Published June 2024

In the digital age, information governance is crucial for organisations to manage their data effectively. With the introduction of Copilot for Microsoft 365, the need for robust information governance becomes even more significant. While Copilot can enhance productivity and collaboration, it can also expose existing data protection risks associated with oversharing sensitive data.

What is oversharing?

In the context of Copilot for Microsoft 365, oversharing can happen inadvertently due to the ease of sharing documents and Copilot’s ability to access vast amounts of data. Oversharing may result in a range of issues like:

  • Accidental Data Exposure: Copilot’s learning algorithms may suggest content that is sensitive based on previous permissions granted or information shared by other users, potentially exposing confidential information.
  • Compliance Violations: Unintentional sharing of regulated data can lead to non-compliance with industry standards and legal frameworks.
  • Security Breaches: If Copilot’s suggestions are based on compromised data, it could lead to broader security implications within your business.

Planning a safe Copilot implementation

When planning to implement Copilot, it’s important to not only focus on the technological aspects but also on the strategic, operational, governance, and compliance-related dimensions. This includes clearly communicating and training employees on any changes to work practices. By doing so, you can ensure that your information is managed effectively, securely, and in alignment with your business objectives.

There are four key questions you need to consider:

  • What roles / employees would benefit from a Copilot license?
  • How can you ensure that Copilot only accesses the information it should have access to?
  • How can you ensure that end users only have access to information they are permitted to see? (If you need a deep dive into SharePoint site permissions, check out this blog: SharePoint site permissions explained.)
  • How can you ensure that the right governance and operating models are in place to effectively scale and mature the use of Copilot within your business? This includes having the right lifecycle management in place to reduce the chance of outdated or redundant information being surfaced to end users.

While it can feel like a daunting task, there are some effective ways in which you can reduce the risk of oversharing within your organisation. Here are our top 7 tips for good information management practices before launching Copilot within your business:

  • Define clear policies and guidelines: Provide clear guidelines on what constitutes sensitive information and how to handle it within Copilot. Make sure these guidelines are easily accessible and understood by all employees.
  • Implement access controls: Use Microsoft 365’s built-in access controls to restrict who can view and edit information. Assign permissions based on the principle of least privilege.
  • Regular training: Conduct regular training sessions for employees to understand the importance of information governance, the risks of oversharing, and the capabilities of Copilot within the context of their role.
  • Monitor and audit: Regularly monitor the use of Copilot for Microsoft 365 and conduct audits to ensure compliance with information governance policies.
  • Use Data Loss Prevention (DLP) tools: Implement auto-labelling and DLP features with Microsoft Purview to automatically detect and prevent potential data breaches.
  • Secure AI interactions: When interacting with Copilot, ensure that sensitive information is not inputted into the system unless necessary and is appropriately secured.
  • Update and review: As Copilot continues to evolve, so too should the governance frameworks that support it, ensuring that information remains an asset rather than a liability. Continuously update information governance policies to adapt to new risks and review them regularly to ensure they remain effective.

Assess your risk

To help with assessing your risk of oversharing, there are several preparation steps we recommend, including a comprehensive pilot program to assess risk and better understand which roles within your organisation would benefit from using Copilot for Microsoft 365. Check out our Copilot page for more information on the steps you should take on your journey, or read about how we recently helped the Victorian Department of Health and Department of Families, Fairness and Housing to assess their Copilot risk.

If you need support with assessing the oversharing risk within your business, our team of Information Management experts are here to help. Get in touch today to find out more.

Case study: Empowering Victorian Health and Housing Departments with Copilot for Microsoft 365

The Department of Health Victoria (DH) & The Department of Families, Fairness & Housing (DFFH) are large government organisations that help the community to stay healthy and safe and deliver world-class support that leads to better outcomes for all Victorians.

With the recent launch of Copilot for Microsoft 365, DH & DFFH wanted to explore how AI could help them improve their employees’ productivity, creativity, and skilling. In particular, the departments were excited to learn more about the ability to provide contextual and personalised assistance to users across various M365 applications, such as Teams, Outlook, Word, PowerPoint, Excel, and Loop.
