Protecting Your Organization in the Era of AI: A Practical Guide to Safeguarding Against Risks with Microsoft Copilot

In the dynamic world of technology, organizations constantly seek ways to innovate and stay ahead of the curve. The introduction of AI tools like Copilot has opened new doors for efficiency and productivity. However, with these advancements come new challenges, particularly in cybersecurity and data protection. In this blog, we’ll delve into how organizations can protect themselves while leveraging the power of Copilot.

Let’s start by addressing the key question: why is this important to me?

At a fundamental level, upon activation within an organization, Copilot initiates indexing of data from multiple sources, including user mailboxes, SharePoint repositories, and Teams chats. Its architecture adheres to established access controls and aligns with Microsoft 365 compliance policies, ensuring that the data returned to users upon request is appropriately regulated.

When a user queries Copilot about data in their own mailbox, such as requesting a summary of all emails from a specific individual over a certain period, Copilot will provide this information. However, if the request involves accessing another user’s mailbox, like asking for a summary of the CEO’s emails, Copilot will deny such a request due to access restrictions. The issue becomes more pronounced with file repositories or sensitive documents that a user might access inadvertently. For instance, as demonstrated in a recent YouTube video, when Copilot was asked to list documents and chats mentioning “Live Chat,” it revealed a document and a Teams Channel previously unknown to the user. Although these were not confidential, this instance highlights the potential risks involving sensitive data within an organization.

Consider, for example, the unintended consequences if Copilot were to provide salary information of other employees due to a user’s inadvertent access. The following scenarios illustrate further risks:

  • Unauthorized Access to Sensitive HR Documents: The possibility of someone gaining access to confidential HR information.
  • Exposure of Key Intellectual Property or Financial Data: Risks associated with unauthorized access to crucial business information.
  • Healthcare Data Breach: The potential for unauthorized access to medical records in a healthcare setting.

Additional security considerations include:

  • Insider Threats: Insiders with access to sensitive information might not disclose such access. Upon leaving the organization, they could misuse this information.
  • Data Exfiltration: Users could inadvertently share or store sensitive data in insecure or unauthorized locations, possibly copying or distributing these documents internally or externally.
  • Threat Actors: In the event of user account compromise, the speed at which a malicious actor could access sensitive information could significantly increase. They might utilize M365 Copilot chat for quick data retrieval or as a part of a social engineering strategy for deeper penetration into the organization. In these scenarios, Copilot could inadvertently become a potent tool for such individuals.

 

Securing an Organization with AI and Copilot: Developing a Data Governance Strategy

The advent of AI technologies like Copilot highlights the urgent need for all organizations to develop a robust data governance strategy. A critical starting point for businesses is to address key questions around data management:

  • Identification of Sensitive Data: What constitutes sensitive data within your organization?
  • Data Flow Analysis: Are you aware of how data traverses through your organization?
  • Data Localization: Where is sensitive data stored within your organization?
  • Access Management: How is access to sensitive data and documents controlled?
  • Internal Data Sharing Policies: What are your organization’s policies regarding data sharing within the Microsoft environment?

These questions form the bedrock of an AI readiness assessment. The cornerstone of protecting an organization in this AI-enhanced landscape lies in implementing robust Access Controls and Data Protection strategies. Drawing parallels to the CIS Controls framework, this corresponds to Control 3 (Data Protection) and Control 6 (Access Control Management).

I propose a hypothetical framework for organizations to conduct an audit and develop a data governance model tailored to their specific needs. This involves assessing current data management practices, identifying vulnerabilities, and implementing strategies that align with the unique demands and structures of the business.

  1. Establishing the Definition of Sensitive Data for Your Organization

The nature of sensitive or confidential data differs significantly across businesses. For example, the type of sensitive data handled by a healthcare organization is much more complex compared to that of a small business specializing in iPhone repairs. It’s crucial to identify the kind of data that encompasses both internal operational details and external customer or patient information. Key considerations should include:

  • Location of Sensitive Employee Information: Determine the storage locations of HR, payroll, and expense-related data.
  • Company Financial Records: Identify where your company’s financial documents are kept.
  • Personal Identifiable Information (PII): Assess whether your organization holds PII, such as credit card numbers, social security numbers, or banking routing details.
  • Data Security Concerns: Reflect on the types of data that could pose a risk if accessed by unauthorized parties.

This process should ideally be a collaborative effort involving key executive members of your company to ensure a comprehensive understanding and identification of sensitive data.

  1. Locating Sensitive Data within Microsoft 365 Ecosystem

Pinpointing the whereabouts of sensitive data in Microsoft 365 can be a complex task, varying based on your organization’s operational framework. SharePoint serves as the central hub for document repositories, integral to both SharePoint sites and Teams channels. This makes it a critical focus for auditing. If your organization’s Microsoft 365 subscription includes advanced features of Microsoft Purview, you can leverage its compliance solutions for automated scanning of documents. However, keep in mind that most business licenses, like M365 Business Premium, may not offer these advanced capabilities. Moreover, even with suitable licensing, the effectiveness in identifying sensitive information may vary based on your business’s unique definition of confidentiality.

For a practical approach, consider these steps:

  • Focus on Key Departments: Start with essential departments such as Human Resources, Finance, Legal, etc.
  • Identify Critical SharePoint Sites and Teams Channels: Determine which channels and sites these departments use and prioritize them for an audit.
  • Document Sensitive Content: Make a record of any sensitive files and folders discovered in these areas.

