Microsoft Copilot is an AI productivity tool that significantly improves productivity by automating tasks and generating a variety of content. However it also raises security and data privacy concerns that must be addressed in your network before you widely roll out the product. 

In this post, we review the key concerns and then discuss the mitigation strategies for secure Copilot usage. 

How Copilot Works

Copilot is an AI assistant integrated within your Microsoft 365 apps, including Word, Excel, PowerPoint, Teams, Outlook, and more. Its purpose is to ease the burden of repetitive tasks, allowing users to focus on creativity and problem-solving.

What sets Copilot apart from tools like ChatGPT and other AI systems is its access to all of the data within your Microsoft 365 environment. Copilot can swiftly search and pull information from your documents, presentations, emails, calendars, notes, and contacts, and provide a comprehensive view of your work.

Data access controls need to be addressed before you roll it out

However, this capability raises significant concerns for information security teams. Copilot can access the same sensitive data that a user has access to, which often includes far more information than necessary. On average, 10% of a company’s Microsoft 365 data is openly accessible to all employees, creating a potential risk.

Microsoft states in its Copilot data security documentation: 

“It’s important that you’re using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization.” 

Source: Data, Privacy, and Security for Microsoft 365 Copilot

In addition to this, Copilot can also quickly generate new sensitive data that may need protection. Even before the AI explosion, humans were creating and sharing data at a pace that outstripped our ability to protect it, as evidenced by the rise in data breaches. Generative AI only accelerates this challenge, intensifying the need for advanced data protection strategies.

Key Security and Privacy Risks 

Accessing Unintended Data

Copilot can utilize any data available to it, including data a user retains access to but should no longer be able to access. For example if an employee is promoted or changes a department, often permissions are not updated.  Users might then unknowingly still have access to newly created data from previous roles. Copilot can then reference this outdated access in its responses to an unintended audience. 

Sensitive Data Exposure

Copilot may formulate responses based on sensitive data, such as confidential documents, plans for mergers, or other proprietary information. Even if a user has legitimate access to sensitive data, allowing Copilot to process it increases the risk of accidental data leaks, especially when users generate and share documents without properly reviewing them before sharing. 

Data Leaks Through Unintentional Sharing 

Users may accidentally share sensitive or confidential information by not carefully reviewing Copilot-generated content before distributing it. This risk is amplified if sensitive information from multiple documents is inadvertently included in a single Copilot-generated response. 

Mitigation Strategies

Thorough Access Control Review

Conduct comprehensive reviews of user access permissions to ensure only authorized individuals have access to specific data. 

Implement Least User Access (LUA) or Least privilege to ensure that users can only access the data required for their current roles. This helps minimize unnecessary data exposure and limits the risk of ransomware attacks. 

Apply sensitivity labels in Microsoft Purview 

Apply sensitivity labels to private or sensitive data using Microsoft Purview. Sensitivity labels ensure Copilot cannot access or reference encrypted documents in its responses, providing an extra layer of protection for sensitive content. 

Configure sensitivity labels to:

• Encrypt sensitive data. 
• Disable Copy and Extract Content (EXTRACT) permissions to prevent unauthorized users from copying or sharing sensitive information. 

User Training and Awareness

Educate users on Copilot’s capabilities and risks associated with accessing sensitive data through the tool. Train employees to review Copilot-generated documents carefully before sharing them, particularly when dealing with sensitive or confidential information. 

See also: Developing a Workplace Policy for Generative AI

Conclusions

While Microsoft Copilot offers valuable productivity enhancements, it also introduces potential risks to data security and privacy. By conducting access control reviews, applying sensitivity labels, and educating users, organizations can leverage MS Copilot safely while minimizing the risk of data breaches or leaks. 

IT Solutions That Make Your Work Easier

At Horn IT Solutions, we prioritize your success with rapid response times, extensive experience, and outstanding customer service, delivering technology solutions tailored to your needs. Whether augmenting your IT department, guiding your in-house team, or providing fully managed services, our experts are here to help you succeed. 

We ensure your office technology runs reliably, securely and efficiently with dedicated 24/7/365 monitoring, so your tech never lets you or your clients down. 

For more information on how we can help, contact us at Horn IT Solutions.