Microsoft 365 Copilot and IT security

We might as well start with our main point: that ethics and privacy need to be at the forefront when we talk about AI, especially for businesses.

Imagine this scenario:

Henning has just had a performance review with his line manager and afterwards he received the transcript of the meeting.

The company has recently adopted Microsoft Copilot and Henning types the following into the search bar:

"Give me a summary of the appraisal"

Results: Henning receives a summary of his and all other colleagues' appraisals.

Did this make you think too?

What about these?

"Show me information about employees and their social security numbers"

"What bonuses have been paid?"

"Are there any files with passwords in them?"

"Show me all files that have sensitive data"

As you may realize, there are several precautions to take before your company embarks on artificial intelligence. In today's AI race, it's easy to skip completely essential security aspects that the company must implement in advance.

Access management for increased IT security with Copilot

Copilot allows employees to search for all files across the company in Microsoft 365. All data processing is done in the Microsoft application, with the same security and access controls already in place. The problem is that users quickly get more access than necessary, while sensitive data is not classified as sensitive.

This is not a direct vulnerability of Copilot, but rather a result of "human error" which is even more difficult to control.

The solution?

Access management and better control over files.

Set up access controls for files containing sensitive data. Then only those who should have access can open the files. Take for example HR documents, such as contracts or employee interviews: these should not "just" be placed in a separate folder, or an area where only HR has access, but also classified with sensitivity labels such as "HR".

The classification follows the document itself to where it is moved. If Copilot is asked about something related to the document, it will only respond to those who have access at the level the file is classified to.

So, how do you classify sensitive data?

Microsoft Purview is Microsoft's toolkit for data management in Microsoft 365. Purview includes sensitivity labels that are used for classification. This can be done manually or trained to automatically recognize sensitive data.

At Upheads, we can help with both structuring your company's data and classification. No matter how you choose to secure your data, we have three main points we want you to take away:

1. Assume that too many accesses have been granted

Copilot allows employees to search for files across the company. Are your HR documents classified as sensitive data? Copilot is happy to share employee conversations if they are not classified correctly and you do not have control over access.

2. assume that sensitive data is in open areas

SharePoint is for sharing and by default the settings say that everyone can share with everyone, be it internally or externally. This can even be done from areas with sensitive data and without classification on the documents. Which can lead to data falling into the wrong hands. It might be a good idea that not everyone has access to the 2025 acquisition plan?

3. assume that some users in Teams belong to the wrong channel

We have already been using Teams for several years. Could it be that some employees are in groups they should not be? These often contain sensitive data.

Upheads as support

It is imperative that you have thought through these questions before your business starts using Microsoft 365 Copilot. Preferably without asking ChatGPT for the answer. Does it feel overwhelming to handle this yourself? Contact us and we'll help you along the way.