The interest in Copilot for Microsoft 365 among Danish corporations continues to be massive – and with good reason. But the AI revolution also creates a major security problem: Most companies have huge amounts of unclassified data, which drastically increases the risk of data leakage when the data is handled by AI.
Anna Barkvall, Director Strategic Programs, Global Portfolio Management, Orange Cyberdefense Group
Bastian B. Eibner, Sr. Tech Specialist | Office 365 Security & Compliance, Microsoft
The possibilities with generative AI are staggering, and employees of all sorts want access to Copilot for Microsoft 365, because it can boost their productivity to an unprecedented extent. The benefits are indisputable, but behind the excitement lurks a security problem that has gained momentum over many years and is now challenging the safe use of AI.
You may have heard IT people say that "safe use of AI requires more control of our data". What do they mean by that? They probably mean that your data is not classified, and therefore an AI assistant cannot know whether the data it finds and processes is confidential or non-confidential, because the data has no label.
The truth is that almost all the data that flows around in Danish companies is unclassified. It has no formal security status. Until now the security assessment has been solely up to the users – and now AI is removing them from the equation. Besides, AI can find more data much faster.
"Virtually all companies have a huge 'back catalog' of unclassified data that has been piling up over many years. Besides that, most employees have access to data of all kinds – including highly confidential ones. This is nothing new, but before AI they had to retrieve the data manually. This took time and created the opportunity to assess them as you went along. But that procedure is completely different when using AI", says Anna Barkvall, Director Strategic Programs Global Portfolio Management at Orange Cyberdefense.
Almost no organizations classify their data – not even the most confidential ones. So how can an AI assistant know which data should be treated more carefully than others?
Now, with quite ordinary free text, we can ask our AI assistant to search all data within our reach - even data we may not even know we have access to. A query could be: "Find all documents related to the restructuring of the organization and write a summary of 1000 words" or "Give me a summary of the most important decisions at the board's last Teams meeting."
We've never been able to do that before, nor could we put the data together in a myriad of ways without direct human intervention. Copilot can do that for us now, but how do we know if some of the data being used might be strictly confidential? That assessment has great significance for how we use the data afterwards.
In this way, AI entails a much greater need to control where we store data, what classification it has, who can access it and how it is allowed to be used. Anna Barkvall says she has already seen several cases of strictly confidential data being shared with external recipients because an employee had found and processed it with AI.
"The problem stretches all the way back to when we started using PCs over 40 years ago. Before that, we were pretty good at classifying data. But with digitization it became much easier to collect, copy and distribute data as needed. Many organizations have tried to manage this by introducing data policies. But they require employees to know them and follow them – even when working under pressure. Trust is a good thing, but when it comes to protecting critical data, control tends to be better. Which is why we invest heavily in the security around Copilot", says Bastian B. Eibner, Senior Technical Specialist at Microsoft.
The case in a nutshell: Safe use of Copilot for Microsoft 365 requires effective data governance. But if you are faced with huge amounts of unclassified data, classifying it all can seem like an almost impossible task. This is where security experts from Orange Cyberdefense enter the picture.
"There is no doubt that data governance will be a very important security issue in the coming years – also in relation to compliance with new security legislation. Our specialists typically start by carrying out assessments and creating the right road maps. Since most organizations are starting from scratch, it is often a good idea to roll out data classification gradually and gather experience along the way. For instance, by starting with departments that work with a lot of sensitive data – such as management, HR or R&D", explains Anna Barkvall.
AI-based assistance on secure data handling is going to make a huge difference. In fact, I think it will eliminate the majority of security incidents we see today.
With the right mix of data control, Managed Security Services and strategic data governance, Copilot can go from being a risk factor to being a strong contribution to security, especially by helping users to make the right choices in their day-to-day work with the organization's data.
"Imagine that Copilot not only finds and processes the data as you want, but also proactively advises you on how to avoid compromising data security. Without thinking about it you may try to store confidential data on an unprotected drive in the cloud? Or copy it to an unencrypted USB key? These things happen all the time, but based on the right data governance Copilot will be able to help avoid that. It's well known that user behavior plays a key role in the security posture of any organization. Therefore, there is no doubt that AI-based advice on secure data handling will make a huge difference. In fact, I believe it will eliminate most of the security incidents we see today", says Anna Barkvall.
We have already seen examples of serious breaches of data security because an AI found and processed confidential but unclassified data.
The need to implement AI typically derives from many parts of an organization, but IT will have to deal with the risks that come with it. It may feel like yet another big task piled on top of all the others. But it can also be a great opportunity to achieve all the security benefits that more efficient data governance brings with it.
"Obviously, the creation of a more secure, classified data foundation is a major task. Only large organizations have the muscle to take it on themselves. But since data governance is now very closely connected to AI – which everyone wants – it is also a unique opportunity to ask the management for a larger security budget. If the task is financed and approached correctly, it will not only lead to a safer use of AI, but also significantly improve general security and ease of compliance with new legislation such as NIS2 and the AI Act", concludes Anna Barkvall.
As an official Microsoft partner and one of Europe's strongest providers of Managed Security Services, we can help your organization find the direct path to effective data classification and secure use of Copilot for Microsoft 365, for instance by using Managed Workspace Protection, more security-oriented configuration of Copilot and implementation of Microsoft Purview for control, protection, automatic data classification and constant surveillance of your data flow.
Orange Cyberdefense is a leading European cyber security supplier and Managed Security Services Provider (MSSP), recognized by Gartner, Forrester and IDC. Orange Cyberdefense has over 3,000 employees who provide cyber security advice, IT security solutions and services to over 8,700 customers in 160 countries. We have a global Threat Intelligence department and 250 analysts, spread over 18 SOCs, 14 CyberSOCs and 4 CERTs, who collect and analyze global data from over 500 information sources 24/7. In 2023, our global revenue was EUR 1,072 billion. Orange Cyberdefense Danmark A/S has approx. 60 employees. We have offices in Copenhagen and Aarhus, and our customers include multinational companies, public organizations and authorities. Together with Orange Business, Orange Cyberdefense is part of the French telecommunications group Orange Group, which has over 137,000 employees, 296 million customers worldwide and a global turnover of EUR 44 billion in 2023.