How to stay in control of data you use in Microsoft 365 Copilot

This blog was co-written with Sjoerd Schudde.

More and more organizations want to discover the power of Microsoft 365 Copilot. However, one of the biggest challenges is maintaining control over the organization’s and users’ data during this discovery phase. In this blog article, we’ll explain how you can get started with Microsoft 365 Copilot in a responsible way. We’ll walk you through the step-by-step process, from controlling current access to information to strengthening your information security and management with Microsoft Purview.

Copilot for Microsoft 365 is the smart AI assistant that will help employees and organizations work smarter in the coming years. With Copilot, you can complete more tasks in less time. Think, for example, of conversation reports that are automatically summarized, so that the most important points and agreements are immediately clear. By taking over repetitive tasks, Copilot helps companies to be more productive: you can find the information you need faster without having to switch between different screens and applications.

What sets Microsoft 365 Copilot apart from other generative AI tools is that you’re always in control of your data. This means that you decide which data is indexed for use in Copilot. It also means that you have to arrange access to information properly, because if everyone in your organization has access to all information, all of it can also be used in Copilot. That’s why it’s good to think about how you stay in control of the data you use in Microsoft 365 Copilot.

In this article, we’ll tell you how to ensure that everyone can experiment safely with Microsoft 365 Copilot and how you, as an employee and organization, always keep control of your data.

1. Know where your data is

Before you start using Microsoft 365 Copilot, it’s wise to know where your data resides. It’s essential to check what files and information are stored in OneDrive, Teams, SharePoint Online, or Exchange, as these are the locations indexed by Copilot. By mapping this out properly, you ensure that Copilot can function optimally and generate the most relevant and accurate results. Take a moment to check where your data resides so you can get started with the powerful capabilities of Microsoft 365 Copilot without worry. Keep in mind that users may also have access to certain information that you may want to exclude from using Microsoft 365 Copilot. Sometimes it’s good to completely exclude certain environments or documents for all users.

2. Give end users insight into their data

Explain to your users how they can control access to documents for themselves and groups. To do this, you can use Access Reviews, a standard feature in Microsoft 365. This allows users to see exactly what their current data environment looks like and what permissions they have. For example, you can check in advance whether all permissions are correct in a pilot group. The advantage of this is that it is a user-friendly tool, which does not require IT to be involved.

How does Access Reviews work? All reviewers receive a request by e-mail and then enter an environment where they can review access within a SharePoint, Teams or OneDrive environment based on recommendations. The reviewer then indicates which users no longer need access to certain folders or files and the reason for this. After that, changes are made automatically or the findings are checked by a second reviewer.

3. Additional Enhancements for More Control

If you’re well underway with the pilot group, you can gradually use Microsoft Purview to tighten up the information security and information management around Copilot. Purview offers different functionalities depending on the license you have within Microsoft 365. This allows you to monitor interactions with Copilot and help meet risk and compliance requirements.

Information Security

When using Microsoft 365 Copilot, always start from the zero-trust principle. The principle consists of three guidelines:

  • Give users access only to the information they actually need to do their day-to-day work, and only when they need it.
  • Minimize impact and access to data, and use analytics to gain insights, detect threats, and defend against bad actors.
  • Make sure that users always must, or at least can, identify themselves in multiple ways, based on identity, location, device status, etc. Your data may be in order, but if a user’s login details are out in the open, your environment is still insecure.

In addition to these principles, you can also use Data Loss Prevention to minimize the risk of data loss. This solution helps you formulate policies within Microsoft 365 that govern the use of sensitive information. For example, predefined rules have already been laid down for medical, financial and privacy-sensitive data on the basis of applicable laws and regulations. In addition, you can add your own rules about other types of sensitive data, to proactively protect your data.

Information Management

In addition to security, Microsoft Purview also offers several ways to manage your information securely and efficiently within Microsoft 365. For example, sensitivity labels allow you to classify and protect your documents and emails at the file level. This means that the classification (and encryption) is in the file’s metadata. These labels ensure that new documents are automatically given the same security classification as the source file when used by Copilot for Microsoft 365. For example, if you ask Copilot to create a new document based on a labeled document, the new document will inherit the same sensitivity label. This helps to maintain consistent security and compliance.

Copilot activity is logged as events in Auditing, revealing how and when users interact with Copilot, which files they access, and which applications are used. Documents with sensitivity labels are also displayed in these logs, which helps track security and compliance incidents.
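As an added example (not part of the original post), the following script shows one way to review exported audit records for Copilot interactions that touched labeled files. It assumes the export carries each record as JSON in an `AuditData` column and uses the field names `Operation`, `CopilotEventData`, `AppHost`, `AccessedResources` and `SensitivityLabelId` as we understand them from Microsoft's audit schema for Copilot interactions; the label GUID, users and rows are constructed sample data.

```python
import json
from collections import defaultdict

# Hypothetical label GUID -> display name map; real GUIDs come from your own tenant.
WATCHED_LABELS = {"11111111-aaaa-4bbb-8ccc-000000000001": "Confidential"}

# Constructed sample rows shaped like an audit log export (record JSON in "AuditData").
SAMPLE_ROWS = [
    {"AuditData": json.dumps({
        "CreationTime": "2024-06-03T09:12:44", "Operation": "CopilotInteraction",
        "UserId": "alice@contoso.example",
        "CopilotEventData": {"AppHost": "Word", "AccessedResources": [
            {"Name": "Budget-2025.xlsx", "Type": "File",
             "SensitivityLabelId": "11111111-aaaa-4bbb-8ccc-000000000001"},
            {"Name": "Team-lunch.docx", "Type": "File", "SensitivityLabelId": ""}]}})},
    {"AuditData": json.dumps({
        "CreationTime": "2024-06-03T09:20:01", "Operation": "FileAccessed",
        "UserId": "bob@contoso.example"})},
    {"AuditData": json.dumps({
        "CreationTime": "2024-06-03T10:02:10", "Operation": "CopilotInteraction",
        "UserId": "bob@contoso.example",
        "CopilotEventData": {"AppHost": "Teams", "AccessedResources": []}})},
    {"AuditData": "{truncated"},  # malformed row, must be skipped rather than crash
]

def summarize_copilot_access(rows, watched=WATCHED_LABELS):
    """Return (hits per user on watched labels, unlabeled resource count, skipped rows)."""
    hits, unlabeled, skipped = defaultdict(list), 0, 0
    for row in rows:
        try:
            rec = json.loads(row["AuditData"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        if rec.get("Operation") != "CopilotInteraction":
            continue  # other workloads share the same export
        event = rec.get("CopilotEventData") or {}
        for res in event.get("AccessedResources") or []:
            label = res.get("SensitivityLabelId") or ""
            if not label:
                unlabeled += 1  # candidate for labeling before wider rollout
            elif label in watched:
                hits[rec.get("UserId", "unknown")].append(
                    (rec.get("CreationTime"), event.get("AppHost"),
                     res.get("Name"), watched[label]))
    return dict(hits), unlabeled, skipped

if __name__ == "__main__":
    hits, unlabeled, skipped = summarize_copilot_access(SAMPLE_ROWS)
    for user, events in hits.items():
        for when, app, name, label in events:
            print(f"{when} {user} via {app}: {name} [{label}]")
    print(f"unlabeled resources referenced: {unlabeled}; unparsable rows: {skipped}")
```

The unlabeled count is worth tracking alongside the hits: it shows how much of what Copilot touches in the pilot group has no classification yet.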

With Communication Compliance, you can analyze prompts and responses from Copilot to detect unwanted or risky interactions or the sharing of sensitive information. This allows you to see an overview of what’s been detected and quickly add your own policies and keywords to tailor the analysis to your specific needs. With Content Search, you can also search user prompts and answers. This provides an easy way to analyze data related to Copilot. For more comprehensive compliance, eDiscovery can be used, which can export or freeze data related to Copilot so that you can reproduce how information was created after the fact.

You can also apply a retention policy within Microsoft Purview to data generated by Copilot. This means that user prompts and replies are subject to the same retention rules as other company data. This helps comply with legal and regulatory requirements and ensures that information is retained or deleted for the required period of time.

Finally, there is the AI Hub: a tool that gives you quick insight into the use of AI within your organization. If your organization doesn’t get started with Copilot, there’s a good chance your employees will start using other generative AI solutions. With the AI Hub, you can see exactly which other solutions are being used in your organization and even mitigate the risks involved.

In conclusion

As you have read, Microsoft 365 offers many possibilities to properly organize your information security and management when using Copilot. This helps you stay in control of your data and meet all data protection and compliance requirements. Please note: information security and management are not one-time processes. Microsoft 365 Copilot is developing very quickly, and as time goes on, it’s likely to be used more and more intensively. So continuously ensure that you remain in control of your data.
