically Sensitivity Labels—comes in.

What Are Sensitivity Labels

Sensitivity labels are one of the building blocks of Microsoft Purview’s Information Protection suite. They allow you to classify and protect data based on its sensitivity, whether it’s a confidential business strategy, internal financials, or personal employee information.

When applied, a sensitivity label can:

  • Encrypt files or emails, restricting who can access or forward them.
  • Mark content with headers, footers, or watermarks.
  • Control access based on users, groups, or conditions, even outside your organization.

Think of them as digital security labels that follow your data—no matter where it goes. Users can apply them manually, or organizations can automate them based on the content of the file. It’s smart, seamless, and scalable!

One Size Doesn’t Fit All

Not all sensitive data is created equal—and what’s confidential in one industry might be routine in another. That’s why it’s essential to build a label structure that fits your organization’s needs.

Clear, well-defined labels help users:

  • Apply the right protection with confidence.
  • Avoid over-labelling (which restricts collaboration) and under-labelling (which increases risk).
  • Align with real business needs and compliance goals.

Start simple, test with key users, and evolve as you go. The best label strategy is one that works with your people, not against them.

Things to consider

When defining your labels, it’s important to think beyond the name or colour (even though those play an important role as well) and focus on what each label does when applied. Sensitivity labels can include different types of protection, depending on how your organization wants to handle various data types.

Here are three common considerations:

  • Encryption: Labels can apply encryption to restrict who can open, forward, download or print content. This is useful in some scenarios, but it also introduces complexity, especially when collaborating externally, sending encrypted information to third-party applications outside Microsoft 365, or automating workflows.
  • Marking: Labels can add visual markings like headers, footers, or watermarks to clearly signal how content should be treated. Always keep in mind the impact that marking files and emails has: when used without consideration, marking can be disruptive to end users.
  • Manual or automatic labelling: With sensitivity labels you can choose whether the system applies a label you set as default to all content, or whether employees are responsible for labelling manually. From our experience, employees are happy when they have to change the label only when necessary!

These few points can quickly turn into discussions which can take up weeks if not months to agree upon. Often the bigger the company, the bigger the challenge. That’s why we like to approach Information Protection with a crawl-walk-run methodology. Start small and simple and expand when or if needed.

Simplicity often works best

After helping organizations of all sizes create their sensitivity label model, we’ve noticed that the most effective model is also the simplest. Here’s an uncomplicated label model we can recommend you start with:

Public (Silver)
Definition: For information that is or can be shared with the general public and poses no risk if exposed. No markings on this label.

Internal (Green) (Default)
Definition: Standard classification for information in a company. This information can be shared with external users if there is a legitimate business need.

Confidential (Red)
Definition: Information which contains sensitive content and requires extra care. This is the only label in the model that includes visual marking—a header—to signal the need for caution.

Why this works:

  • “Internal” is the default for both emails and files, which ensures that all content is automatically labelled by the system, reducing the burden on your employees. Additionally, it does not have any markings, to reduce disruption when working on documents and presentations.
  • Encryption is not used by default, as it often creates unnecessary friction and disrupts collaboration. Opinions on encryption vary; for example, Microsoft themselves recommend using encryption as a default setting. Based on our experience, encryption as default can work in Microsoft-only companies. But more often than not, the solution landscape is more complex, which poses many difficulties for encryption. We recommend using encryption on the most sensitive label (in this case, Confidential) only when strictly necessary.
  • Only Confidential content is marked, and only with a header, keeping things clean and unobtrusive for day-to-day work while still notifying employees that they are handling sensitive information.
  • The colours are easy for users to understand. Green is often associated with safety, and red is the universal colour of caution, alertness and high importance.

This model balances usability and protection. It’s simple, so users can adopt it quickly, and it’s non-disruptive.

Additionally, this model is very easy to scale if you need something more complex later. Remember, first crawl, then walk, so you can run at the end. It’s often best to start simple and expand later if needed.
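
The three-label model above, expressed as Security & Compliance PowerShell. This is an added example, not Infotechtion's or Microsoft's own script; the hex colours, header text, tooltips' wording and the policy name are assumed values.

```powershell
# Added example: create the Public / Internal / Confidential starter model.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Connect-IPPSSession

# Label definitions, least to most sensitive. Colours and header text are constructed values.
$labels = @(
    @{ Name = 'Public';       Colour = '#C0C0C0'; Header = $null
       Tooltip = 'Information that is or can be shared with the general public.' }
    @{ Name = 'Internal';     Colour = '#107C10'; Header = $null
       Tooltip = 'Standard classification. May be shared externally for a legitimate business need.' }
    @{ Name = 'Confidential'; Colour = '#A80000'; Header = 'Confidential'
       Tooltip = 'Contains sensitive content and requires extra care.' }
)

foreach ($l in $labels) {
    $params = @{
        Name             = $l.Name
        DisplayName      = $l.Name
        Tooltip          = $l.Tooltip
        ContentType      = 'File, Email'              # scope: documents and emails
        AdvancedSettings = @{ color = $l.Colour }     # label colour shown in Office apps
    }
    # Only Confidential carries a visual marking, and only a header.
    if ($l.Header) {
        $params.ApplyContentMarkingHeaderEnabled   = $true
        $params.ApplyContentMarkingHeaderText      = $l.Header
        $params.ApplyContentMarkingHeaderAlignment = 'Left'
        $params.ApplyContentMarkingHeaderFontSize  = 10
        $params.ApplyContentMarkingHeaderFontColor = $l.Colour
    }
    # No encryption parameters are set: the model does not encrypt by default.
    New-Label @params
}

# Publish all three labels in one policy (policy name is an assumed value).
# "Internal" is then chosen as the default label for documents and emails
# in this policy's settings in the Purview portal.
New-LabelPolicy -Name 'Starter label policy' `
    -Labels 'Public', 'Internal', 'Confidential' `
    -ExchangeLocation All

# Review the result before piloting with key users.
Get-Label | Select-Object DisplayName, Priority, ContentType
```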

Final Thoughts

Sensitivity labels are a powerful way to protect your data—but they work best when they’re simple, purposeful, and part of a bigger picture.

Think of them as a fundamental part of your Information Protection practices. In Microsoft Purview, they give us solid ground: by classifying our information, they tell us what is sensitive and what should be protected, so that we can build on it further with features like Data Loss Prevention to help prevent accidental sharing, or Insider Risk Management to protect ourselves from internal theft.

If you’re unsure where to start or want to tailor a label strategy that fits your organization’s unique needs, we’re here to help. Contact us at contact@infotechtion.com and together we can design a solution that protects your data and supports the way your teams work.

© 2025 Infotechtion. All rights reserved
