I work for one of the early adopters of Copilot for M365. Last year we went through the process of getting comfortable with the change in the findability construct caused by Copilot. Whilst Copilot respects permissions, organisational fears emerged that Copilot would make it easier for staff to discover cracks in our information security. There were leadership fears that Copilot would be used for nefarious acts or increase insider risk. As part of the process, I drafted a 10-step process for piloting and deploying Copilot from an information security perspective. I developed the process from the perspective of the leaders who I was interacting with. I used their concerns as the guide and I shared it publicly in October.As Microsoft have subsequently made it easier for organisations to deploy Copilot, I thought it would be useful to repost my process in the Tech Community so that others may gain value from it. Undoubtedly, Microsoft Copilot and generative AI will transform the way we work. However, it also poses some information security challenges and risks that need to be addressed and mitigated. With the Copilot now generally available, there will be many who will be gearing up to pilot the service ahead of an organisation wide investment and rollout. In this post I share my thoughts about piloting Copilot from an Information Security perspective. I hope it will be useful for others who are interested in the same topic. I look forward to hearing about your experiences of information security with Copilot. Aim To be comfortable with the current state of sharing Increase organisational maturity in permissions management and the governance of information Objectives Reduce risks of oversharing through the correct application of wide scope permission groups and links Conduct a review of current permissions strategy and policy, updating as necessary Audit the current state of sharing Instil the right behaviours through a culture of information security and readiness for generative AI Identify longer running activities which can run in parallel to a pilot thereby shortening the runway Identify and exclude superfluous content Improve governance and auditing Implement additional tooling to better manage sharing Add additional layers of protection, reporting and alerting Why Copilot will expose the cracks that already exist in your approach to permissions management through a change in the findability construct. Microsoft assume that organisations have already reached a high level of maturity e.g. through the application of labelling and classification which is not always the reality. Failing to communicate the importance of the active management of permissions and reporting of oversharing will undoubtably lead to information security incidents which places the organisation at risk. How As a prerequisite, performing a risk assessment that covers items such as: Privacy and data protection Responsible use of AI Intellectual property and copyright Client or commercial contractual considerations Data licensing when using including content from connected services will provide the foundations for the information security requirements to be delivered. Pre-pilot These steps do not incur additional costs apart from time as they take advantage of existing E5 licensing needed to use Copilot (though if you want to demonstrate Copilot in action then it will cost you a license…). They are a mixture of technical (IT led with the Business as the Stakeholder) and business activities (e.g. business led communications with IT’s help). They should shorten the runway to Copilot as not everyone will have set up DLP etc. and should defer the need for heavy lifting to once the pilot is underway. The key point to remember is that you are probably already in a good place but Copilot will expose the cracks that already exist and people need to get comfortable with the current state. There is no specific order in which the activities have to be performed and pick the options that matter to you. 10-steps to pilot 1 Review the use ‘out of the box’ wide scope permission groups e.g. Everyone Except External Users. Remediate as needed. Using the Search Query Tool can help with this. Technical 2 Consider hiding wide scope permission groups e.g. Everyone Except External Users to reduce risks around accidental misuse. Be mindful that the Microsoft may ‘helpfully’ add these groups in certain situations. Technical 3 Review the Sharing links reports for SharePoint sites for “Anyone”, “People in the organisation” . Raise awareness of the side effects of “People in the organisation” and remediate links as needed. Technical 4 Review the default settings for file and folder links in SharePoint and adjust as required. This will not fix links which already exist but it helps to reduce future oversharing. Technical 5 Raise awareness of features like ‘Who can see‘ this in Delve, Search etc. to help staff identify and take action on overshared items. Business 6 Get staff to perform a check of their personal content in OneDrive. Highlight the OneDrive sharing report to them. Business 7 Remind SharePoint Site Owners and Team Owners that they are responsible for their content and highlight to them / remind them about the sharing reports, the impact of inheritance, how to handle sensitive document types. Ensure that the Site Owners are the recipients of access requests. Business 8 Identify specific sites or libraries which would benefit from being excluded from search results and exclude as necessary. In doing so balance the impact this would have on site users. Technical 9 Get VIPs comfortable with both the shift in the findability construct and what Copilot will decline to show (but search would). It helps if you show them Copilot in action*. Business 10 Work with the Infosec team and perform some randomised search whack-a-mole tests to get a sense of what the remaining oversharing looks like and to simulate potential employee search patterns. Remediate as necessary. Technical You might not need to do everything in this list… * If you have access to Copilot, use prompts like “how does my pay compare to my peers?”, “show me documents that contain the word passport”, “summarise the amount of personal information available to me” This will simulate the VIP fear associated with the change in the findability construct. The goal of the above is to get comfortable with your current state, raise awareness of the risks of oversharing and perform fast fix remediations. Once completed, you should be able to identify and understand any gaps or risks in relation to Copilot’s capabilities and your estate. During the pilot The next set are the slow burning activities which will incur costs and may take a considerable amount of time to implement. The aim is for these activities to run in parallel to your Copilot pilot and some may extend beyond that point. Some of the activities are not specifically related to Copilot but they take advantage of actions to enable Copilot, serve to harden your M365 environment as well as improve the quality of responses and increase maturity of information management. 10-steps during the pilot 1 Coach staff about the shift in approach to findability, their responsibilities towards acceptable use and the continual need for good permissions management. Start with the pilot cohort in order to refine your approach and messaging. Business 2 Review the security and governance of systems which are connected to and discoverable from within your M365 environment e.g. aligning identities in services connected to Microsoft Search. Technical 3 Identify and archive content that offers little value in terms of knowledge management and discovery. Microsoft Syntex Archiving may assist with this. Business 4 Implement Microsoft Purview Information Protection using its classification controls, integrated content labelling and corresponding data loss prevention policies to provide just enough access. Establish policies for security and compliance. Technical 5 Establish continual auditing and report for SharePoint Sites and Teams at the container level and automate the maintenance of their security. Technical 6 Continue to routinely review links and groups used to grant permissions. Microsoft Syntex Advanced SharePoint Management may assist with the reviews of potential oversharing, implementation of Site Access Reviews and the restriction of links to specific groups. Technical 7 Establish Microsoft Purview Information Barriers around key segments e.g. HR or Finance and Teams. In doing so establish a default setting for all locations e.g. Owner moderated. Technical 8 Review external access controls together with who and which domains have access. Technical 9 Implement Conditional access for SharePoint and OneDrive Technical 10 Consider investment in a Role Based Access Control solution to enforce role and group based security in order strengthen governance around both end user and administrator access. Technical Whilst you are piloting, you can make a start on these items. Take away Whatever your approach will be, do some information security housekeeping first and get comfortable with the new findability construct. Copilot for Microsoft 365 will undoubtedly expose the cracks and you do not want to be sunk by a link, or prompt…

