
Its intentions are good, but Microsoft 365 Copilot can hurt an organization as well as help it. Its deployment should be thought through carefully.
How well do you know your Copilot?
Its answers may surprise you
Sandra, a bakery owner, welcomed Microsoft 365 Copilot helping with admin tasks. It summarized customer feedback, helped draft emails and tracked sales trends.
At year’s end she scanned her 1099 tax form and uploaded it to her OneDrive “Finances” folder to share it with her accountant. She overlooked that the “Finances” folder had been used for budgeting and forecasting with staff members and held a spreadsheet of employee salary information.
When tax season neared, Sandra instructed Copilot, “find my 1099.” Copilot found her 1099, but to her surprise it also returned every employee’s salary from the shared folder. Sandra’s query uncovered a hole in her company’s data security: as things stood, sensitive employee information could have been shown to anyone internally with Copilot access. This could lead to misuse, resentment and workplace conflict.
Collaboration and Copilot
Microsoft 365 (M365), with its powerful features like SharePoint, OneDrive and Teams, has changed how we collaborate.
But these tools, especially if combined with the integration of Microsoft’s AI Copilot, introduce data vulnerability risks if not implemented thoughtfully.
COO Anna Darlagiannis-Livingstone said the direction technology has gone has made it really easy for people to just go ahead and set things up for themselves. But are they thinking about the big picture?
Following is a look at the scenarios Bryley is currently seeing and addressing regarding security and M365 Copilot.
M365 data vulnerability
SharePoint allows organizations to share data internally among employees within the same email domain. SharePoint also allows external sharing for use with clients and vendors (and that ability to share externally is not limited).
OneDrive also lets users share files and folders, though it is really meant to be a personal drive, the equivalent of Dropbox, Apple’s iCloud or Google Drive.
Teams – Microsoft’s Zoom-equivalent, but extended to be a feature-rich collaboration platform – also allows sharing of data. Anything you like can be shared via Teams.
A lot of times the architecture part of data access is only an afterthought, Anna said, instead of considering how to deploy these tools in a way that will not end up compromising your data. Bryley has had maybe seven cases in the past year where people are frustrated about how thoughtlessly employees can put data here and there. It can become a spaghetti mess.
As an example, after completing a project with a freelancer, team members may forget to remove the contractor’s access to a shared SharePoint folder containing client data. The contractor still has access long after their work is completed.
That data vulnerability + Copilot’s loose lips
Copilot, when integrated into M365, accesses and processes data within your M365 environment to answer queries. As COO Anna Livingstone explained, for your business’s purposes, think of there being two Copilots. One is the freely available Copilot that has basically been fed the web. That instance does not have access to the contents of your version of M365. But the version incorporated into M365, when queried, asks itself ‘what resources do I have to answer that?’ and it’s going to use the data its user is allowed to access on your organization’s slice of virtual servers at the M365 data centers. It will generate an answer out of that data.
Here’s a Copilot-enabled example: a vendor is invited to a Teams meeting. After the vendor leaves, your team continues discussing project details and shares confidential documents. But unless permissions are revoked, the vendor still has access to the meeting (and those documents). Copilot on the vendor’s M365, searching for answers to its user’s query, can now access this sensitive information, potentially exposing it to unauthorized people. Copilot’s ability to pull data from multiple sources (OneDrive, SharePoint, Teams) to answer a question like ‘what were last quarter’s sales figures?’ could reveal confidential data to someone who shouldn’t have access.
In this example, your organization doesn’t even need to have Copilot turned on to be vulnerable.
But this Teams meeting scenario shows how M365 Copilot surfaces sensitive information within the M365 environment — data you may have thought was hidden from view. While not intended, a vendor’s Copilot accessing sensitive information due to open permissions shows the ease with which data can be exposed.
Copilot isn’t making new vulnerabilities. It’s expanding their potential impact. A review of access controls and an understanding of the architecture that controls the data flow in your M365 instance have become critical.
Planning Copilot’s deployment
Mitigation strategies can help lessen the risk of confidential-data leaks. Here are two to-dos for today:
- Principle of Least Privilege: Give users access only to the data and resources they need to do their jobs. Avoid blanket permissions or broad access rights. SharePoint and OneDrive have granular permissions to control access.
- Security Awareness Training: Training is never finished, because tech keeps shifting (and people forget the importance of their actions). Security Awareness Training should include education about best practices for data security, sharing permissions and using collaboration tools like SharePoint, OneDrive and Teams. Year after year, Verizon’s breach reports show that about 70% of security incidents involve a human element.
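The access review the article calls for, as an added example that is not Bryley’s code: a Python pass over sharing grants shaped like the Microsoft Graph driveItem permission resource (the field names are an assumption about that shape; the tenant domain and the sample files are constructed). It flags the Sandra case (staff access inherited by a salary spreadsheet) and the forgotten-contractor case (an external grant with no expiry), the two exposures Copilot would happily read back.

```python
# Added example, not Bryley's code: least-privilege review of OneDrive/SharePoint
# sharing grants. Records are modeled on the Microsoft Graph driveItem "permission"
# resource (link.scope, grantedToIdentitiesV2, inheritedFrom, expirationDateTime);
# the tenant domain and all sample data are constructed, not real tenant data.
from dataclasses import dataclass

TENANT_DOMAIN = "sandrasbakery.example"  # constructed placeholder for your own domain

@dataclass(frozen=True)
class Finding:
    item: str
    reason: str
    detail: str

def is_external(email: str) -> bool:
    """Anyone whose address is outside the tenant's own domain."""
    return bool(email) and not email.lower().endswith("@" + TENANT_DOMAIN)

def review_item(path: str, permissions: list, sensitive: bool) -> list:
    """Flag grants on one file or folder that exceed least privilege. Copilot only
    surfaces what these grants already allow, so each finding is readable by it."""
    findings = []
    for perm in permissions:
        inherited = "inheritedFrom" in perm             # came down from a parent folder
        scope = (perm.get("link") or {}).get("scope")   # anonymous / organization / users
        if scope == "anonymous" or (scope == "organization" and sensitive):
            findings.append(Finding(path, f"{scope} sharing link", "direct"))
        for ident in perm.get("grantedToIdentitiesV2", []):
            email = (ident.get("user") or {}).get("email", "")
            if is_external(email):
                if not perm.get("expirationDateTime"):  # contractor access that never ends
                    findings.append(Finding(path, "external user without expiry", email))
            elif sensitive and inherited:               # the salary-spreadsheet case
                findings.append(Finding(path, "inherited access to sensitive item", email))
    return findings

# Constructed sample drive: path -> (permissions, is_sensitive)
STAFF = [{"user": {"email": f"{n}@{TENANT_DOMAIN}"}} for n in ("jamie", "lee")]
FOLDER_GRANT = {"id": "p1", "roles": ["write"], "grantedToIdentitiesV2": STAFF}
INHERITED = {**FOLDER_GRANT, "inheritedFrom": {"path": "Finances"}}
SAMPLE_DRIVE = {
    "Finances": ([FOLDER_GRANT], False),
    "Finances/1099.pdf": ([INHERITED, {"id": "p2", "roles": ["read"],
        "expirationDateTime": "2025-04-30T00:00:00Z",   # accountant's access ends
        "grantedToIdentitiesV2": [{"user": {"email": "cpa@accountants.example"}}]}], True),
    "Finances/salaries.xlsx": ([INHERITED], True),
    "Projects/ClientData": ([{"id": "p3", "roles": ["write"],
        "grantedToIdentitiesV2": [{"user": {"email": "freelancer@contractor.example"}}]}], True),
}

def review_drive(drive: dict = SAMPLE_DRIVE) -> list:
    return [f for path, (perms, sens) in drive.items() for f in review_item(path, perms, sens)]
```

In a live tenant the same logic runs over the permissions Graph returns for each drive item, and each finding is a grant to remove or put an expiry on before Copilot is switched on.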
Think about it
The main takeaway is to think things through.
No matter how small it may seem, Anna said, the consequences may be large if you don’t think it through.
Your IT provider should be consulted before you introduce new software. New tech, so easy to turn on, can end up costing you far more than the conveniences it gave.
If you’re not a Bryley client, find out if Bryley can help your business, too. Contact Roy Pacitto today to learn about how Bryley could help you mitigate the exposure created by M365 Copilot.
Lawrence writes about networking and security. He’s written for Bryley since 2015.
©2025 Bryley Systems Inc, 200 Union St, Clinton, MA • 978•562•6077 • itexperts@bryley.com