Microsoft Copilot (Microsoft 365): Select some text, and instantly get helpful options from Copilot
🚨 The Signal: Copilot now offers in-line, contextual actions on selected text within documents. This increases the risk of inadvertent data exposure and oversharing, as users can quickly manipulate and generate content without full awareness of its sensitivity.
The Impact
All users are affected: the feature increases the risk of sensitive information being inadvertently processed or shared by Copilot.
- End users: Increased risk of accidental disclosure of sensitive data through Copilot's text manipulation.
- Security teams: New challenge in monitoring and preventing data exfiltration via Copilot's enhanced capabilities.
- Data owners: Potential for sensitive information to be processed or summarised by Copilot without explicit consent or classification.
- Compliance officers: Difficulty in demonstrating adherence to data handling policies with easier content generation.
The Action
- Review and reinforce Microsoft Purview Data Loss Prevention (DLP) policies to detect and prevent sensitive information from being processed by Copilot.
- Update user training and awareness programs to educate on responsible Copilot use, especially regarding sensitive data and contextual actions.
- Monitor Microsoft Purview Audit logs for Copilot activities, focusing on content generation and modification events.
- Evaluate Microsoft 365 sensitivity labels and auto-labeling policies to ensure sensitive content is appropriately classified before Copilot interaction.
- Consider implementing Copilot access controls or content filters if specific data types or user groups require restricted Copilot functionality.
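
One way to start the audit-log monitoring and label review recommended above, as an added example that is not Microsoft's or this page's own code: it scans exported audit records for Copilot interactions that touched resources with a watched sensitivity label or with no label at all. The record layout (an Operation value of CopilotInteraction, and CopilotEventData carrying AppHost and AccessedResources with SensitivityLabelId), the label GUIDs and the sample rows are assumptions; check the field names against an export from your own tenant.

```python
import json
from collections import Counter

# Hypothetical label GUIDs -> names; replace with your tenant's label IDs.
WATCHED_LABELS = {
    "11111111-1111-1111-1111-111111111111": "Confidential",
    "22222222-2222-2222-2222-222222222222": "Highly Confidential",
}

# Constructed AuditData records, one JSON object per line (not real tenant data).
# Field names are assumed from the CopilotInteraction audit schema.
SAMPLE_AUDIT_DATA = """\
{"CreationTime":"2025-01-15T09:12:44","Operation":"CopilotInteraction","UserId":"alice@contoso.example","CopilotEventData":{"AppHost":"Word","AccessedResources":[{"Name":"Q4-forecast.docx","SensitivityLabelId":"22222222-2222-2222-2222-222222222222"}]}}
{"CreationTime":"2025-01-15T09:20:03","Operation":"CopilotInteraction","UserId":"bob@contoso.example","CopilotEventData":{"AppHost":"Word","AccessedResources":[{"Name":"notes.docx"}]}}
{"CreationTime":"2025-01-15T09:31:10","Operation":"FileAccessed","UserId":"bob@contoso.example","ObjectId":"notes.docx"}
{"CreationTime":"2025-01-15T10:02:51","Operation":"CopilotInteraction","UserId":"alice@contoso.example","CopilotEventData":{"AppHost":"Teams","AccessedResources":[]}}
not-json-line
"""

def triage(lines, watched=WATCHED_LABELS):
    """Return (findings, per_user_counts) for Copilot interactions worth review."""
    findings, per_user = [], Counter()
    for line in lines.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export rows
        if not isinstance(rec, dict) or rec.get("Operation") != "CopilotInteraction":
            continue  # only Copilot interaction events are in scope
        event = rec.get("CopilotEventData") or {}
        for res in event.get("AccessedResources") or []:
            label_id = res.get("SensitivityLabelId")
            if label_id in watched:
                reason = "labeled:" + watched[label_id]
            elif not label_id:
                reason = "unlabeled"  # candidate for auto-labeling review
            else:
                continue  # labeled, but not on the watch list
            findings.append((rec.get("CreationTime"), rec.get("UserId"),
                             event.get("AppHost"), res.get("Name"), reason))
            per_user[rec.get("UserId")] += 1
    return findings, per_user

if __name__ == "__main__":
    found, counts = triage(SAMPLE_AUDIT_DATA)
    for row in found:
        print(*row, sep="  ")
    print(dict(counts))
```

The unlabeled findings feed the auto-labeling review; the watched-label findings are the ones to compare against DLP policy coverage.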
Domain: Agentic-AI · Impact: high · Workload: M365 Apps