Data Compliance When Using MS Copilot

You’ve read the articles about how incredible Copilot is at boosting productivity and efficiency, and now everyone in your organisation is clambering for it. Some of them have tried it, others are keen to, and it makes sense that everyone wants a go.

In Microsoft’s recent Future of Work Report, they found in a Teams Meeting Study, participants with access to Copilot found the task to be 58% less draining than participants without access, and among enterprise Copilot users, 72% agreed that Copilot helped them spend less mental effort on mundane or repetitive tasks.
 
Meanwhile, 80% of executives think automation like AI can be applied to any business decision, but only 18% of organisations believe they are digitally thriving. So, what about the practicalities of implementing Copilot? Most of the people I talk to lack the confidence about what the next steps are and how to roll out Copilot successfully – and securely - across their organisation.
 
There are lots of different AI versions, from Dynamics, Salesforce, Azure, and Service Now to name a few. These new AI tools help you mine data, summarise information, and work smarter. You can also build your own AI tools with Open AI to then use specific company data in the best way for your company.
 
We expect certain things to come out when we use Copilot or similar AI tools. For example, we expect deeper and more relevant search results, and personalised, relevant, and actionable responses. We also expect tenant, group, and user protections, and AI-assisted creativity, productivity, and automation. The key to success is helping users understand how to use data properly – which all starts with policy, governance, and classification to know what you have, then training and follow-through for user adoption.
 
So, let’s dive deeper into how you can be better prepared to implement AI tools and make them work well for your organisation.  

Data Quality

Making sure the data that AI trawls for information is of a high quality, relevant, and not out of date is critical to success. You need to understand first how the AI tools use data and the potential consequences of using old or wrong data.

AI is only as good at the information you put into it and the questions you ask it.
 
First, you will need to gain visibility of all your data sources and start to assess their quality and what can be discarded, what needs updating, and what can be kept. For example, there is no point in AI trawling through PowerPoints to create a new one if the figures in the previous ones are out of date, or through customer ordering information that’s old as it will produce inaccurate data for you.
 
On average, globally, every human creates at least 1.7 MB of data every second, so it’s no wonder 47% of digital workers struggle to find the information needed to effectively perform their jobs. We waste so much time looking for what we need, so, we must all ensure that we only keep what is up-to-date, of use, and relevant. Your company data policies should address these issues.
 
IT teams will need to assess the quality of your data across functions and with various departments in the business. Potentially, many businesses will need to spend considerable time assessing and ‘cleaning up’ their data before they can start using AI effectively.   
 
Organisations should also be aware of ‘dark data’ – the data that is not necessarily immediately visible to an employee or department, but which is still accessible by AI. It could be data that has come across with a migration but is often out of date. Some organisations will have a policy to delete all data that is five or ten years old. Putting in place the right permissions and reviewing your data constantly will be critical to the successful adoption of AI.
 
By working out what data is relevant and strengthening your data quality you will improve your AI results. A data assessment will allow you to ultimately make good decisions on what content to keep, remove, or archive.

Storage

While reviewing your data it’s important to match your storage capabilities and platforms with your data needs to ensure you are not wasting money on storage, but also that you can scale up if needed to allow for the extra compute that running AI requires.
 
It’s also important to ensure you know where your data is stored in M365 and other databases, how they interconnect, what data you need from them, and whether they have the right security in place. For example, archived data can be stored outside Microsoft 365 and Copilot can’t access it, but it can be brought back online should people request it.
 
Within this companies need to ask whether they are using and storing their data in the right way to meet regulatory obligations. All this needs to be set out in an AI strategy document. By having a clear AI strategy in place adoption will become much easier. Without it, the wrong permissions could be granted to employees, and potentially cause a data leak and result in catastrophic damage and fines from regulatory bodies.
 
Data privacy, Compliance & Security
 
Organisations need the right data privacy controls - internally and externally if sharing content. Understanding your regulatory obligations and meeting all GDPR legislations require extra vigilance with Copilot. It will ‘farm’ information from a variety of different sources and databases so it’s key that anyone accessing data has the right permissions in place to meet all your regulatory obligations.
 
Think about the sensitivity of data and consider which data sets need to be locked down and what compliance needs you have as an organisation. For example, identify sensitive data, external users, and links and how items are shared internally. All information can be given a ‘category’ of risk and identified by audience, then IT admin can run assessments and work out to prevent oversharing of sensitive data.
 
