Data protection, governance & SharePoint

Know your data. Govern it. Make it safe for AI.

Most organisations cannot say what data they hold, where it lives, or who can reach it. We find it, structure it in SharePoint and Microsoft 365, put the right controls around it, and get it ready for Copilot, so AI is an advantage, not an exposure.

Why this matters

Years of SharePoint and Teams sprawl just became an AI problem.

Most Microsoft 365 tenants have grown organically: duplicated sites, inconsistent permissions, stale content and no clear data ownership. It was untidy but contained. Then Copilot arrived, and it can surface anything a user is allowed to reach. Suddenly the over-shared finance folder and the old HR site are one prompt away.

Fixing that is not a single product. It is knowing what you hold, structuring it properly, putting controls around it, and only then turning AI loose on it.

The exposure, in plain terms

Sprawl

Hundreds of sites and Teams, most with no owner and no lifecycle.

Over-sharing

"Anyone with the link" and broken inheritance expose far more than intended.

Copilot inherits it all

AI respects permissions, so weak permissions become an AI data-leak risk.

How we approach it

Five stages, from "what do we even have" to "AI-safe".

Each stage builds on the one before it. Select a stage to see what it involves and the technology we use.

SharePoint & Microsoft 365

Most data problems start in SharePoint. So does the fix.

We design and rebuild the information architecture underneath Microsoft 365: a structure people actually use, permissions that make sense, and clear data ownership. It is the unglamorous work that makes everything else, governance, compliance and Copilot, possible.

Before

Team Site (old) Finance copy 2 HR FINAL Anyone-with-link Project_old No owner Shared Docs Misc

Duplicated, unowned, inconsistently permissioned.

After

Hub: Corporate· owned · governed
Finance · restricted, labelled
People & Culture · HR group only
Hub: Projects· lifecycle applied
Per-project sites · Entra groups

Structured hubs, clear ownership, access by Entra ID group.

Information architecture & hub sites

A site and hub structure that mirrors how the organisation actually works, with navigation people can follow.

Folder taxonomy & metadata

A consistent taxonomy and metadata model so content is findable, governable and ready for classification.

Entra ID group architecture

Role, team and function-based groups that drive access, so permissions are managed by membership, not by hand.

Intranet, branding & navigation

A branded SharePoint intranet with home, hub and Viva Connections experiences your people will actually use.

Permissions remediation

Untangle broken inheritance, "anyone" links and over-sharing, and re-base access on clean group membership.

Teams, Viva & Copilot readiness

Integrate Teams and Viva navigation, then get the environment to a state where Copilot can be enabled safely.

A recent engagement

Rebuilding the data foundation for a national membership body.

A national professional association on Microsoft A5 licensing had years of SharePoint and Teams sprawl, with duplicated, inconsistently permissioned content, and wanted to enable Copilot safely. We ran a sprawl and access assessment, designed a unified SharePoint and Entra ID architecture with clear data ownership, then prepared the path for Microsoft Purview labelling and Copilot, with Cyera used to accelerate discovery and classification.

Discover

Teams & SharePoint sprawl and access assessment

Design

Unified SharePoint & Entra ID group architecture

Govern

Data ownership, taxonomy and lifecycle

AI-ready

Purview labelling and Copilot readiness

Classification & governance

Label what matters, then let the labels do the work.

With Microsoft Purview, and Cyera where independent discovery helps, we classify your data once and let that classification drive protection, retention and AI access automatically.

Sensitivity labels

Manual and automatic labelling so every document and email carries its protection with it.

Discovery & classification

Find and rank sensitive data across Microsoft 365 and beyond it, with Cyera DSPM where it adds reach.

Retention & lifecycle

Keep what you must, defensibly dispose of the rest, with retention and records policies in Purview.

Data ownership

Every site and dataset has a named owner accountable for access, so governance is a habit, not a project.

Data security posture management

Your data is everywhere. DSPM is how you see all of it.

DSPM answers five questions continuously, for data at rest and in motion: where data lives, what it is, who can reach it, how risky that is, and how to fix it. Sensitivity labels cover Microsoft 365; DSPM covers everything else. We deploy the platform that fits your estate.

DSPM finds and ranks the risk. DLP stops data leaving. See our DLP program
Stopping data leaving

Data loss prevention is a program of its own.

Once your data is classified, DLP keeps it from leaving where it should not. We deliver one coherent policy set across the planes your data actually moves through, Microsoft 365, web and SaaS, endpoint and email, using Purview, Netskope, CrowdStrike, Cyera and Mimecast where each fits best. It is detailed enough to deserve its own page.

Explore data loss prevention
Microsoft Purview
M365 & endpoint
Netskope
Web, SaaS & BYOD
CrowdStrike
Endpoint egress
Mimecast
Email & insider risk
Cyera
Discovery & classification across the estate
Making data safe for AI

Control what AI can reach, and what your people feed it.

AI readiness is the same data work, finished to a higher bar. Two problems to solve: stop Copilot surfacing data a user should not see, and stop sensitive data being pasted into public AI tools. Our partners cover both sides.

Inside Microsoft 365

Purview & Copilot

Sensitivity labels gate what Copilot can use, and DSPM for AI shows what it is reaching. Classification done right is what makes Copilot safe.

Across web & SaaS

Netskope AI guardrails

See and control shadow AI use, coach users in real time, and stop sensitive data leaving in a prompt to a public tool.

At the AI interaction layer

CrowdStrike AIDR

Detects prompt injection, jailbreaks and data leakage as AI runs, across endpoints, apps and agents, and blocks sensitive data before it reaches a model. Part of the Falcon platform.

Across the estate

Cyera discovery

Find and classify sensitive data before AI can, including everything outside Microsoft 365, so nothing is a surprise.

How we deliver

Design first, then build, then hand it over.

We design the architecture before we touch a setting, document everything, and hand over a system your team can run, no lock-in.

Start by knowing exactly what you hold.

A data and SharePoint health check shows you the sprawl, the over-sharing and the exposure, and the shortest path to a governed, AI-ready environment.

Data protection

Questions buyers ask about labels, DLP and DSPM.

From what gets classified to what gets blocked.

What is data loss prevention (DLP)?

Controls that stop sensitive data leaving the business by mistake or by design. DLP detects sensitive content (financial, health, personal information, intellectual property) and warns or blocks when it is shared inappropriately.

Do we need both Microsoft Purview and Netskope?

Often yes. Purview covers data inside Microsoft 365 (Exchange, SharePoint, OneDrive, Teams, endpoint files). Netskope covers data leaving via the web and SaaS apps the rest of the internet does. Together they close both halves.

What is DSPM and how is it different to DLP?

Data Security Posture Management discovers where sensitive data lives across your environment, who has access, and the risks attached. DLP is the runtime control; DSPM is the visibility and governance layer underneath. We use Cyera for DSPM.

Do sensitivity labels actually work?

When configured correctly. Auto-labelling, encryption and downstream DLP policies all hang off labels. Many organisations have labels turned on but not driving real protection, which we fix.

How do we start?

With a discovery: where sensitive data lives, what is already classified, what protection is in place. That informs a roadmap to close the highest-risk gaps first.

What about regulated industries (legal, health, finance)?

The same pattern applies, calibrated to your sector. We map to APRA CPS 234, the Privacy Act, sector-specific standards and overseas frameworks where you trade.