Will potential security vulnerabilities hinder the progress of Microsoft’s Copilot?

Information accessibility: The primary issue with Copilot for Microsoft 365

Numerous potentially critical security concerns surrounding Copilot stem from the level of authorization granted to the genAI tool for accessing corporate data, and how this authorization could potentially be exploited by malicious actors, or individuals within an organization.

In a blog entry, Ivan Fioravanti, one of the co-founders and Chief Technology Officer of CoreView, a company specializing in configuring and securing Microsoft 365 management, points out that upon implementation of Copilot for Microsoft 365, the tool inherits the same data access permissions framework already established for Microsoft 365. According to him, this framework is intended to ensure that only authorized personnel have the ability to handle sensitive information.

Nevertheless, there exist security vulnerabilities that organizations might overlook. Fioravanti cautions that risky default Copilot configuration settings may be activated. These settings could provide Copilot with access to confidential data in the absence of adequate protective measures. Default configurations might permit Copilot to interact with third-party plugins and retrieve web content, thereby introducing new avenues for potential cyber attacks.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts