How to make sure your data is not at risk when using Microsoft Copilot

This article is part of our Opinions section.


The business community is understandably hyped about the launch of the long-awaited Microsoft Copilot and the boundless productivity gains it promises. Think of Copilot as the ultimate work buddy: ultra-intelligent and always there to offer help when you need it – although you’ll still need to make your own coffee!

Microsoft Copilot is a powerful AI-powered productivity tool that uses Large Language Models (LLMs) to help enhance creative and collaborative projects, whilst honing skills and focus. As the name implies, Copilot works alongside you in Microsoft 365 applications, including favourites such as Word, Excel, PowerPoint and Outlook. Microsoft’s new AI tool supports efficient project management by undertaking tasks such as drafting documents, summarising text and finding information on the user’s behalf.

It’s like having an encyclopaedia of coding knowledge that never gets tired of answering your ‘how do I do this?’ questions. It can perform tasks such as language translation and even ‘write’ creative content such as company updates or client-facing blogs.

However, the tool is not without its controversies. Amongst all the excitement around its capabilities, there are concerns regarding code plagiarism, licensing, and the security of AI-generated code.

There are also important considerations around data protection. Onboarding any new AI resource requires a business to take precautions in protecting data from unauthorised access, use, or disclosure. 

It is therefore critical that businesses keep in mind what data is being used. Copilot draws on Office 365 data, extracting from sources such as SharePoint, OneDrive and your email. With potentially sensitive, private or confidential data spread across your O365 suite, there is a costly risk that, even with the best intentions, AI could expose protected information.

So, how does your business ensure that its data remains secure while taking advantage of this innovative technology?

Understanding how sensitive your data is

To protect your data, you first need to identify what kind of data you have and how sensitive it is. To that end, Azure Information Protection (AIP) can be key to understanding your types of data. AIP is a cloud-based solution that helps you discover, classify, label and protect your data across different locations and devices.

By using AIP, a business can ensure that its data is properly labelled and protected, helping to comply with various regulations such as HIPAA (Health Insurance Portability and Accountability Act, 1996) and GDPR (General Data Protection Regulation).

As a key example, a business could use AIP to classify customer data as “confidential” and then apply a set of security controls to that data set, such as requiring users to enter a password before they can access it. These technical controls create a kind of security baseline: they control the flow of your O365 data, support confidentiality and privacy, and guard data that is subject to strict compliance requirements.

Manage the risks with a data governance policy

Data governance is a set of policies and processes that ensure the effective and efficient use of information in your organisation. It covers aspects such as data quality, data security, data privacy, and data lifecycle.

By implementing data governance in your organisation, you can manage the risks associated with data, such as breaches, leaks, errors, or misuse. It also helps you optimise the value of data by enabling better decision-making, innovation, and performance. For example, administrators can create a data governance policy that requires all employees to use Microsoft Copilot in a secure fashion. This policy could include requirements such as using strong passwords, not sharing Copilot-generated content with unauthorised users, and deleting Copilot-generated content when it is no longer needed.

Enforce Data Loss Prevention (DLP) Rules and Actions

Data loss prevention (DLP) is a technology that helps you prevent your data from being leaked, stolen or misused by unauthorised parties. DLP can help you detect and block sensitive data from leaving your organisation, alert users or administrators when a potential data breach occurs, and enforce remediation actions such as deleting, quarantining or encrypting the data. For example, you can create a DLP rule that prevents users from exporting confidential customer data from Microsoft Copilot. This rule would be triggered if a user tries to export a document that is classified as “confidential” to a USB drive or email.

Detect and respond to data threats by monitoring anomalies

Monitoring and auditing your data activities is crucial to data security. It helps you detect and respond to any anomalies or threats that may compromise your data, investigate and resolve any data breaches or incidents that occur, and identify and address any gaps or weaknesses in your data security posture. For example, you can enable logging and auditing for your Microsoft 365 environment to track all user activity in Copilot. This will allow you to see who is using Copilot, what they are doing with it, and when they are doing it.
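As an added illustration of the monitoring step (example code written for this article, not from the original piece or from Microsoft), the Python script below runs simple detection logic over a few constructed Copilot audit records: it reports who used Copilot and flags interactions that touched Confidential-labelled files or happened out of hours. The record fields, the label names and the business-hours window are assumptions, not the real unified audit log schema.

```python
import json
from collections import Counter
from datetime import datetime
# Constructed sample audit lines (assumed schema, loosely modelled on the
# Microsoft 365 unified audit log; not real tenant output).
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T09:12:00","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AppHost":"Word","AccessedResources":[{"Name":"Q1-plan.docx","SensitivityLabel":"General"}]}
{"CreationTime":"2024-03-04T23:41:00","UserId":"bob@contoso.example","Operation":"CopilotInteraction","AppHost":"Outlook","AccessedResources":[{"Name":"customer-list.xlsx","SensitivityLabel":"Confidential"}]}
{"CreationTime":"2024-03-04T10:05:00","UserId":"bob@contoso.example","Operation":"CopilotInteraction","AppHost":"Teams","AccessedResources":[]}
{"CreationTime":"2024-03-05T02:15:00","UserId":"carol@contoso.example","Operation":"CopilotInteraction","AppHost":"Word","AccessedResources":[{"Name":"payroll.xlsx","SensitivityLabel":"Confidential"},{"Name":"notes.docx","SensitivityLabel":"General"}]}
"""
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 is in-hours (assumed policy)
WATCH_LABELS = {"Confidential", "Highly Confidential"}   # AIP labels to watch

def parse_events(raw):
    """One JSON object per line -> list of dicts; malformed lines are skipped."""
    events = []
    for line in raw.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # log debris: skip rather than abort the whole run
    return events

def usage_by_user(events):
    """Who is using Copilot and how often."""
    return Counter(e.get("UserId") for e in events
                   if e.get("Operation") == "CopilotInteraction")

def find_anomalies(events):
    """(user, time, reason) for Copilot events an analyst should look at."""
    findings = []
    for e in events:
        if e.get("Operation") != "CopilotInteraction":
            continue
        user, when = e.get("UserId", "<unknown>"), e["CreationTime"]
        hit = [r["Name"] for r in e.get("AccessedResources", [])
               if r.get("SensitivityLabel") in WATCH_LABELS]
        if hit:
            findings.append((user, when, "labelled file(s) read via Copilot: " + ", ".join(hit)))
        if datetime.fromisoformat(when).hour not in BUSINESS_HOURS:
            findings.append((user, when, f"Copilot use out of hours in {e.get('AppHost')}"))
    return findings

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(dict(usage_by_user(evs)))
    for f in find_anomalies(evs):
        print(" | ".join(f))
```

In a real tenant the records would come from an audit log export rather than an inline string, and the thresholds would be tuned to the organisation's working pattern.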

By following these steps, you can ensure that your data is secure while using Microsoft Copilot. With a little planning and effort, you can harness the power of AI without compromising your data security. 

Bringing AI capabilities into your business

Microsoft Copilot is an exciting, powerful use of artificial intelligence that can meaningfully and beneficially improve an organisation’s ability to collaborate, create and manage its O365 workflows. Copilot is not just a content engine, it is a smart assistant that can help employees regain better focus and tackle time-sensitive, demanding workloads.

However, as with any AI tool or resource, it is important to take precautions to protect business data, so that your business is not exposed and sensitive data cannot be misused. There is also a critical need to safeguard proprietary data and ensure compliance with GDPR and HIPAA to prevent any inadvertent exposure.

Balancing the immense benefits of Copilot with a vigilant commitment to data security will be pivotal in harnessing its transformative potential whilst preserving the integrity and confidentiality of sensitive information.



Mike Bellido

Mike is a technology professional with more than 20 years of experience in the IT sector. He currently works as a Lead Cloud Architect at CSI, an award-winning IT Managed Services Provider.