Too Much Information by Invero™

Generative AI is driven by the massive amounts of data that the large language models can leverage to produce useful responses. What would happen if the data available to these models included information that was not intended to be exposed beyond authorized users?

Tools such as Copilot for Microsoft 365 now expose all data from your M365 tenant to the power of Generative AI. There are safeguards in place to respect permissions and the data governance rules enforced by Purview, but most companies face two challenges: they do not have the appropriate controls in place, and they do not know whether users have at some point unintentionally shared sensitive data in SharePoint or Teams sites, folders or files with the entire company.

The industry term for this is “oversharing.” Too Much Information, or TMI for short, is software that identifies all data across your entire tenant that has been overshared, even if that sharing was done more than 10 years ago. TMI not only tells you what data has been overshared; it also offers optional remediation that removes all overshared links and replaces them with access for the smaller set of end users who were supposed to have access to the data.

Read our FAQ to learn more, or sign up for a demo.

Sign Up for Demo

Does this sound like something you need so that you can confidently deploy Copilot without risking exposure of sensitive data? Learn more about TMI with a free, no obligation demo.

What If …

What if data unintentionally shared with your entire organization includes sensitive information that you do not want exposed to everyone in your organization, or that, from a regulatory compliance perspective, you absolutely cannot risk exposing? Data such as:

  • Confidential company financial information
  • Personally identifiable information (PII)
  • Credit card numbers
  • Social Insurance Numbers / Social Security Numbers
  • Confidential customer information
  • Trade secrets
  • Intellectual property

What would you (or your boss’s boss) do if it turned out that someone had come across sensitive information by entering a simple prompt into Copilot for M365? Could there potentially be some negative consequences? If so, why not mitigate that risk by conducting a scan with TMI?


Is This Really a Problem?

Yes, and here is why. SharePoint and Teams are extremely powerful collaboration tools that help enable people to get access to data that their peers are working on. Access to this data is usually controlled through groups at the site level to prevent unauthorized access to data in those sites.

The problem arises when an individual user needs to share a file or folder within a protected site with someone who is not part of the group or does not currently have access to the site. What do they do then? Usually they click the “Share” button within their Office application or directly within SharePoint and Teams, which lets them choose how widely to share the item(s). Without the appropriate safeguards in place, if the user has selected “People in <Organization>”, then even if they type in specific names for the people the link should be sent to, under the hood SharePoint creates a unique group with access to that data, and that group makes the data accessible to the entire organization.

This is not a new problem; in fact, it has probably been around as a feature in SharePoint since before Office 365. However, the likelihood that the data would be found by everyone in the organization was extremely low. They would need to have the link to the data, or they would need to be able to navigate to the file(s)/folder(s), which couldn’t happen in protected sites because they wouldn’t have permissions at the higher site level unless they were in the authorized groups. The only way people would find this data is if they knew what to search for using standard SharePoint search, but the risk was very low.

With the advent of Copilot for Microsoft 365, this all changes. Because Copilot accesses all of the data in the tenant through Microsoft Graph, it can potentially surface data that was previously obscured. Copilot respects permissions, but because the link and group that are created under the hood are available to the entire organization, the risk of people finding this data is significantly increased in the context of Copilot for Microsoft 365.

What data do you have that could potentially be exposed to the entire company through Copilot? TMI can tell you. Is it worth taking a risk of deploying Copilot without knowing your risks first?

Can I Solve This Problem With Built-in SharePoint Tools?

Not today; the tools are somewhat limited in their capabilities. Microsoft does have some reporting capabilities built into Purview and the SharePoint Administration portals, but at this time they can only report on oversharing that has occurred within the previous 30 days. What happens if, 31 days or 8 years ago, someone unintentionally overshared a file that contains all employees’ personal and payroll information, and that data now gets surfaced in a response from Copilot? With the current tools, you wouldn’t know that this file was overshared, so you would not know that you needed to address the issue until someone reported getting sensitive data through Copilot … assuming they reported the finding when it occurred.

How Does TMI Work?

TMI gets installed as an Enterprise Application within your M365 tenant for the duration of the scanning and remediation. During the scan, here is what the application is doing:

  • Inventory all SharePoint and Teams sites across your tenant
  • Scan each site and analyze permissions on every folder, file and list item
  • Record all instances of oversharing for reporting on the dashboard once the scan is complete
  • Present the data in an interactive dashboard report so you can analyze the risk and determine remediation steps
  • Remediate: this can be done manually, or, as an add-on to TMI, we can do the remediation for you

That’s it!
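An added example (not Invero's code and not part of the original page) of the permission check that the sharing behaviour and scan steps described above imply, run over constructed records shaped like Microsoft Graph driveItem permission objects. It assumes an organization-wide sharing link appears with `link.scope` set to `organization`; the sample paths, user names and the `find_overshared` and `remediation_targets` helpers are hypothetical.

```python
import json

# Constructed sample (not from a real tenant): items with permission objects
# shaped like Microsoft Graph driveItem permissions.
SAMPLE_ITEMS = json.loads("""[
 {"path": "/sites/Finance/Docs/Payroll", "permissions": [
   {"id": "p1", "roles": ["write"],
    "grantedToV2": {"siteGroup": {"displayName": "Finance Members"}}},
   {"id": "p2", "roles": ["read"], "link": {"scope": "organization", "type": "view"},
    "grantedToIdentitiesV2": [{"user": {"displayName": "Sample User A"}}]}]},
 {"path": "/sites/Finance/Docs/Payroll/2016.xlsx", "permissions": [
   {"id": "p2", "roles": ["read"], "link": {"scope": "organization", "type": "view"},
    "inheritedFrom": {"path": "/sites/Finance/Docs/Payroll"}}]},
 {"path": "/sites/HR/Docs/offer.docx", "permissions": [
   {"id": "p3", "roles": ["read"], "link": {"scope": "users", "type": "view"},
    "grantedToIdentitiesV2": [{"user": {"displayName": "Sample User B"}}]}]}
]""")


def find_overshared(items, broad_scopes=("organization",)):
    """Return one finding per sharing link whose scope covers the whole tenant."""
    findings = []
    for item in items:
        for perm in item.get("permissions", []):
            link = perm.get("link") or {}  # direct grants carry no link facet
            if link.get("scope") not in broad_scopes:
                continue
            source = (perm.get("inheritedFrom") or {}).get("path")
            named = [i["user"].get("displayName")
                     for i in perm.get("grantedToIdentitiesV2", []) if "user" in i]
            findings.append({
                "path": item["path"],
                "permission_id": perm.get("id"),
                "roles": perm.get("roles", []),
                "fix_at": source or item["path"],  # where the link was created
                "named_users": named,
            })
    return findings


def remediation_targets(findings):
    """Collapse inherited findings so each link is handled once, at its source."""
    return sorted({(f["fix_at"], f["permission_id"]) for f in findings})


if __name__ == "__main__":
    for f in find_overshared(SAMPLE_ITEMS):
        print(f["path"], "->", f["fix_at"], f["roles"], f["named_users"])
    print(remediation_targets(find_overshared(SAMPLE_ITEMS)))
```

The file under the shared folder is reported as exposed, but the link is listed for removal only once, at the folder where it was created; the link scoped to specific people is not flagged.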

If you have any questions or concerns about granting these permissions, please contact our team to discuss it further.

TMI Pricing

TMI is priced on a simple flat-fee model, with an option to buy a scan-only license or to bundle the scan with remediation for a reduced price.

What Data does TMI Collect and Store? And for How Long?

TMI collects only the bare minimum of metadata about objects in SharePoint and Teams needed to report on (and eventually remediate) where oversharing has occurred. We do not collect data on any object that is not overshared; that metadata is ignored and not stored anywhere. Data is retained for a maximum of 30 days after completing the scan, and only for the purpose of generating the dashboard reports. All data and reports are automatically deleted after 30 days, unless special arrangements are made with Invero Support.

Want to Learn More About TMI?

Use the form below to schedule a demo or to learn more about Invero’s Too Much Information software that can help you to ensure your oversharing problem is taken care of.