Microsoft 365 Copilot: Minimize Risk & Empower Innovation

Microsoft 365 Copilot is an AI-powered assistant that is built into the Microsoft 365 suite of applications including Word, Excel, PowerPoint, Outlook, and Teams to provide personalized, intelligent assistance and streamline workflows.

Copilot can understand and respond to questions and commands that are typed plainly into a chat window, enabling users to speak naturally to Copilot and work more efficiently.  Unlike other AI assistant tools (ChatGPT, Gemini, etc.), Copilot has access to everything you've ever worked on in Office 365, so it can quickly compile information from across multiple documents, Teams chats, presentations, and emails. 


A few Microsoft 365 Copilot use cases: 

  1. Copilot solves the "blank canvas" problem.  Writer's Block is a thing of the past – simply tell Copilot as much detail about your project as possible and ask it to draft a sample document.  Proofread the output and tweak it to your liking, or tell Copilot which portion of the output you aren't happy with and ask it to provide another option.  With a little back and forth with Copilot, you can quickly have a document you are excited to share with everyone.  Learn more about Copilot in Microsoft Word. 

  2. Within Teams, Copilot can provide intelligent meeting recaps, creating notes that summarize the key points of the meeting, the overall action items, and your own follow-up tasks.  Learn more about Copilot in Microsoft Teams. 

  3. Copilot can also rapidly build a PowerPoint presentation, suggesting slide layouts, inserting slide graphics, and generating speaker notes for you automatically.  Learn more about Copilot in Microsoft PowerPoint. 

  4. In Excel, Copilot can analyze data, provide insights, generate visualizations, and help with formula generation.  Learn more about Copilot in Excel. 

  5. Copilot in Outlook can help you triage your inbox, prioritize emails, summarize threads, and generate replies for you.  Learn more about Copilot in Outlook. 



How Microsoft 365 Copilot works: 

[Graphic: Microsoft Copilot map. Source: Microsoft]


A licensed user will have a Copilot button in the ribbon menu at the top of all their Office applications.  To get started with Copilot they'll press the Copilot button and ask it to perform a task or answer a question.  This request is referred to as a "prompt."  Example prompts include: 

  • Summarize this document in 3 key points. 
  • Add a column to compare FY24 sales with FY23 sales. 
  • What are the goals and topics of the meeting? Format each section with a bolded heading, a bulleted list, and bolded names. 


Microsoft 365 Copilot will then gather data based on the user's Microsoft 365 permissions and submit the data and the prompt to Copilot to generate a response.  Copilot will then perform responsible AI checks to ensure security, compliance, and privacy policies are not violated before sending back a response to the user along with commands to the Microsoft 365 application to perform the requested action. 


What risks does Copilot bring to my business? 

When Microsoft 365 Copilot is first enabled in an Office 365 tenant it will immediately begin inventorying data from sources such as Teams chats, OneDrive, mailboxes, and SharePoint document libraries.  Copilot will respect any existing permissions and data boundaries, but without a thorough understanding of how data moves through your organization, and without proper access controls, Copilot will be able to surface sensitive information to your Microsoft 365 Copilot licensed users. 


It's important to note that Copilot can source answers to prompts from any data that the user has at least read access to in the organization.  Users who are licensed for Microsoft 365 Copilot pose an additional risk when their account becomes compromised, since a threat actor will now be empowered to simply ask Copilot where your most valuable data resides and then ask Copilot to help them exfiltrate it.  It's critical that these users receive frequent security awareness training to recognize and thwart the phishing attempts that lead to account takeovers.  Other standard controls, such as phishing-resistant multifactor authentication, a strong and unique Microsoft 365 password, and evaluating the user's device health prior to allowing access to the data, should also be employed. 


Questions you should be asking to prepare for a Microsoft 365 Copilot pilot program or rollout include: 

  • Does any sensitive information (PII, PHI, SSNs, routing numbers, etc.) move through email, Teams, OneDrive, or SharePoint? 
  • Is OneDrive redirecting each user's Desktop, Documents, and Pictures folders in your organization? 
    • Users and IT teams alike love redirecting a user's most prized data to OneDrive because that data is always accessible to the user in the Microsoft 365 portal.  When they need a new computer, it greatly speeds up the recovery and transfer process, because when that user signs into OneDrive it will download all their data to the new computer.  However, this means that almost every file a user works with will be stored in the Microsoft 365 ecosystem and available to Copilot. 
  • Where is your HR, Payroll, and Expense information stored? 
  • Where are the company financials located? 
  • What, if any, regulatory compliance considerations does your business need to adhere to?  HIPAA, CMMC, GLBA, etc.? 
  • Do you do any business with countries in the European Union?  Is GDPR in play? 


How do you protect your data and empower your Copilot users? 

Microsoft expects you to classify your documents and data repositories with Sensitivity Labels to enforce Data Loss Prevention policies that apply encryption or prevent your data from leaking externally.  Sensitivity Labels also create a data boundary that Copilot must adhere to which prevents accidental sensitive data exposure.  Example Sensitivity Labels include: 

  • Personal - Used to classify personal, non-business-related information. 
  • Public - This classification identifies information that is explicitly approved for public consumption. 
  • General - This label classifies information that is internal to the organization which is neither explicitly approved nor denied for public consumption. 
  • Confidential - Data classified confidential is protected sensitive data that is prohibited from being shared externally. 


Based on these example labels, Data Loss Prevention policies can be crafted to either grant access to the data, block access to the data, or enforce encryption when sharing externally. 
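As an added example (not code from the original article), the following Security & Compliance PowerShell inventories the Sensitivity Labels already in the tenant and then creates a DLP policy, across the four workloads Copilot reads from, that blocks content containing a U.S. Social Security Number from being shared outside the organization. The policy is created in test mode so that matches are audited and reported before anything is enforced. The admin UPN and the policy name are placeholders; the ExchangeOnlineManagement module and a Compliance Administrator role are assumed.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds the Compliance Administrator role.
# The UPN and policy name below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 1. Inventory the labels that currently define the data boundary Copilot must respect.
Get-Label | Select-Object DisplayName, Name, Guid, Priority | Format-Table -AutoSize

# 2. Create a DLP policy covering Exchange, SharePoint, OneDrive and Teams.
#    'TestWithNotifications' audits matches and notifies users without blocking,
#    so the policy can be observed for a while before its Mode is switched to Enable.
$policyName = 'Copilot-Readiness-SSN-External-Sharing'   # constructed name
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Pre-Copilot check: SSNs must not be shared externally' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 3. Add a rule: content containing at least one U.S. SSN that is shared with people
#    outside the organization is blocked, the owner is notified, and a high-severity
#    incident report is generated.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -ReportSeverityLevel High

# 4. Confirm the policy exists and record its mode before leaving test.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
```

The rule keys on a built-in sensitive information type rather than on a label so that it catches unlabeled SSNs as well; once labels are applied consistently, a second rule scoped to the Confidential label can enforce the same block for labeled content.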


When starting with Microsoft 365 Copilot it's paramount to take the following actions: 

  1. Define what sensitive data is in your Microsoft 365 ecosystem and apply Sensitivity Labels to it to establish a data boundary.  

  2. Audit user permissions across SharePoint and Teams and clean them up as needed.  

  3. Establish a data lifecycle management policy for sensitive data if you do not have one, so that you are not hanging on to legacy sensitive data longer than is needed.  Consult legal counsel that specializes in your industry to ensure they can speak to any compliance needs. 
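Step 2 above, auditing permissions, is where most Copilot oversharing surfaces. As an added example (not code from the original article), the following SharePoint Online Management Shell script lists every site where the tenant-wide "Everyone" or "Everyone except external users" claim has been granted a role; any file on such a site is readable by every Copilot-licensed user. The admin URL and output path are placeholders, and the Microsoft.Online.SharePoint.PowerShell module with a SharePoint Administrator role is assumed.

```powershell
# Added example (not from the original article). Assumes the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator role.
# The admin URL and output path are placeholders for your tenant.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# Claim fragments that grant access to (nearly) every account in the tenant.
$broadClaims = @(
    'spo-grid-all-users',   # "Everyone except external users"
    'c:0(.s|true'           # "Everyone" (includes guests)
)

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $users = Get-SPOUser -Site $site.Url -Limit All
    } catch {
        # Sites the admin account cannot enumerate are reported, not silently skipped.
        Write-Warning "Could not enumerate $($site.Url): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        foreach ($claim in $broadClaims) {
            if ($u.LoginName -like "*$claim*") {
                [pscustomobject]@{
                    SiteUrl           = $site.Url
                    Title             = $site.Title
                    SharingCapability = $site.SharingCapability
                    BroadPrincipal    = $u.DisplayName
                    LastModified      = $site.LastContentModifiedDate
                }
            }
        }
    }
}

# Review on screen and keep a CSV as the audit record for the cleanup that follows.
$findings | Sort-Object SiteUrl | Format-Table -AutoSize
$findings | Export-Csv -Path '.\copilot-oversharing-audit.csv' -NoTypeInformation
```

Sites that appear in the output are candidates for replacing the broad grant with a specific group, and the SharingCapability column shows which of them also allow external sharing, which is where the DLP policy from the previous section applies.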


Licensing considerations: 

Copilot for Microsoft 365 is $30 per user per month, but Microsoft requires an annual commitment with the full term paid upfront.  Presently, there is no way to demo or trial Microsoft 365 Copilot.  Copilot is an add-on plan, and you need one of the following licenses to be able to use it: 

  • Microsoft 365 F1 
  • Microsoft 365 F3 
  • Microsoft 365 E3
  • Microsoft 365 E5 
  • Office 365 E1 (not recommended) 
  • Office 365 E3 (not recommended) 
  • Office 365 E5 (not recommended) 
  • Microsoft 365 A3 for faculty 
  • Microsoft 365 A5 for faculty 
  • Office 365 A3 for faculty (not recommended) 
  • Office 365 A5 for faculty (not recommended)
  • Microsoft 365 Business Basic (not recommended) 
  • Microsoft 365 Business Standard (not recommended) 
  • Microsoft 365 Business Premium 


While Microsoft will let almost any license level purchase and use Microsoft 365 Copilot, only certain plans include the security controls discussed above.  The plans marked "not recommended" lack those safeguards without additional add-on licensing, and a higher bundled plan will usually be more affordable than adding them piecemeal.  For organizations with fewer than 300 users, Business Premium is the minimum licensing that all users in the organization should have to ensure adequate protection.  If your company has more than 300 users, then Microsoft 365 E3 is the recommended plan. 


If you need assistance determining if Copilot is right for your organization, Five Nines can help. Contact us today to collaborate with one of our experts. 

Free Resource: AI in Cybersecurity