Excellent insights. Thanks for sharing.

Hello. What is the reasoning behind the term 'findability construct'? I do not find any references or info on this term.

Simon Denton

MVP

Feb 20, 2024

Getting ready for Microsoft Copilot from an Information Security perspective

I work for one of the early adopters of Copilot for M365. Last year we went through the process of getting comfortable with the change in the findability construct caused by Copilot. Whilst Copilot respects permissions, organisational fears emerged that Copilot would make it easier for staff to discover cracks in our information security. There were leadership fears that Copilot would be used for nefarious acts or increase insider risk.

As part of the process, I drafted a 10-step process for piloting and deploying Copilot from an information security perspective. I developed the process from the perspective of the leaders who I was interacting with. I used their concerns as the guide and I shared it publicly in October.
As Microsoft have subsequently made it easier for organisations to deploy Copilot, I thought it would be useful to repost my process in the Tech Community so that others may gain value from it.

Undoubtedly, Microsoft Copilot and generative AI will transform the way we work. However, it also poses some information security challenges and risks that need to be addressed and mitigated. With the Copilot now generally available, there will be many who will be gearing up to pilot the service ahead of an organisation wide investment and rollout.

In this post I share my thoughts about piloting Copilot from an Information Security perspective. I hope it will be useful for others who are interested in the same topic. I look forward to hearing about your experiences of information security with Copilot.

Aim

To be comfortable with the current state of sharing
Increase organisational maturity in permissions management and the governance of information

Objectives

Reduce risks of oversharing through the correct application of wide scope permission groups and links
Conduct a review of current permissions strategy and policy, updating as necessary
Audit the current state of sharing
Instil the right behaviours through a culture of information security and readiness for generative AI
Identify longer running activities which can run in parallel to a pilot thereby shortening the runway
Identify and exclude superfluous content
Improve governance and auditing
Implement additional tooling to better manage sharing
Add additional layers of protection, reporting and alerting

Why

Copilot will expose the cracks that already exist in your approach to permissions management through a change in the findability construct.
Microsoft assume that organisations have already reached a high level of maturity e.g. through the application of labelling and classification which is not always the reality.
Failing to communicate the importance of the active management of permissions and reporting of oversharing will undoubtably lead to information security incidents which places the organisation at risk.

How

As a prerequisite, performing a risk assessment that covers items such as:

Privacy and data protection
Responsible use of AI
Intellectual property and copyright
Client or commercial contractual considerations
Data licensing when using including content from connected services

will provide the foundations for the information security requirements to be delivered.

