Important things to think about, before implementing Copilot for Microsoft 365

  • Writer: Vlad Johansen
  • Oct 30, 2024
  • 3 min read

Updated: Nov 6, 2024



In today's blog post I want to take up a hot topic: Copilot for M365. Copilot is a great and powerful AI tool that helps people become more efficient in everyday life, but what should you think about before implementing Copilot in your environment? Many people talk about data security and access, but is this enough? No, absolutely not. Most people know that Copilot has access to everything that a user account has access to. This can become a dream for an attacker: with help from Copilot, it is even easier for them to extract the information they may be looking for.


Zero trust is the way to go... and this is more important now than before!


With Zero Trust, you ensure that every request from a user, device, or resource is verified before it is allowed.


Microsoft has created a guide that helps companies get up to a minimum level before implementing Copilot in their company.




Identities


First of all, it is important to secure all user accounts. Make sure that everyone has MFA and that you have a strategy for not granting too much privileged access. Use Privileged Identity Management and phishing-resistant MFA methods on privileged accounts. Now that passkeys have arrived, it is a good idea to use them on normal user accounts. This is both simple and safe. You don't have to use a password and it's almost impossible to steal. There are of course many security holes in all systems, but it is better to use something that is updated and maintained than to sit with old-fashioned authentication methods such as SMS.


Endpoints


On top of that, gain control over all your endpoints: require that each endpoint is enrolled and compliant with company rules, use new operating systems, encrypt them and create good patching routines. It is also important to use Defender for Endpoint to ensure that you protect all endpoints and receive notifications about threats and vulnerabilities. Ideally, you should also use Microsoft Sentinel and have a SOC agreement to monitor and respond to threats and attacks. Having control over devices is not only important for maintaining security, but it also makes it easier to manage both devices and applications.


Applications


Get control over all business applications on your devices, create App protection policies and ensure that these are secured. Also make sure to have good application patch routines. Use Defender for Cloud Apps to gain insight into shadow IT in your environment; it can also block thousands of third-party applications. Defender for Cloud Apps interacts well with Defender for Endpoint, Purview and Conditional Access. Conditional Access is a key piece here. It ensures that the Zero Trust principle is achieved.


Data


Once you have gained control over user accounts, endpoints and applications, it is time to move on to gaining control over data in the environment. This is where Purview comes in. Purview is a great tool when it comes to data security and classification. This is not only important for Copilot, but it is also important to actually get rid of old files that you no longer need and that are taking up space.

Start by mapping the sensitive information in your environment and then look for it. Whether the files are in the cloud or on-premises, Purview handles this. Set sensitivity labels and create Data Loss Prevention rules on your files and in applications based on your company's needs and regulations. Purview also has a cool tool in Compliance Manager, which can help companies get compliant with different regulations such as ISO2xxxx or NIS2 on your tenant. Remember: just on your tenant, not for the whole organization. E5 customers can use up to 5 assessments for free. Don't forget retention policies on files that you either want to delete after a certain amount of time or that you want to protect from deletion. In this phase, it is important that the entire company contributes, from the cleaning lady to the executive directors.

Also, review your sharing policies and settings in SharePoint, OneDrive and Teams to ensure that everything is as it should be.
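One way to start the sharing review described above, as an added example that is not part of the original post: a filter that flags sites whose sharing setting allows "Anyone" links or new guests, or that carry no sensitivity label. `Find-OversharedSite` is a hypothetical helper name, and the sample sites are constructed so the script runs without a tenant connection.

```powershell
# Added example: flag SharePoint/OneDrive sites whose settings widen what a
# signed-in user (and therefore Copilot) can reach or expose.
# Find-OversharedSite is a hypothetical name; the sample data is constructed.
function Find-OversharedSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site
    )
    process {
        $findings = @()
        # SharingCapability values as returned by Get-SPOSite.
        switch ([string]$Site.SharingCapability) {
            'ExternalUserAndGuestSharing' { $findings += 'Anyone links allowed' }
            'ExternalUserSharingOnly'     { $findings += 'New external guests allowed' }
        }
        if ([string]::IsNullOrWhiteSpace([string]$Site.SensitivityLabel)) {
            $findings += 'No sensitivity label'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Url      = $Site.Url
                Sharing  = [string]$Site.SharingCapability
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample input using the property names Get-SPOSite returns.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
                       SharingCapability = 'ExternalUserAndGuestSharing'; SensitivityLabel = '' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'
                       SharingCapability = 'Disabled'; SensitivityLabel = 'Confidential' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/user_contoso_com'
                       SharingCapability = 'ExternalUserSharingOnly'; SensitivityLabel = '' }
)
$sampleSites | Find-OversharedSite | Format-Table -AutoSize

# Against a real tenant (SharePoint Online Management Shell):
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Get-SPOSite -Limit All -IncludePersonalSite $true | Find-OversharedSite
```

This covers site-level external sharing only; internal permissions and Teams settings still need their own review.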


Backup

Ensure you have a backup of your tenant/servers and check that restoring from backup works correctly. Remember, Microsoft is NOT responsible for your data.



Licenses


When it comes to licenses, it is definitely recommended that you have E5 licenses. This is because E5 includes all the important services for both security and compliance. You can also use E3, but then it's recommended to buy the E5 Security and E5 Compliance add-ons.


I hope this was a useful read and that it will help you with your Copilot journey.

© 2024-2025 need4.cloud