The Security Blueprint for Microsoft 365 Copilot: Safeguard Your Data

Microsoft has positioned data protection as a key differentiator of Copilot for Microsoft 365, but organizations are still wary. This guide provides actionable ways to get prepared for an initial rollout.

‍

Copilot for Microsoft 365: An Overview

Copilot for Microsoft 365 promises a significant leap in AI-driven workplace productivity within the Microsoft 365 suite. With insights from GPT-4 and DALLE-3 models, Microsoft hopes to remove mundane tasks to boost employees’ productivity and creativity. At the heart of this is the ability to sift through an organization’s Microsoft 365 content. Microsoft claims that the most efficient Copilot users are saving ten hours a month.

Copilot is not cheap; it costs $30 per user per month, and these licenses can be reallocated every 90 days. What’s more, Microsoft has stated that there is a 12-month minimum commitment after the free trial month.

‍

Data Protection in Copilot

Intellectual property is the lifeblood of many organizations, so you will see a lot of reference to data protection and privacy:

‍

• Microsoft Copilot lauds its “commercial data protection” which means that “Copilot doesn’t save prompts or answers, nor use them to train the AI model”. 
• Microsoft states that “EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing.”
• Microsoft hopes that Purview’s labels will go a long way to identifying and protecting sensitive data. 

‍

All of this is pitched as a differentiator from other generative AI technologies and is designed to give security leaders a warm, fuzzy feeling.

Yet this isn’t enough and sensitive data risks persist. Gartner has even suggested that “IT leaders protecting sensitive GenAI operations should include third-party guardrails in Copilot implementations or consider alternative solutions”.

‍

“Using Copilot for Microsoft 365 exposes the risks of sensitive data and content exposure internally and externally, because it supports easy, natural-language access to unprotected content. Internal exposure of insufficiently protected, sensitive information is a serious and realistic threat. External web queries that go outside the Microsoft Service Boundary also present risks that can’t be monitored.”

Gartner, Go Beyond Baseline Microsoft 365 GenAI Controls to Secure Copilot

The challenges are exacerbated by permissions issues. According to Microsoft’s own 2023 State of Cloud Permissions Risks Report, Identities are using only 1% of their granted permissions.

These excessive permissions can lead to real incidents. For example, with too much access, an employee may be able to extract information about the salaries of senior executives. Furthermore,  if an attacker were to take over these accounts or there was a malicious insider, imagine the type of data they could get hold of. In fact, Gartner discovered that “among organizations who have faced an AI security or privacy incident, 60% reported data compromise by an internal party.”

‍

5 Copilot Security Best Practices

Deciding whether or not to deploy Microsoft Copilot is a risk-based decision for organizations and one that is often decided by legal and privacy teams. 

‍

The security team, however, can play a huge role in enabling this.  From extensive conversations and research, we have come up with practical advice across five areas to concentrate on that will leave the best chance of preparing for rolling out Copilot for 365.

‍

1. Policy Creation

Before embarking on the Copilot rollout, ensure you have the stakeholders involved, use cases defined, and AI usage policies in place. 

• Start Early. Don’t wait until you have an “AI initiative” to create a working group or policies. 
• Involve the Right Stakeholders. Are security, engineering, legal, compliance, product, IT, and identity involved to help create the policy? 
• Set Strategy for GenAI. Be explicit about what you want to achieve with Copilot, what’s included, and what’s not included. 
• Decide Scope. Based on the defined use cases, stakeholders, and desired outcomes, define the scope of the initial rollout. Consider starting small and proving it out over time.
• Craft a Specific, Well-Written Policy. Create a policy that is well-worded and written for humans. It should outline real use cases across different functions and give specific examples.
• Review Regularly. Do you have enough feedback from the business to inform the policy? Is the policy reviewed and refined at a set cadence?
• Benchmark. Create benchmarks that help to understand how you are performing against the defined AI policy.

2. User Training

Effective user training is one of the most important activities in managing GenAI adoption risks. Microsoft provides a basic adoption kit that includes a slide deck and a few emails. 

Successful rollout requires somewhat more–especially from a security perspective.

