Simply SharePoint

Microsoft 365 Copilot Can Only See What You Can See. But What If You Can See Too Much?

Liza Tinker

Microsoft 365 Copilot is rolling out across organizations worldwide, promising unprecedented productivity gains. Yet there’s a hidden danger many companies aren’t prepared for. Years of casual SharePoint sharing have created exposure risks that AI is about to amplify in ways you may never have imagined.

In this episode, I unpack the critical difference between SharePoint’s “Share” and “Copy Link” buttons—a simple misunderstanding that’s creating massive security risks as AI enters the workplace. You’ll hear how oversharing has led to data breaches, competitive intelligence leaks, and compliance violations, and what you can do to avoid them.

You’ll learn why most users unknowingly expose sensitive data with every “Copy Link” click, the three ways Copilot amplifies oversharing risks—including “ghost files” and permission inheritance traps—real stories of organizations that discovered hidden exposure through AI-generated reports, a simple three-question test to guide every sharing decision, and a clear step-by-step action plan to prepare for Copilot deployment.

The key takeaway is simple: organizations that clean up their sharing practices now will unlock AI’s full potential safely. Those that don’t will spend their time dealing with data breaches instead of enjoying productivity gains.

Don’t let convenience turn into a security nightmare. This episode could save your organization from an AI-amplified data disaster.

Resources mentioned include the free Copilot Security Quick-Start Guide (for newsletter subscribers), the SharePoint sharing audit checklist, and advanced governance strategies for AI readiness.

This episode is perfect for IT professionals, business leaders, compliance officers, and anyone using Microsoft 365 for collaboration.

SPEAKER_00

Microsoft Copilot can only see what you can see. But what if you can see too much? That question got a lot of reactions on LinkedIn this week, and for good reason. It's keeping IT leaders awake at night and should be on every business leader's radar. I'm Liza Tinker, and today we're diving deep into a problem that most organizations don't even know they have until it's too late.

So here's what happened. I posted that question on LinkedIn. And within hours, my inbox had many messages from IT professionals, a few business leaders, and some consultants all saying the same thing. This is exactly what we're worried about, but we don't know how to fix it. So today, I'm going to break down exactly what this means, why it matters more than ever with AI entering our workplaces, and most importantly, what you can do about it starting today.

The problem, real stories from the field. When I started looking into this, I came across some really eye-opening scenarios. These aren't far-fetched. They're the kinds of situations that crop up in real organizations all the time. And honestly, I think many of you will recognize how easily these could happen in your own workplaces.

Story one, the accidental database exposure. In one reported case, a marketing manager was pulling together a presentation for an external partner meeting. To make life easier, she clicked copy link in SharePoint. Simple enough, right? But that link had the default setting of anyone with a link can view. Within hours, their entire customer database was exposed outside the organization. So the potential financial impact of that? Well, that's significant.

Story two, the ghost files problem. Researchers have highlighted situations where old documents, like merger discussions, pricing strategies and personnel plans, resurface in AI-generated reports. These files were supposed to be archived. They lingered in SharePoint with wide access permissions. Suddenly, sensitive information from years ago was popping up in current decision-making conversations.

Story three, the department crossover. This is a classic example. A finance team member was added to a marketing SharePoint group for a one-off project. Fast forward a few months, and that person was still getting access to campaign data, customer acquisition costs, and competitive insights. All of it was appearing in their financial analysis reports, not because they needed it, but because no one ever removed them from the group.

The unsettling part: in many of these scenarios, organisations only become aware of the oversharing once AI tools started surfacing the forgotten or misplaced data. And here's the real kicker. So often it all starts with the same small oversight. Not fully understanding the difference between using share and using copy link in SharePoint.

The two button problem. Let me ask you something. Right now, pause this episode. Open SharePoint and look at any document. You'll see two options, share and copy link. Before today, did you know there was a meaningful difference between them? If you answered no, you're not alone. In my experience, about 90% of users think these buttons do the same thing. They don't, and that misunderstanding is creating massive security risks.

The share button, your security command center. Think of the share button as your mission control for file access. When you click it, you get a comprehensive dialog box that gives you granular control. You can specify exactly who gets access by entering their email addresses. You can set precise permissions, view only or full edit access. You can block downloads for sensitive information. You can set expiration dates so access automatically gets revoked. And you can send a formal email invitation that creates an audit trail. This is intentional, controlled sharing. It's what you should use when security and precision matter.

The copy link trap, which I call convenience at a cost. Copy link, on the other hand, is all about speed. One click and you have a shareable link. But here's what most people don't realize. It automatically applies your organization's default permission settings. And here's where it gets dangerous. If your organization's default is set to anyone with a link can view, which is surprisingly common, that link can be opened by anyone, anywhere in the world, without any authentication.

Let me give you a real example of how this plays out. I heard about a law firm where an associate was sharing a case summary with a colleague. They clicked copy link and pasted it into a Teams chat. Seemed innocent enough, but that firm's default setting was people in your organisation with the link can view. Suddenly, confidential client information was accessible to every employee in the firm, including the receptionist and the IT staff. The associate had no idea. They thought they were just sharing with their colleague.

The default settings trap. Here's what makes this even more insidious. Most organizations have never consciously chosen their default sharing settings. They're using whatever Microsoft set as the default when they first set up their tenant, which might have been years ago under completely different circumstances. I've seen organizations where the default is anyone with a link because someone checked that box during initial setup, thinking it would make collaboration easier. Now, years later, thousands of files are potentially exposed and nobody remembers making that decision.

Enter Copilot, the amplification effect. Now, you might be thinking, okay, so we have some oversharing issues. We can clean those up. But here's why this has become urgent. Microsoft 365 Copilot. Copilot operates on a simple principle. It can access everything that you can access. If you have permission to view a file, Copilot can use that file in its responses. And unlike humans, who might stumble across overshared files occasionally, Copilot is actively and constantly scanning everything you have access to. So let me break down the three ways Copilot amplifies oversharing risks.

Risk one, data aggregation. Copilot doesn't just look at one file at a time. It connects dots across your entire digital workspace. So when you ask it to help create a quarterly business review, it might pull data from SharePoint, OneDrive, Teams, and your email to create a comprehensive response. Now here's a real scenario. You ask Copilot to help with a client presentation. Unknown to you, you have access to confidential merger discussions through a broadly shared SharePoint folder. Copilot pulls financial projections from those confidential documents and includes them in your routine client presentation. You had no idea you even had access to that merger data, but Copilot found it and used it.

Risk two, memory. It doesn't forget about old files the way humans do. So those outdated contracts, old strategic plans and archived personnel decisions, if they're still accessible, Copilot will find them and potentially use them. I worked with a company where employees were getting outdated pricing information in their proposals because Copilot was pulling from old contracts that should have been archived but were still sitting in SharePoint with broad access permissions.

Risk three, permission inheritance amplification. This is the most subtle but potentially most damaging risk. Over time, most organizations develop what I call permission sprawl. People get added to SharePoint groups for specific projects but never get removed. They inherit access to folders and sites they don't need. Before Copilot, this was mostly harmless. I mean, sure, they technically had access to files they shouldn't, but they probably never looked for them. Now Copilot is actively surfacing that information. I've seen finance team members getting marketing campaign data in their budget analysis, HR professionals getting engineering specifications in their policy reviews and sales teams getting confidential legal advice in their client communications, all because of forgotten group memberships and inherited permissions. These are real examples.

The proactive discovery problem. Here's what makes this different from traditional security issues. Copilot doesn't wait for you to go looking for information. It proactively suggests content based on what you have access to. So you might discover sensitive information you didn't know you had access to, not because you went searching for it, but because Copilot helpfully included it in a response. This is why that LinkedIn post resonated so strongly. People are realizing that their casual approach to sharing over the years has created a ticking time bomb that AI is about to detonate.

The solution, your action plan. Okay, so we've identified the problem. Now let's talk solutions. The good news is that this is entirely fixable, but it requires intentional action.

Step one, the immediate audit, which you can do this week. First, you need to understand your current exposure. So here's what to do. Go to SharePoint and check what sites you have access to. Look for sites you don't recognise or shouldn't need access to. Check your OneDrive for files shared with anyone with the link. And review your SharePoint group memberships. Some of the red flags to look out for are, say, access to HR, legal or executive sites where you're not in those departments, files shared with people in your organisation that contain sensitive data, and old project sites you're still a member of.

Step two, clean up your sharing, and do that this month. Review your last 20 files in SharePoint and OneDrive. Change any "anyone with the link" shares to specific people. Add expiration dates to external sharing links and remove yourself from SharePoint groups you no longer need. And here's a quick tip. In SharePoint, click manage access on any file to see exactly who can access it. In OneDrive, go to shared to see all your sharing activity.

Step three, implement the three question test, which is something that you can do ongoing. Before you share any file, ask yourself three questions. One, who exactly needs this? Use specific people, not broad groups. Two, what should they do with it? View, comment or edit. Choose the minimum needed. Three, how long do they need access? Set an expiration date, especially for external users. If you can't answer all three questions clearly, use the share button instead of copy link.

Step four, fix your defaults. And for that, you're going to have to work with IT. This is crucial. Work with a team to review and update your organization's default sharing settings. Change the default from anyone or people in your organization to specific people. Enable automatic expiration dates for external sharing and turn on sharing notifications so you know when files are shared.

Step five, prepare for Copilot. If your organization is planning to deploy Copilot, consider enabling restricted SharePoint search mode. This lets you control exactly which SharePoint sites Copilot can access, essentially creating a safe list of approved content. You can also implement data classification. So you can apply confidential labels to sensitive documents. You can use internal labels for company only content and enable automatic labelling for financial and HR files.

Your next steps. Here's the reality. The organizations that clean up their sharing practices now will unlock Copilot's full potential safely. Those that don't will spend their time dealing with data breaches instead of productivity gains. This isn't just about compliance or security. It's about competitive advantage. AI powered productivity is coming whether you're ready or not. The question is whether you'll be able to use it safely and effectively.

I've created a guide that goes deeper into these strategies. It's called the Copilot Security Quick Start Guide, and it includes a step-by-step checklist you can use to audit and secure your SharePoint environment before AI amplifies your oversharing risks. The guide covers the top three Copilot risks in detail, gives you a complete action plan, and includes advanced protection strategies like PowerShell commands for restricted SharePoint search mode. You can get it free by subscribing to my newsletter at simplysharepoint.com. If you are a subscriber already, it'll be coming out in this week's newsletter.

UNKNOWN

Okay.

SPEAKER_00

You can get it free by subscribing to my newsletter at simplysharepoint.com. Or if you're already a subscriber, it will come out in this week's newsletter. It's exclusively for subscribers because this information is too important to leave buried in a blog post somewhere. So remember, Microsoft 365 Copilot can only see what you can see. The question is, are you comfortable with everything you can see? Don't let convenience become a security nightmare. Get the guide, implement the strategies and prepare your organisation for the age of AI. Thanks for listening and I'll see you in the next episode.
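Steps four and five of the action plan in the episode (fixing the tenant-wide sharing defaults, then enabling restricted SharePoint search mode) can be carried out from the SharePoint Online Management Shell. The script below is an added example from the editor of this page; it is not code from the episode, from the Copilot Security Quick Start Guide, or from Simply SharePoint. It assumes a SharePoint administrator account with the Microsoft.Online.SharePoint.PowerShell module installed; `<tenant>` and the two site URLs are placeholders to replace with your own, and the 30-day expiry is an illustrative value chosen here, not a figure from the episode.

```powershell
# Added example, not from the episode or Simply SharePoint.
# Requires the SharePoint Online Management Shell module and a SharePoint admin role.
# <tenant> and the site URLs below are placeholders: replace them with your own.

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# --- 1. Record the current tenant defaults before changing anything -----------
# These are the "default settings trap" values: whatever was chosen at tenant
# setup, possibly years ago. Keep this output so the change can be explained later.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    ExternalUserExpirationRequired, ExternalUserExpireInDays,
    NotifyOwnersWhenItemsReshared

# --- 2. Find sites that still permit "Anyone with the link" ------------------
# A site's own setting can be looser than the tenant default, so list every
# site whose SharingCapability allows anonymous links (part of the week-one audit).
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner

# --- 3. Fix the defaults (episode step four) ---------------------------------
# Direct                  = "Specific people" becomes the link type Copy Link produces.
# View                    = new links grant view, not edit, unless the sharer changes it.
# ExternalUserSharingOnly = external users must sign in; no anonymous "Anyone" links.
# RequireAnonymousLinksExpireInDays is kept as belt and braces in case anonymous
# sharing is ever re-enabled; 30 days is an illustrative value.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -SharingCapability ExternalUserSharingOnly `
              -RequireAnonymousLinksExpireInDays 30 `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30 `
              -NotifyOwnersWhenItemsReshared $true

# --- 4. Restricted SharePoint Search (episode step five) ---------------------
# With the mode enabled, organisation-wide search and Copilot only return content
# from sites on the allowed list; content a user has already accessed or that was
# shared with them directly remains findable.
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Constructed list of sites that have already been reviewed for oversharing.
# The allowed list accepts up to 100 site URLs.
$reviewedSites = @(
    "https://<tenant>.sharepoint.com/sites/Marketing",
    "https://<tenant>.sharepoint.com/sites/ProjectHub"
)
Add-SPOTenantRestrictedSearchAllowedList -SitesList $reviewedSites

# --- 5. Verify the end state --------------------------------------------------
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Run the two Get- sections first and keep their output: Set-SPOTenant changes apply to the whole tenant immediately, and the recorded "before" values are what you will need if a site owner later asks why a Copy Link now produces a "Specific people" link instead of an "Anyone" one. Restricted SharePoint search is the safe list the episode describes, so only add a site to the allowed list after its permissions and group memberships have been through the audit in step one.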