Deploying M365 Copilot? Security essentials to know

Otavio Goes, Expert Technology Implementation & Consulting, SoftwareOne Brazil

If you’re getting ready to roll out Microsoft 365 Copilot in your organisation, be sure to take a security-first approach.

Start by recognising that Copilot uses the existing security settings you have for Microsoft 365. So it’s a good idea to review those security policies, permissions and data settings to verify that they’re up to date and meet your organisation’s requirements.

Microsoft supports a zero trust approach that “treats each connection and resource request as though it originated from an uncontrolled network and a threat actor”. It provides a comprehensive set of tools to enable you to take this approach when you deploy Copilot, including Microsoft Defender, Microsoft Entra, Microsoft Intune and Microsoft Purview Information Protection.

Your organisation should use these tools to identify and defend against potential Copilot-related risks, to protect all of the applications and data involved in your use of Copilot, and to ensure that you use Copilot in a responsible and compliant way.

Copilot security considerations

Using Microsoft Purview and other tools, you can create a secure foundation for managing the potential risks associated with generative AI, including:

  • Data oversharing – This involves preventing Copilot users from accessing information they don’t need to do their jobs and don’t have permission for. You can use Purview to manage access with the help of sensitivity labels that group data into different categories such as general, public or confidential. You can also use SharePoint Advanced Management to ensure only the proper users have access to the data stored in SharePoint Online.
  • Data retention risks – You’ll want to make sure that your data retention policies match your compliance requirements, which might include the need to retain Copilot prompts and responses for certain periods of time.
  • Data sovereignty compliance – Copilot uses the Microsoft 365 security policies that are appropriate for the areas in which your users operate. For example, in the EU, it complies with GDPR and EU Data Boundary requirements.
  • Copyright issues – Microsoft 365 Copilot supports detection of information that’s subject to copyright protection or licensing restrictions, but users should always practice responsible AI and manually review Copilot outputs for protected content. Microsoft also offers protection through its Customer Copyright Commitment, but this requires users to implement the proper guardrails and mitigations.
  • Inaccurate information – Because it uses a large language model (LLM), Copilot can generate responses that are inaccurate. Your organisation’s users should understand the need to manually review results to verify that they are correct and compliant.
  • Prompt manipulation – This involves users who might manipulate prompts to extract information they shouldn’t have access to. Microsoft’s zero trust approach to security helps to defend against this risk.

How to manage Copilot security

Your first step to building a secure foundation for Copilot is to carefully review your Microsoft 365 policies, permissions and settings. Make sure that users have access to only the information they need to do their jobs. It’s also important to support your workforce with the guidance and education needed to use Copilot safely and securely.

Take a phased approach to Copilot deployment, starting with a limited number of users and low-risk content only. That will help you to identify potential security issues that need to be addressed before you roll out Copilot more widely.

Finally, always keep humans in the loop and make it policy to manually review Copilot outputs to prevent errors, oversharing and other security risks. And commit to continuous monitoring, training and optimisation to stay on top of changing risks and security practices.

What’s next?

With over 1300 Copilot services engagements and 823,000 users licensed with Microsoft 365 Copilot through SoftwareOne, we possess unmatched expertise in managing Copilot security. Partnering with us means benefiting from our extensive knowledge and up-to-date guidance, ensuring your organisation's successful adoption.

Learn more about Copilot security

We're ready to assist with your Copilot security questions and support your adoption journey. Contact us to learn more.