Before rollout, consider: 

• Focused and Use Case Specific. Training should focus on developing practical skills and behaviors, rather than a generic approach. To achieve this, ensure the guidance is specific to a business use case and appropriate department. Being specific about what they can and cannot do will go a long way.
• Train on Reviewing AI Output. Ensure employees know the importance of reviewing AI output for accuracy. Users should be encouraged to ask Copilot to cite sources.
• Vary Training Types. With such a massive investment, a one-off online training may not cut it. Consider a variety of training methods that engage the user and even in-person options.
• Have a Plan to Revisit Regularly. Training should not only be provided before the rollout. Review how employees are using copilot and tailor training appropriately. 

‍

3. Limit Permissions

This is famously an extremely hard thing to do. Focus on admins and privileged accounts. 

‍

• Perform Regular Access Reviews. You likely already have a set cadence for access reviews, but consider a one-off effort before rolling out. 
• Be Selective. Select trial users with limited permission sets to reduce the risk of accidental data leakage.
• Get Close to Identity Teams. Ensure identity teams are represented in your AI Working Group.
• Protect Privileged Accounts. These accounts will provide most access and should be the focus going forward. Consider mapping to ASD Essential 8's “Restricting Administrative Privileges” to understand your current maturity levels.

‍

4. Understand Your Data and Inputs/Outputs

Even with great policies, perfect training, and ongoing access reviews, there will be instances of sensitive data being extracted from Copilot (or attempts to do so). Therefore, you really need to understand where your sensitive data lives, 

‍

• Understand your Data. Better organization of data will help to restrict unauthorized access, but it will also help to improve the quality of the Copilot responses. 
•  Data Retention. Create and enforce a data retention policy that will remove outdated data that hinders the quality of Copilot responses.
• Labeling. Data labeling can be a painful exercise, but Microsoft is pushing this hard to reduce the risk of sensitive data leakage. Automated labeling is available to E5 licenses. 
• Consume Logs. Don’t blindly trust – get visibility into what is going on! The operation “CopilotInteraction” will tell you when “a user, or admin or system on behalf of a user, entered prompts in Copilot.” For the inputs and outputs, you can use the Content Search which will provide user prompts and responses “stored in custodian mailboxes”. 
• Ensure Output Quality. Copilot should cite its resources, but there have been issues. Users should consider taking an extra step and always ask Copilot to cite its work. 
• Sensitive Data Detection. Remember, sensitive data that is an output from Copilot may still be shared externally. Labels will struggle to catch these instances, especially if data is being copied and pasted. 
• Detect Risky Users. Use existing signals to identify risky users and reduce account takeover risks. Entra ID’s risky user detections will go some way to providing visibility.
• Third party Guardrails. Investigate innovative security vendors (like Harmonic!) that can detect sensitive data and mitigate the risk.

‍

5. Reading the Smallprint

As always, don’t forget to read the small print! In particular, two areas can cause a bit of pain if overlooked during rollout.

‍

• Copilot Feedback. Is end-user feedback opt-in enabled? Consider what you are sending back to Microsoft and what that means for data leaving your tenant. Prompts, responses, log files, and history may all be sent to Microsoft. Read more about collected data here: Providing feedback about Microsoft Copilot with Microsoft 365 apps 
• Bing Search Queries. Are Bing search queries enabled? Beware that this data will go outside of the boundary. Microsoft does state that this is “abstracted from the user's prompt and grounding data”.
• Transcription for Teams. To benefit from post-meeting summaries, admins will need to enable transcription in the Teams Admin Center rather than the Microsoft Admin Center. 
• Change Channel. Copilot cannot be enabled on a Semi-Annual Enterprise Channel, and requires that you set your channel to “Current” or “Monthly”. If you still need devices that require that slow-roll of releases offered on the Semi-Annual channel, you’re out of luck.

Summary

Copilot for Microsoft 365 offers plenty of exciting opportunities, but they’re not without risks. While this risk cannot be eliminated, there are various steps security teams can take to reduce the risk of sensitive data exposure.

Harmonic provides full visibility into the usage and adoption of GenAI tools, including Copilot. Furthermore, our unique ability to detect all types of sensitive data can give you the confidence you need to securely adopt Copulot for Microsoft 365.

‍