Copilot Readiness: More Ways to Fix Oversharing in Microsoft 365

In earlier articles of this Copilot Readiness series, I introduced the issue of oversharing files in Microsoft 365 and discussed strategies to address it as part of your Copilot preparation efforts.

This article continues with a few more ways to reduce the risk of oversharing confidential information that you should be aware of.

Oversharing Fix #4: Use Sensitivity Labels and Policies

Sensitivity labels and policies are a powerful tool you can use to combat oversharing and increase the overall security of your files, email and much more.  

Why Does This Matter?

The out-of-the-box security configurations in M365 may not be enough for teams or environments that work with sensitive material (i.e. legal contracts).  

This terrific article by Tony Redmond breaks labels down into two buckets: Protection and Container Management.  

• Protection refers to your files, emails and meetings. You can restrict who can view content, who can share, prevent copying, prevent print-screening, add extra encryption, and watermark documents.

• Container Management largely refers to Microsoft Teams, M365 groups and SharePoint sites. Publishing labels to groups and sites allow you to restrict guest access and even sharing.

While many of these tools may have been designed for organizations that are heavily regulated (finance, healthcare, legal, etc.), they can also be applied to small organizations that also need to ensure their most sensitive data is protected.

What Needs to be Done?

1. Plan out your labels. Identify what specifically needs additional protection and document it.
2. Create the labels. Build them in your M365 tenant as per your documentation.
3. Publish labels to policies. Publishing to files and/or containers can take approx. 24 hours to roll out.

Rolling out and managing sensitivity labels is not a small job. It requires careful planning and oversight to strike the right balance of security and usability. 

For example, applying extra encryption to content may sound like a no-brainer of an idea on paper, but in reality it will add extra loading time to your content and a handful of other considerations that may have a negative impact to the end-user experience and their productivity.

Additionally, if you want to use sensitivity labels at the container level, you will need to enable that functionalityfirst.

Overall, start with a well-documented plan and implement it slowly so you can monitor the impact to your end-users. 

Planning out your sensitivity labels ahead of time can help ensure they're configured correctly out of the gate.

How Does this Help?

Bringing this back to oversharing, sensitivity labels can be configured to restrict sharing. 

For example, on a normal private SharePoint team site, group members can use share links to collaborate with people who are not members of the group or site. With sensitivity labels, you can prevent share links from being used this way on your most sensitive content.

Since we know that content that is out of reach to an end-user is also out of reach of their copilot queries, you can rest easier knowing that your most confidential materials are secure from a cleverly-worded prompt.

Oversharing Fix #5: Remove Content from Copilot and Search

Let's say you have a SharePoint site that is strictly for archiving workspace data, and you don't want users accidentally referencing that old data. It's possible to exclude those sites from all search and Copilot queries, including one coming soon called "Restricted Search in SharePoint".

Earlier in March, Microsoft announced Restricted Search in SharePoint (RSS) as a tool you can use to limit the scope of org-wide search AND Copilot for (up to) 100 SharePoint sites. As of writing this article, RSS is targeted to be released in April (2024).

Implementing Restricted Search in SharePoint (RSS) in tenants with "Copilot for Microsoft 365" will add a banner informing end-users that the search scope is restricted.

End-user view of Copilot for Microsoft 365. A banner is shown notifying the user that Copilot is restricted from accessing certain SharePoint sites. (source: Microsoft)

Why Does This Matter?

1. Improves accuracy and relevancy of org-wide search and Copilot by removing sites that shouldn't be referenced in user queries.
2. Reduce the chances of users accidentally (or intentionally) discovering information and data that they shouldn't.

Limiting what SharePoint sites' Copilot can search not only increases the accuracy and relevancy of the information returned to your users, but also helps ensure certain sites always remain out of scope.  

Users will still be able to use Copilot across OneDrive, Outlook and any of the sites that you've approved.

What Needs to be Done?

Implementing RSS will require an M365 global admin familiar with PowerShell. Microsoft hasn't yet published the scripts necessary to do this, but we'll update this article when they do. 

In the meantime, if you don't plan to use RSS in your environment, you can still exclude sites from org-wide search and Copilot using existing PowerShell scripts and/or the SharePoint user interface. To learn more, check out this blog post that outlines three methods to accomplish this.

The "Search and Offline Availability" page in SharePoint site settings.  Image includes numbered steps showing how to remove a site from M365 search results.

As a starting point, create a list of your SharePoint sites and identify which ones should be included or excluded from org-wide search and copilot.

How Does this Help?

Using RSS, you can ensure this site (and any others) remains out of scope for org-wide search and Copilot. 

Additionally, you can use RSS as a tool to slowly roll out Copilot functionality to users as you work to clean-up old sites, data and tighten governance across the board.

Oversharing Fix #6: Inform and Educate Your Staff on Sharing Best Practices Regularly

Why Does This Matter?

Because we're human and we forget things despite our best efforts. All of the labels and security configurations in the world will only get you so far if you don't communicate with your users or train them. 

Additionally, be prepared to inform your users about these systems regularly, otherwise, people will forget and likely revert to old behaviors.

What Needs to be Done?

1. Create clear and concise documentation that staff can use for onboarding and reference

2. Create (or implement into existing) annual training that informs and reminds staff about your procedures and best practices

3. Promote best practices year-round

When it comes to best practices, it's rarely ever enough to tell people how to perform a task just once. 

In my own experience delivering software training, people need to be shown and reminded how to do something quiet often. Sometimes it's because they do a task so infrequently, they don't remember the steps. Other times, they've been with the company for so long that they've developed their own ways of doing things and have little interest in learning something different.

How Does this Help?

Changing people's behaviors isn't something that can be done overnight. That's why 'Change Management' exists as a business function - because habits die hard.  

Training people the first time lets them know that there is a process to follow. Reminding them at least once a year, tells them that it's important to the company.

Closing Thoughts

Addressing oversharing in Microsoft 365 is crucial for maintaining the security and integrity of your sensitive data. Implementing sensitivity labels, using tools like Restricted Search in SharePoint, and educating your staff on best practices are all key steps in safeguarding your information.

By taking proactive measures and staying informed, you can create a more secure environment for your organization.

Check out the other articles planned to help you prepare for Copilot or reach out to an expert for more information!