US: Microsoft Deprioritized Enterprise Cybersecurity, Culture Needs an Overhaul


Digital transformation is no longer just a business strategy — it’s an operating model that nearly the entire global business world is running on. And the realities of today’s digital landscape are changing the calculus around cybersecurity and engineering resources for firms, be they mid-size domestic businesses or sprawling multinationals.

This, as the U.S. Cyber Safety Review Board (CSRB), a group housed inside the Cybersecurity and Infrastructure Security Agency (CISA), late Tuesday (April 2) published a scathing letter lambasting Microsoft for its “inadequate” cybersecurity strategies in the face of several high-profile breaches.

Per the letter, the CSRB report “identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” added Department of Homeland Security (DHS) Under Secretary of Policy and CSRB Chair Robert Silvers in a statement. “It is imperative that cloud service providers prioritize security and build it in by design.”

After all, the impact and frequency of cybersecurity breaches are only increasing as bad actors seek out new vulnerabilities in organizational infrastructures, exploiting weaknesses to gain unauthorized access.

Microsoft did not immediately reply to PYMNTS’ request for comment.


The Online Threat Landscape Continues to Expand and Industrialize

Just this Wednesday (April 3), The New York Times reported that a 38-year-old software engineer who lives in San Francisco and works at Microsoft may have just “saved the internet” after finding a back door hidden in a piece of software that is part of the Linux operating system, a back door that was likely the prelude to a major cyberattack meant to destabilize almost all modern digital infrastructure.

“With his curiosity and craftsmanship, [Andres] was able to help us all. Security is a team sport, and this is the culture we need everywhere,” tweeted Microsoft CEO Satya Nadella on X in response to the news.

The Microsoft breaches — and proactive defenses — serve as critical lessons for businesses operating in the digital age. They not only highlight the sophistication and persistence of cyber adversaries but also the interconnected nature of cybersecurity risks, emphasizing the need for businesses to adopt a proactive and comprehensive approach to cybersecurity, encompassing not just technological solutions but also employee training, incident response planning, and even collaboration with government and industry partners.

“It is essentially an adversarial game; criminals are out to make money, and the financial community needs to curtail that activity. What’s different now is that both sides are armed with some really impressive technology,” Michael Shearer, chief solutions officer at Hawk AI, told PYMNTS. “On the automation side, it’s all about data. It’s all about organizing and connecting your data together, understanding the signals that you have so you can build a richer context and make better decisions. But you’ve got to have that information there, and you’ve got to connect it together. That’s step one.”


How to Improve Security and Build Resilience in the Digital Age

In its report, the CSRB laid out a specific set of recommended actions for businesses looking to avoid the “cascade of errors” by Microsoft that saw the tech giant’s defenses breached.

The board urged cloud service providers to implement modern control mechanisms and baseline practices informed by rigorous threat models to mitigate system-level compromises. They should establish minimum standards for default audit logging to aid in intrusion detection and prevention without additional charges, while also adopting emerging digital identity standards to counter prevalent threat vectors.

In addition, the report encouraged transparency measures among providers, including incident and vulnerability disclosure practices, to facilitate information sharing with customers, stakeholders and government agencies. Furthermore, improved victim notification processes are needed to support information dissemination for investigating and recovering from cybersecurity incidents.

“After-action reports will help you understand what your business continuity plan was and where it failed … If you haven’t stayed up on your hygiene, that will come out in the report. That’s why running red team exercises or simulated events is so important,” Matanda Doss, executive director and lead information security manager for commercial banking at JPMorgan, told PYMNTS in December.

And research by PYMNTS Intelligence has shown that financial institutions use a range of tools to prevent fraud, with institutions across the board saying they rely on a mixture of in-house fraud prevention systems, third-party resources and new technologies to safeguard themselves and their customers.

Last September, when PYMNTS Intelligence put together the 2023 report “The State of Fraud and Financial Crime in the U.S.,” 66% of banking executives said they were using AI and ML to fight fraud, up from 34% in 2022.