Pre-pilot

These steps do not incur additional costs apart from time as they take advantage of existing E5 licensing needed to use Copilot (though if you want to demonstrate Copilot in action then it will cost you a license…). They are a mixture of technical (IT led with the Business as the Stakeholder) and business activities (e.g. business led communications with IT’s help). They should shorten the runway to Copilot as not everyone will have set up DLP etc. and should defer the need for heavy lifting to once the pilot is underway. The key point to remember is that you are probably already in a good place but Copilot will expose the cracks that already exist and people need to get comfortable with the current state. There is no specific order in which the activities have to be performed and pick the options that matter to you.

10-steps to pilot

1	Review the use ‘out of the box’ wide scope permission groups e.g. Everyone Except External Users. Remediate as needed. Using the Search Query Tool can help with this.	Technical
2	Consider hiding wide scope permission groups e.g. Everyone Except External Users to reduce risks around accidental misuse. Be mindful that the Microsoft may ‘helpfully’ add these groups in certain situations.	Technical
3	Review the Sharing links reports for SharePoint sites for “Anyone”, “People in the organisation” . Raise awareness of the side effects of “People in the organisation” and remediate links as needed.	Technical
4	Review the default settings for file and folder links in SharePoint and adjust as required. This will not fix links which already exist but it helps to reduce future oversharing.	Technical
5	Raise awareness of features like ‘Who can see‘ this in Delve, Search etc. to help staff identify and take action on overshared items.	Business
6	Get staff to perform a check of their personal content in OneDrive. Highlight the OneDrive sharing report to them.	Business
7	Remind SharePoint Site Owners and Team Owners that they are responsible for their content and highlight to them / remind them about the sharing reports, the impact of inheritance, how to handle sensitive document types. Ensure that the Site Owners are the recipients of access requests.	Business
8	Identify specific sites or libraries which would benefit from being excluded from search results and exclude as necessary. In doing so balance the impact this would have on site users.	Technical
9	Get VIPs comfortable with both the shift in the findability construct and what Copilot will decline to show (but search would). It helps if you show them Copilot in action*.	Business
10	Work with the Infosec team and perform some randomised search whack-a-mole tests to get a sense of what the remaining oversharing looks like and to simulate potential employee search patterns. Remediate as necessary.	Technical

You might not need to do everything in this list…

* If you have access to Copilot, use prompts like “how does my pay compare to my peers?”, “show me documents that contain the word passport”, “summarise the amount of personal information available to me” This will simulate the VIP fear associated with the change in the findability construct.

The goal of the above is to get comfortable with your current state, raise awareness of the risks of oversharing and perform fast fix remediations. Once completed, you should be able to identify and understand any gaps or risks in relation to Copilot’s capabilities and your estate.

During the pilot

The next set are the slow burning activities which will incur costs and may take a considerable amount of time to implement. The aim is for these activities to run in parallel to your Copilot pilot and some may extend beyond that point. Some of the activities are not specifically related to Copilot but they take advantage of actions to enable Copilot, serve to harden your M365 environment as well as improve the quality of responses and increase maturity of information management.

10-steps during the pilot

1	Coach staff about the shift in approach to findability, their responsibilities towards acceptable use and the continual need for good permissions management. Start with the pilot cohort in order to refine your approach and messaging.	Business
2	Review the security and governance of systems which are connected to and discoverable from within your M365 environment e.g. aligning identities in services connected to Microsoft Search.	Technical
3	Identify and archive content that offers little value in terms of knowledge management and discovery. Microsoft Syntex Archiving may assist with this.	Business
4	Implement Microsoft Purview Information Protection using its classification controls, integrated content labelling and corresponding data loss prevention policies to provide just enough access. Establish policies for security and compliance.	Technical
5	Establish continual auditing and report for SharePoint Sites and Teams at the container level and automate the maintenance of their security.	Technical
6	Continue to routinely review links and groups used to grant permissions. Microsoft Syntex Advanced SharePoint Management may assist with the reviews of potential oversharing, implementation of Site Access Reviews and the restriction of links to specific groups.	Technical
7	Establish Microsoft Purview Information Barriers around key segments e.g. HR or Finance and Teams. In doing so establish a default setting for all locations e.g. Owner moderated.	Technical
8	Review external access controls together with who and which domains have access.	Technical
9	Implement Conditional access for SharePoint and OneDrive	Technical
10	Consider investment in a Role Based Access Control solution to enforce role and group based security in order strengthen governance around both end user and administrator access.	Technical

Whilst you are piloting, you can make a start on these items.

Take away

Whatever your approach will be, do some information security housekeeping first and get comfortable with the new findability construct.

Copilot for Microsoft 365 will undoubtedly expose the cracks and you do not want to be sunk by a link, or prompt…

adoption

copilot for microsoft 365

Forum Discussion

Getting ready for Microsoft Copilot from an Information Security perspective

Aim

Objectives

Why