Alongside this, it's important to clean up permissions and enforce policies. For example, removing shadow users who have access but haven’t used the data because they have moved department. Who has access to what and how people can set up project teams that have access to certain data sets can all be reviewed and given permissions from the IT team. For example, ‘leases’ can be put on workspaces to allow access to data sets for a certain period only. 
 
Once your data and environment are clean and secure you can then use AI and automation to manage and govern your data.

Adoption 

Training people how to use Copilot properly and understanding what prompts to use for it to come back with useful information is the final part of a successful rollout. With the latest management tools, the IT team can have a clear overview of the people who are licensed to use Copilot and how they are using it. If they are not making the most of it, do they need more training?
 
Employees must also understand the risks around AI-created information and how to ‘check’ its veracity.

For example, if employees are using Chat GPT across internal data are they asking the right questions to retrieve the best answers, and are they checking the data is recent and relevant?
 
In principle, your data should be up to date if you have started your journey with a data assessment so that your AI tools only have access to high-quality data. However, we all know data goes out of date very quickly, so all employees need to be aware through appropriate training not only how to use the tools, but also how to review and assess whether the information that it spits out is useable.

We still need to use our intelligence to assess whether AI has given us useful, useable information or not.
 
The right strategy, policies, and security combined with good training will enable your workforce to make the most of AI and its amazing capabilities.

Mike Bellido is Cloud Solution Architect at CSI Ltd

Image: Ideogram

You Might Also Read: 

Insights From An Early Adopter Of Microsoft 365 Copilot:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« The Dynamic Influence Of AI On Business Cybersecurity
What Will The NIS2 Directive Mean For Smaller Organisations? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Hodgson Russ

Hodgson Russ

Hodgson Russ is a US business law firm. Practice areas include Privacy, Data Breach & Cybersecurity.

Foundation Futuristic Technologies (FFT)

Foundation Futuristic Technologies (FFT)

FFT is a global leader in computer forensics and digital investigation solutions.

i-Sprint Innovations

i-Sprint Innovations

i-Sprint is a leader in Securing Identity and Transactions in the Cyber World for industries that are security sensitive.

Irish National Accreditation Board (INAB)

Irish National Accreditation Board (INAB)

INAB is the national accreditation body for Ireland. The directory of members provides details of organisations offering certification services for ISO 27001.

EOL IT Services

EOL IT Services

EOL IT Services is the UK’s most accredited provider of IT Asset Disposal (ITAD), Lifecycle Services and Data Destruction.

AnChain.AI

AnChain.AI

AnChain.AI's analytics platform proactively protects crypto assets by providing proprietary artificial intelligence, knowledge graphs, and threat intelligence on blockchain transactions.

Security BSides

Security BSides

Security BSides is the first grass roots, DIY, open security conference in the world!. BSides is a community-driven framework for building events for and by information security community members.

National Cyber Safety and Security Standards (NCSSS) - India

National Cyber Safety and Security Standards (NCSSS) - India

National Cyber Safety and Security Standards has been started with a great vision to safeguard India from the current threats in the cyber space.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

R-Tech

R-Tech

R-Tech GmbH manages the digital start-up initiative, whose goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

aFFirmFirst

aFFirmFirst

aFFirmFirst is a unique software solution offering a simple yet effective way for businesses to protect and control their online images and logo, as well as allowing one-click website verification.

Institute for Applied Network Security (IANS)

Institute for Applied Network Security (IANS)

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk.

Insurica

Insurica

INSURICA is a full-service insurance agency built upon a tradition of integrity, industry leadership, and excellence.

Northern Computer

Northern Computer

Northern Computer provides comprehensive IT solutions that streamline your operations and help you achieve your business goals.

ACDS (Advanced Cyber Defence Systems)

ACDS (Advanced Cyber Defence Systems)

ACDS was founded in the belief that cyber security can be done better. We’re combining emerging technologies and proven methods to bring a new approach to tackling the growing threat landscape.

Amnet Technology Solutions (Amnet Systems)

Amnet Technology Solutions (Amnet Systems)

Amnet Systems is a technology services organization that provides Managed IT, Cloud Computing, Cyber Security, Data Center and Audio Visual services since 1995.