The rationale here is to balance Time and Impact. By concentrating on these areas, you can achieve significant, broad-based protection.

 

  1. Assess Current File-Sharing Protocols (Both Within and Outside the Organization)

Microsoft’s default settings typically enable users to share documents freely with colleagues or external parties. This approach is intended to streamline user experience but may not be ideal for preventing unauthorized distribution or accidental sharing of sensitive information. It’s crucial to scrutinize and adjust these configurations. Focus on the SharePoint admin center and the related sites identified in your previous audit to ensure a more secure and controlled sharing environment.

 

  1. Develop a Data Classification Framework

Leverage Microsoft Purview’s feature of information protection labels, available in licenses like Microsoft 365 Business Premium, to establish a data classification system within your organization. These labels enable you to categorize documents according to their level of sensitivity and apply corresponding controls, such as encryption, restricted external sharing, and limited visibility. Basic label categories could include Public, Private, and Confidential.

In relation to Copilot, these labels act as an additional layer of control. They can prevent Copilot from analyzing or providing information about a document based on its classification, even if a user has access to the data repository. For instance, if an employee who is not part of the finance team but has access to financial documents due to their membership in a related Teams channel, labeling these documents as “Confidential” would prevent Copilot from disclosing their contents to unauthorized personnel.

When implementing information protection labels, consider the following approaches:

  • Start Simple: Begin with a basic label like “Confidential” to safeguard critical data. Over time, as the organization becomes accustomed to this system, additional labels can be introduced. Ideally, limit the total number of labels to five to avoid confusion.
  • Gradual Implementation of Detailed Protections: Initially, getting users to consistently apply labels can be challenging. While you might consider making it mandatory for every document to be labeled, ensure there is adequate training and understanding to prevent disarray and ensure smooth adoption of these practices.
  1. Review and Update Access Control Mechanisms

A critical component of your security audit involves scrutinizing the existing access control systems, focusing on how they govern user and group permissions. Rather than assigning access rights on an individual basis, it’s advisable to manage permissions through group memberships. This approach necessitates a thorough examination of your organization’s change management procedures, encompassing user onboarding, offboarding, and role transitions.

For optimal rights management, especially within the Entra ID ecosystem, consider employing Dynamic Groups (a feature requiring Entra ID P1). This tool enables the automation of access controls based on specific user attributes, such as job title, department, or account status. Such automation not only facilitates the appropriate allocation of access to documents, Teams Channels, and SharePoint sites but also ensures timely revocation of access when necessary.

Therefore, a detailed evaluation of user memberships across various sites and Teams Channels is essential to identify any individuals who may have unnecessary or inappropriate access to certain data repositories.

 

  1. Implement Sensitivity Labels on Critical Data

After completing your preliminary audit and preparatory steps, it’s time to take decisive action. Begin by applying the sensitivity labels you’ve established to the most critical data identified during your audit. This step is crucial for maximizing the effectiveness of your AI and Copilot readiness.

 

  1. Revise Access Control Measures

Your audit may reveal several areas for improvement in access controls, which could include:

  • Removing individuals from repositories, Team Channels, and SharePoint sites where they are not needed.
  • Adjusting group memberships to align with current roles and responsibilities.
  • Establishing new Dynamic Groups for more efficient and automated access management.
  • Archiving inactive or unnecessary Teams channels and SharePoint sites.
  • Developing a new standard operating procedure (SOP) for managing changes in user access, including onboarding, offboarding, lateral moves, and access to Teams and SharePoint sites.

 

  1. Enforce Restrictions on Sharing and Repository Creation

It’s essential to refine your internal and external sharing policies, ensuring they offer granular control over data distribution. Additionally, unrestricted creation of Teams channels by all employees can lead to data management challenges and potential security risks. Implement measures to regulate the creation of new Teams channels to mitigate these risks and prevent unintended data exposure.

 

  1. Craft a Strategy for Data and Access Control Lifecycle Management

To build on the successes of the previously implemented measures, it’s essential to establish a continuous process and clear definitions within your organization’s data governance policy. Conducting a gap analysis to assess your current status and setting future objectives is also crucial. Consider these examples:

  • If currently using a single label, aim to introduce three distinct labels by year-end.
  • Transition from manual group membership reviews to automated access reviews with Entra ID.
  • Move towards mandatory document labeling after providing adequate user training, if it’s not already in place.
  • For businesses dealing with highly sensitive PII, consider implementing automatic labeling systems.

Remember, the goal is to continually set and achieve objectives that advance your data governance maturity.

Also, pay special attention to formulating retention policies as part of this lifecycle approach. Following the CIS Control safeguards, include a clear policy for data destruction. This helps in minimizing data privacy and security risks by avoiding the indefinite retention of data. A well-defined data retention policy not only ensures compliance but also significantly reduces the potential security and privacy risks associated with unnecessary data storage.

Conclusion

In conclusion, safeguarding an organization in the age of AI and tools like Copilot necessitates a comprehensive approach. This involves identifying sensitive data, auditing data within the Microsoft 365 ecosystem, revising file-sharing protocols, developing a data classification framework, updating access control mechanisms, implementing sensitivity labels, refining sharing policies, and establishing a strategy for data and access control lifecycle management. By meticulously addressing these aspects, organizations can effectively mitigate risks while capitalizing on the benefits of AI advancements, ensuring both data security and operational efficiency.