
Microsoft 365 Copilot is transforming how CPA and tax firms operate, offering search and analysis across the firm's Microsoft 365 content that streamlines workflows and improves efficiency. However, many firms rushing to deploy Copilot overlook a crucial aspect: data security and governance, particularly within SharePoint. Copilot itself is built with security in mind, with content filtering, prompt inspection and malicious-prompt blocking. What it does not do is add any access control of its own: it answers from whatever the signed-in user can already open in SharePoint and OneDrive. Copilot therefore reveals the state of your existing permissions, for good or ill.
If SharePoint data is not permissioned correctly, Copilot can unintentionally expose sensitive information. Many firms unknowingly grant broad access to SharePoint files by default (sites shared with "Everyone except external users", organization-wide sharing links, or permissions carried over from an old file server), and a file a user could technically have found by browsing becomes one a single Copilot prompt will surface: salary details, merger and acquisition plans, or even passwords stored in documents. Before enabling Copilot, firms must prioritize securing their SharePoint environments to mitigate these risks.
The Importance of Restricted Access Control (RAC)
Restricted Access Control (RAC) is a critical component of SharePoint security, ensuring that only users in designated groups can access a given site, regardless of what item-level permissions or sharing links say. RAC is a feature of the SharePoint Advanced Management add-on, listed at $3 per user per month at the time of writing, a worthwhile investment for firms handling sensitive financial and client data.
SharePoint Advanced Management also brings advanced reporting and governance features (such as data access governance reports that show which sites are overshared). RAC itself works at the site level: for a Microsoft 365 group-connected site, access is limited to the members of that group; for other sites, IT assigns up to 10 security groups or Microsoft 365 groups that are allowed in. Anyone outside those groups is denied, even if a document was shared with them directly, so team members only reach the data appropriate to their roles. Without RAC, an employee who inherited broad permissions could simply ask Copilot and uncover data beyond their intended scope.
Steps to Secure SharePoint Before Deploying Copilot
- Purchase SharePoint Advanced Management – This includes RAC, which provides the site-level access restriction described above, plus the governance reports you will use to find oversharing.
- Enable Site-Level Access Restriction – Turn the feature on for the tenant (in the SharePoint admin center under Policies > Access control, or with the SharePoint Online Management Shell), then apply it to each sensitive site. Enabling it tenant-wide changes nothing on its own; each site must be opted in.
- Apply Security Controls – For each restricted site, assign up to 10 security groups or Microsoft 365 groups; only members of those groups can open the site. For group-connected sites, membership of the connected Microsoft 365 group is the boundary.
- Create Department-Specific SharePoint Sites – For example, establish a SharePoint site exclusively for the finance department, granting access only to the finance security group, rather than keeping finance files in a firm-wide site with item-level exceptions.
- Manage External Sharing – Review external sharing settings at both the tenant and site level to prevent accidental data leaks. Organizations that migrate from local servers to SharePoint often leave the default "Anyone" or guest-sharing settings in place, potentially exposing sensitive information to outside parties. A site can be made stricter than the tenant default but never more permissive.
- Audit and Monitor Permissions Regularly – Conduct routine reviews (restricted sites, sites still open to external sharing, and oversharing reports) to ensure that access controls remain aligned with organizational security policies.
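The following PowerShell script is an added example, written for this article and not taken from Microsoft documentation or from Barith, that carries out steps 2 to 6 above with the SharePoint Online Management Shell. The tenant name (contoso), the site URLs and the group object IDs are placeholders; the cmdlets (Set-SPOTenant, Set-SPOSite, Get-SPOSite and their RestrictedAccessControl parameters) are the ones documented for the module, but confirm the parameter names against your installed version before running it in production.

```powershell
# Added example (not the article's own code): apply Restricted Access Control and
# tighten external sharing with the SharePoint Online Management Shell.
# Tenant name, site URLs and group object IDs are placeholders; replace them.

# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Step 2: turn the feature on for the tenant (needs a SharePoint Advanced
# Management licence). Nothing is restricted until a site opts in below.
Set-SPOTenant -EnableRestrictedAccessControl $true

# Step 3/4: restrict a department site that is NOT connected to a Microsoft 365
# group to named Entra ID groups (maximum 10 per site). Placeholder object IDs;
# look yours up in the Entra admin center under Groups.
$financeSite   = "https://contoso.sharepoint.com/sites/Finance"
$financeGroups = @(
    "11111111-1111-1111-1111-111111111111",   # SG-Finance-Staff (placeholder)
    "22222222-2222-2222-2222-222222222222"    # SG-Finance-Partners (placeholder)
)
Set-SPOSite -Identity $financeSite -RestrictedAccessControl $true
# Parameter takes a comma-separated list of group IDs.
Set-SPOSite -Identity $financeSite -AddRestrictedAccessControlGroups ($financeGroups -join ",")

# A Microsoft 365 group-connected site needs no group list: access is limited
# to the members of the connected group.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/TaxTeam" -RestrictedAccessControl $true

# Step 5: external sharing. Set the tenant default first (here: named external
# users only, no anonymous "Anyone" links), then close it fully on client-data
# sites. A site can be stricter than the tenant but never more permissive.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOSite -Identity $financeSite -SharingCapability Disabled

# Step 6: verify the restricted site, then audit the tenant. Anything still open
# to external sharing or not under RAC goes on the review list.
Get-SPOSite -Identity $financeSite |
    Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups, SharingCapability

# Assumption: RestrictedAccessControl is populated in list mode; if it comes back
# blank, query each candidate site with Get-SPOSite -Identity instead.
$review = Get-SPOSite -Limit All -Detailed |
    Select-Object Url, Template, SharingCapability, RestrictedAccessControl |
    Where-Object { $_.SharingCapability -ne "Disabled" -or -not $_.RestrictedAccessControl }

$review | Format-Table -AutoSize
```

Run this from an account holding the SharePoint Administrator role. Because RAC denies access even to users who hold item-level permissions, test each restriction on one site with a pilot group before applying it firm-wide, and keep the group membership list itself under change control: the groups are now the effective perimeter for that site, for Copilot and for everyone else.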
The Risks of Deploying Copilot Without Governance Controls
Firms that enable Copilot without first securing SharePoint risk exposing sensitive data to unauthorized users. Employees may inadvertently reach confidential information through Copilot queries, leading to potential compliance violations and reputational damage. In some cases, firms feel forced to disable Copilot entirely to contain the problem, an unnecessary step if proper governance measures are in place, since the underlying exposure existed before Copilot and remains after it is switched off.

Conclusion
Microsoft 365 Copilot is a powerful tool for CPA and tax firms, enhancing productivity and data accessibility. However, its effectiveness depends on the security foundation already in place. Before deploying Copilot, firms must implement Restricted Access Control, close down external sharing and establish robust SharePoint governance policies. By taking these proactive steps, organizations can fully leverage Copilot's capabilities while maintaining the highest standards of data security and compliance.
At Barith, we understand the complexities of SharePoint security and governance. Our team can assist in implementing the SharePoint settings needed to make your Copilot deployment as secure as possible. Contact us today to learn how we can help safeguard your firm's data while maximizing Copilot's potential.