Seek and you shall find: Risks highlighted by Copilot for M365

As organisations rush to adopt AI-powered tools like Microsoft’s Copilot for M365, many are overlooking important security implications, particularly in brownfield environments with extensive SharePoint estates. This presentation delves into the risks presented by Copilot's integration with SharePoint and offers practical strategies for mitigating these risks.

We'll begin by examining the core issue: Copilot accesses and processes data across your M365 environment, inheriting existing user permissions within SharePoint - a system notorious for its complex and often poorly maintained permission structures. In many organisations, users are granted excessive permissions due to the challenges of fine-tuning access controls in large, unstructured data environments. This has always been an issue, but the ability of Copilot to find, surface, and correlate information has made it more pressing to resolve.

Key focus areas of our discussion will include:

1. SharePoint permission complexity: Understanding the challenges of maintaining granular access controls in large, evolving SharePoint environments. Examples of issues and common incidents that have arisen in classic SharePoint environments.
2. AI-Assisted data retrieval capability: background on how Copilot uses Retrieval Augmented Generation (RAG) to deliver value in an enterprise context.
3. Exploring how Copilot's efficient data processing can lead to unintended data exposure, targeted information manipulation or data poisoning.
4. Data leakage risks: Analysing potential information leaks through Copilot's RAG and analysis/aggregation capabilities.
5. Mitigation strategies to reduce risks.
6. Strategies for adopting Copilot's benefits while maintaining data protection.

This presentation is targeted at people at organisations who have existing M365 environments and have adopted or plan to adopt Copilot for M365. We aim to highlight some insights into the often-overlooked aspects of Copilot adoption and leave attendees equipped with actionable strategies to secure their technology estates in the age of AI-assisted productivity tools.