Secure Your Data For Microsoft 365 Copilot
Microsoft Copilot is here, and it promises to make our lives more efficient by handling our mundane tasks. It does a lot of cool things, like generating eMail responses and images (like the one on this blog!). One of my favorite Copilot capabilities is that it can easily summarize and serve my corporate data, like eMail, databases and shared documents. This data is only served to you if you already have access to it, because Copilot will respect your security roles and Microsoft Purview policies.
This begs the question… what data can my employees access?
Can Copilot make it much easier for an employee to gain access to sensitive information that they may not be aware of?
It sure can.
Here are a couple of scenarios…
- IT shares out your mailbox to your manager, but accidentally shares it with another employee. The employee can ask Copilot to summarize all eMail for the week, and see your Inbox.
- Accounting accidentally saves an Excel document containing bonus information in the Human Resource SharePoint site. This file may go undetected if no one is digging through the SharePoint site, but Copilot can deliver that data to someone asking about bonuses.
How can you protect your data?
I really want to reemphasize that your data is fully protected within the Microsoft ecosystem, as long as you have bulletproof access control management and data protection policies. If you don’t, then consider adopting these six steps before turning on any of the Copilot features.
Define Sensitive Data
Some data is very easy to identify as sensitive, like personally identifiable information (PII). PII includes information that can be used to distinguish or trace an individual’s identity, and should be protected with native Microsoft solutions like Microsoft Purview Data Loss Prevention. But how do you define your own sensitive data, like financials, legal and human resources? How would you feel if that data got into someone else’s hands? How long do you retain it, and how do you destroy it? Think hard on these questions before defining your policies for data governance. Once you have your policies, you can set retention policies and implement the proper tools to manage it.
Discover Where Your Sensitive Data Lives
You should start by identifying your high priority targets like financials and customer data. You should also understand how data flows both inside and outside your organization, so you can then update your sharing policies based on the sensitivity. Did you know the default sharing policies allow your employees to share documents with anyone? Lock those policies down by default, then strategically open them up as needed.
Identify Data Taxonomy
You should have a common nomenclature on how you classify your data, like public, private & confidential. Public can be appropriate to share with the world, private can be for authenticated users within your company, and confidential can be limited to certain named users. You should also agree on how you want to apply information protection tags across all of your sensitive data, like encrypt and restrict. Consider implementing a tool like Microsoft Purview, which will help you discover, classify, and protect sensitive information wherever it lives or travels.
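The taxonomy above can be turned into a mechanical check. The following is an added example, not part of the original post or any Microsoft tool: it applies the public / private / confidential rules to a constructed permission inventory and reports the grants each label does not allow. The `Item` structure, paths and principal names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ANYONE = "anyone"  # anonymous sharing link (constructed marker)
ORG = "org"        # every authenticated user in the company (constructed marker)

@dataclass
class Item:
    path: str
    label: Optional[str]  # "public", "private", "confidential" or None
    grants: set           # ANYONE, ORG, "group:<name>" or "user:<name>"
    approved: set = field(default_factory=set)  # named users allowed on confidential items

def excess_grants(item):
    """Return the grants that exceed what the item's label allows."""
    if item.label == "public":
        return set()                      # fine to share with the world
    if item.label == "private":
        return item.grants & {ANYONE}     # authenticated company users only
    if item.label == "confidential":
        return item.grants - item.approved  # named users only
    # Unlabeled or unknown label: no grant can be justified, so report them all.
    return set(item.grants)

def audit(items):
    """Map path -> sorted excess grants, for items that have at least one."""
    return {i.path: sorted(ex) for i in items if (ex := excess_grants(i))}

# Constructed inventory modelled on the two scenarios described in this post.
INVENTORY = [
    Item("/sites/Marketing/brochure.pdf", "public", {ANYONE}),
    Item("/sites/Intranet/handbook.docx", "private", {ORG, ANYONE}),
    Item("/sites/HR/bonuses.xlsx", "confidential",
         {"group:hr-site-members", "user:controller"}, {"user:controller"}),
    Item("/mailboxes/you/Inbox", "confidential",
         {"user:manager", "user:coworker"}, {"user:manager"}),
    Item("/sites/Finance/scratch.xlsx", None, {ORG}),
]

if __name__ == "__main__":
    for path, extra in audit(INVENTORY).items():
        print(f"{path}: review or remove {', '.join(extra)}")
```

Every grant it reports is a path by which Copilot could surface the item to someone who was never meant to see it, since Copilot answers from whatever the asking user can already open.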
Review Access Controls
You should take a deep look at how you grant and revoke access. Is your data assigned to users or groups? Group membership is always preferred, and is easier to automate. Microsoft offers the concept of dynamic groups, which can automatically add / remove users based on key information like job title or department. You should actively look to remove users and archive dormant Teams / SharePoint sites. You should consider reorganizing your structure if it doesn’t scale or if your data is in the wrong taxonomy. Microsoft has some cool tools available with its Business Premium licensing, which can automate access control reviews. For example, you can automatically send users eMails checking to see if they still need access, and revoke it when appropriate.
Review Change Management Process
You should have consistent onboarding and offboarding processes. This will help you efficiently scale out, and keep your control management and policies in place. Make sure someone is accountable for the perfect execution of these processes.
Establish Your Management and Policy Life Cycle
Your access control management and data protection policies don’t stop here. You should perform a gap analysis between what you have implemented today vs what you want to implement in the future. For example, you may want to establish consistent labels today, so you can plan on enforcing this labeling on sensitive documents in the future.
What is Copilot?
Microsoft Copilot is an innovative platform that integrates seamlessly with your Microsoft 365 suite, enhancing the capabilities of familiar applications and introducing new ways to streamline your workflow. Our daily work routine will be transformed as Artificial Intelligence (AI) such as Copilot gives us new ways to boost productivity and interact with technology. AI in Microsoft 365 Copilot is not just about automation; it’s about augmenting human capabilities and creativity in the workplace.
Reach out to Beringer today!
We love to implement Microsoft Dynamics, Power Platform, Azure and Copilot solutions here at Beringer. We’re a certified Microsoft Solutions Partner, and we’re always finding innovative ways to implement the latest Microsoft tools to enhance your business.
Beringer Technology Group, a leading Microsoft Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.