Data access: Copilot for Microsoft 365’s main problem
Many of the potentially serious security issues with Copilot start with what kind of access the genAI tool is given to corporate data, and how that access can be misused by hackers, or even by people within a company.
Ivan Fioravanti, co-founder and CTO for CoreView, which focuses on Microsoft 365 management configuration and security, notes in a blog post that when a company installs Copilot for Microsoft 365, it gets the same permissions model for data access already in place for Microsoft 365. That model, he says, is designed to ensure “only authorized users can interact with sensitive information.”
However, there are security gaps enterprises could easily miss. Fioravanti warns that risky Copilot configuration settings could be enabled by default. These settings can give Copilot “access to sensitive data without appropriate safeguards in place. Default settings could allow Copilot to interact with external plugins and access web content, introducing new attack surfaces.”