Are You Ready to Implement Microsoft Copilot Safely?
Author: Beth Laws
Release Date: 14/02/2024
Copilot is Microsoft's new AI tool, designed to accelerate productivity in the Microsoft 365 suite. Although it can be a beneficial tool for businesses, there are issues to consider before leveraging it. Copilot uses the data each user can access to create new content, which could pose security concerns if data loss prevention measures are not implemented correctly beforehand. Varonis can help businesses prepare for the deployment of Copilot.
What is Copilot?
Copilot is an AI tool available for Microsoft 365 customers to transform productivity and improve workflow efficiency. It works with 365 tools, such as Word, Excel and Outlook, and uses Large Language Models (LLMs) with an organisation’s data. It can assist with tasks like creating content, prioritising emails and even taking meeting minutes.
Considerations before deploying Copilot
It’s important to consider whether any sensitive or business-critical data is exposed unnecessarily. Copilot uses a user's current permissions to determine what data that person can draw on. This means that if an organisation has a large amount of sensitive data exposed organisation-wide to employees who shouldn’t be able to see it, this could cause issues. For example, if an employee were to ask Copilot to compile some information about a particular commercially sensitive project, sensitive data could be mistakenly added to new documents, and consequently the information could end up in the wrong hands.
Are data classification labels applied correctly and reliably? This is another consideration, as many organisations rely on classification labels to enforce their data loss prevention (DLP) policies. New content that is generated by Copilot does not inherit the Microsoft Purview Information Protection (MPIP) labels of the files it’s sourced from. A business that relies on employees to add these labels carries risk, as employees may make mistakes when manually adding data classification labels, or may not label a document at all.
How can Varonis help?
Copilot can really succeed once DLP implementations are correct, and Varonis can help get organisations ready by offering automated data security.
Varonis can integrate with Microsoft Purview Information Protection to add or correct data classification labels. Varonis can discover where sensitive data lives and use its classification engine to identify the type of sensitive data. From these results, Varonis can add the appropriate Microsoft label or correct the label on any data that has been labelled incorrectly.
Varonis’ autonomous remediation features can help businesses to implement least privilege permission models. Policies can be set up to automatically remove collaboration links that could be unnecessarily exposing data. As an example, an organisation may wish to set up a policy to automatically remove collaboration links that allow external users to access any type of sensitive data.
Varonis can also monitor activity across the 365 suite. It’s important to consider that Microsoft Copilot could be used as part of an attack, so monitoring activity is an essential component of countering insider threats. The Alerts dashboards help with alert investigation and triage.