If you’ve used ChatGPT, you know how powerful and helpful it can be. For the security-conscious enterprise, however, there are some red flags.
Large corporations like JP Morgan Chase and Verizon are blocking employees from accessing the popular AI chatbot. Even Microsoft, one of OpenAI’s largest investors, temporarily restricted access to ChatGPT recently.
This is interesting news, especially considering Microsoft is rolling out its own AI chatbot for the enterprise called Copilot. It’s already available for Windows users, with enterprise rollouts not far behind. Like ChatGPT, Copilot can be a wonderful tool, but it introduces some notable risks for the enterprise.
Imagine having a personal AI assistant tucked into every Microsoft 365 app you use – from Word and Excel to Teams and Outlook. The purpose of Copilot is to strip away the tedious bits of an employee’s workday so they can be more productive and creative than ever.
What differentiates Copilot from other AI tools like ChatGPT is its ability to deep dive into your organization’s Microsoft 365 content. Think of Copilot as a 24/7 virtual assistant that remembers every bit of your work and can whip up a summary, spreadsheet or document quickly and efficiently.
The potential for Copilot is endless; the expected productivity surge may exceed that of ChatGPT. Simply open a new Word doc, tell Copilot to draft a client proposal using elements from your notes and past presentations, and you’ve got a complete proposal in seconds.
Copilot can even summarize Teams meetings, keeping track of the key points and to-dos. It can also be your email wingman in Outlook, helping you sort through your inbox. In Excel, it becomes your data analyst.
How does Copilot work?
If you’ve been using Microsoft products long enough, you’ll remember Clippy. Copilot is as easy as Clippy, but much less annoying and with much better results.
With Copilot, the process is very simple and works like ChatGPT:
In theory, Copilot is a dream come true. But there are security risks that must be addressed. While Microsoft does its best to keep security in mind with its product, data security teams need to know this: Copilot essentially has the keys to the kingdom. It can access all the sensitive data you can, which – to be honest – is sometimes more than it should.
Plus, Copilot can do more than fetch data; it can create new sensitive data quickly and in large quantities.
The big issue here is overly permissive data access, which happens in organizations far more often than you think.
Here at Concentric AI, we publish a Data Risk report twice a year based on our comprehensive findings. Using advanced AI capabilities, Concentric AI processed over 500 million unstructured data records and files from companies in the technology, financial, energy and healthcare sectors. This report underscores the risk to unstructured data in the real world by categorizing the data, evaluating business criticality, and accurately assessing risk.
Our most recent report analyzed over 550 million data records and found that 16% of an organization’s business-critical data is overshared. That adds up to a lot of data: on average, organizations have 802 thousand files at risk due to oversharing.
Let’s explore some other staggering statistics:
Let’s assume Copilot becomes as embraced by the enterprise as many expect. In that case, companies must approach its use like any other application: balancing productivity against restricting access to only the employees who need it to do their work. Remember the rush to give employees remote access to work during the pandemic? It was a massive challenge to set permissions and security settings promptly.
The good news is Copilot will only work with your M365 tenant data and won’t be able to access other companies’ data. Plus, your data doesn’t train the AI for other companies to leverage.
However — there are several issues:
Here’s what Microsoft says about access rights in its Copilot data security documentation: “It’s important that you’re using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization.”
In an ideal world, permissions follow zero trust: as in the CIA, access to information is on a need-to-know basis. Microsoft suggests using M365’s permission models to keep things locked down, but in reality, most setups are far from that ideal.
As for the labels and classification methods that companies rely on to keep data protected, they can get messy, and AI-generated data will only make it messier. With so much data to manage, organizations should not expect their employees to be perfect stewards of data risk. We know it’s hard enough for security teams.
To best manage any type of data risk, sensitive information (from financial data to PII/PHI/PCI to intellectual property to confidential business information) needs to be identified, classified and, if at risk, remediated. Remember, sensitive data can be structured or unstructured, and it can be stored in the cloud or on premises.
While most classification methods are better than having none at all, most paths to classification — like end-user, centralized and metadata-driven — can be time-consuming, ineffective and full of unnecessary obstacles.
As difficult as this sounds, organizations need to have a clear understanding of data risk before fully deploying Copilot.
That’s where Concentric AI comes in.
Concentric AI leverages sophisticated natural language processing capabilities to accurately and autonomously categorize data output from Copilot into categories that include privacy-sensitive data, intellectual property, financial information, legal agreements, human resources files, sales strategies, partnership plans and other business-critical information.
Concentric AI can analyze the output from Copilot to discover sensitive information – from financial data to PII/PCI/PHI – and label the data accordingly to ensure that only authorized personnel have access to it.
This also ensures that employees don’t have to worry about labeling the output, resulting in better security.
Once that data has been identified and classified, Concentric AI can autonomously identify risk from inappropriate permissioning, risky sharing, unauthorized access, wrong location, etc.
Remediation actions, such as changing entitlements, adjusting access controls, or preventing the data from being shared, can also be taken centrally to fix issues and prevent data loss.
Best of all, Concentric AI can help you address Copilot’s security risks without having to write a single rule.
To sum up, with Concentric AI, your organization can effectively manage generative AI output data:
Concentric AI is easy to deploy — sign up in ten minutes and see value in days.
Book a demo today.