Copilot for M365  – Before you begin – Key Considerations for a Secure and Successful M365 Copilot Journey – Technologist

As organisations embrace Microsoft 365 Copilot, balancing its potential productivity gains with robust cyber security measures is crucial.

Areas that need attention

Cyber Security

Keeping the threat actors out of your environment is crucial, as Copilot makes it easier to steal data and launch convincing attacks.

Expectation

Understand what Copilot can help you achieve and recognise that it can only ingest what it can see. If your data is not in M365, Copilot cannot construct responses that include that data.

Validate how helpful Copilot is in your daily tasks.

What time/efficiency savings are you hoping for, and does the solution deliver? Despite all the hype, it’s unlikely to save hours in the day or reduce the need for personnel. Remember that you are the “Pilot,” and Copilot is merely your assistant.

Data Security

Copilot, as part of MS data safeguards, respects the permissions of the person operating it. However, if the data it is searching for is overly permissive/accessible, this data could be surfaced in a response.

Consider making a folder in SharePoint or Teams accessible to everyone. It may be obscured by people’s eyeline, which may reduce the number of people who review the content in that folder.

However, Copilot will expose its contents to anyone who has permission to access the folder, including any sensitive or confidential information.

How well is your data secured to allow only access on a need-to-know basis, and do you know where your sensitive data is being held? Similarly, if such data is accidentally stored in an overly accessible area, Copilot may unwittingly expose it.

Guidelines for starting a Copilot journey

Ensure that access to 365 is as secured as is practically possible:

• Robust MFA methods enforced and mandatory company-wide deployment
• Intense monitoring and response capability against attacker behaviours on both Endpoint and M365 environments
• Educate end users on how to spot and react to techniques used by attackers

Limit the usage of Microsoft Copilot to senior personnel only

Deliver Copilot initially to senior/trusted personnel only, limiting the fallout for any overly exposed data, and have them establish whether it meets the business’s expectations.

• Try to establish some success criteria for your Proof of Concept (PoC) activity; what would a positive outcome include?
• Recognise where Copilot is not providing enhancement and determine if any system changes could improve (e.g. moving from File Server to Sharepoint Online (SPO).
• Try to establish some means of pricing the value delivered by such tool and calculate a Return on Investment (ROI).

Implementing a Cyber Security and AI policy

Implement a policy on the use of AI tools so that employees understand the rules and what’s expected/required.

• Set guidelines for how all staff can use AI tools in a business setting. Include training on the “dangers” of oversharing (especially with free/public tools) and the imperative to validate responses that are returned. Consider how people request access to company-approved AI tools.
• It should be expected that Copilot for M365 will not be made available to all staff. Your policy, guidelines, and training should reflect and respect the intended scope.