Someone hands in their notice. They have two weeks left. They still have full access to your client list, your contracts, your pricing documents and your financial records.
Would you know if they were quietly downloading files before they left?
For most businesses the honest answer is no. And by the time you find out, the damage is already done.
Data leaks from the inside are more common than you think
It does not have to be malicious. A member of staff emails themselves a document to finish at home. A contractor copies files they worked on. Someone leaving for a competitor takes the client list they built. Each of these happens regularly across businesses of every size, and none of them are caught by standard Microsoft 365 security settings.
The risk is real. Under GDPR, your business is responsible for what happens to personal data stored in Microsoft 365, including what leaves through an employee's personal email or USB drive. The ICO does not accept "we did not know" as a defence.
How Microsoft 365 can detect insider risk
Catching this isn't something that happens automatically, it relies on two things being in place. You need to be on Microsoft 365 Business Premium, and on top of that, a compliance add-on called the Microsoft Purview Suite for Business Premium. This add-on is what actually switches the detection on, Premium alone doesn't include it by default.
One of its core features is Microsoft Purview Insider Risk Management. It uses behavioural analytics to detect risky activities, like an employee downloading large volumes of files before leaving the company. Privacy is built in, so you can act early without breaking employee trust.
In practical terms, if a Microsoft 365 user starts downloading unusual volumes of files, forwarding emails to personal accounts, or accessing data outside their normal patterns, the system flags it. You can investigate quietly before anything escalates.
Premium's tools are only as good as who's watching them, pairing it with a monitored service like our SOC as a Service means someone is actually acting on the alerts it raises, not just collecting them.
Is insider risk detection switched on for your business?
These capabilities were previously limited to large enterprises but are now accessible to smaller organisations too, the problem is that most businesses set up Microsoft 365 once and never revisit it, so this stays switched off even when it's within reach. If you are already on Microsoft 365 Business Premium, the Purview Suite is available as an add-on and could be the difference between catching a data incident early and discovering it months later. If you've never specifically asked whether insider risk detection is active on your setup, the honest answer is probably that it isn't.
Not sure which Microsoft 365 plan your business is even on, or whether Premium makes sense for you? We've broken that down separately in our guide to Microsoft 365 business plans.
How Reflective IT Can Help
At Reflective IT we review Microsoft 365 licensing with our clients as part of our Managed IT Support ,including whether insider risk detection is actually active, not just whether you're paying for the plan that makes it possible. If you want to know what your current Microsoft 365 setup covers and where the gaps are, speak to our team.
📞 0207 317 4535 | 📧 support@reflectiveit.com


