Microsoft admits to failing big time in cybersecurity, says it is working to make drastic changes

Microsoft has had a challenging year when we look at cybersecurity and the nature of beaches it had to suffer. The tech giant has been grappling with a series of significant security breaches involving some of its most important and widely used products.

Now the company has admitted to falling short in its cybersecurity efforts, as evidenced by several high-profile incidents. Among these breaches, Russian state-sponsored hackers managed to steal sensitive US government emails by compromising Microsoft’s corporate email accounts.

In another alarming event, a Chinese state-sponsored group breached Microsoft Exchange Online mailboxes, including those belonging to key figures such as Commerce Secretary Gina Raimondo, US Ambassador to China R. Nicholas Burns, and Congressman Don Bacon.

More from Tech

How ChatGPT is becoming everyone’s BFF and why that’s dangerous America ready for self-driving cars, but it has a legal problem

In response to these security lapses, Microsoft has declared that security is now its top priority. To back up this claim, the company has released an update on its Secure Future Initiative (SFI), a programme launched in November 2023 aimed at significantly enhancing Microsoft’s cybersecurity defences.

The SFI progress report outlines the steps Microsoft is taking to “prioritise security above all else.” These include substantial updates to governance, new programmes for upskilling employees, and rigorous security reviews. The company is focusing on addressing its core pillars of cybersecurity, reflecting a commitment to fundamental changes in its approach to protecting user data and systems.

Over the past year, Microsoft has bolstered its governance framework by establishing a Cybersecurity Governance Council. This council, composed of Deputy Chief Information Security Officers (CISOs), regularly reviews all cybersecurity matters, including risk management, compliance, and defence strategies.

Impact Shorts

More Shorts

America ready for self-driving cars, but it has a legal problem

Alibaba, Baidu begin using own AI chips as China shifts away from US tech amid Nvidia row

To ensure accountability, Microsoft has also tied executive compensation to security performance, creating a strong incentive for leaders to focus on preventing errors and improving security outcomes. Additionally, the company has introduced a Security Skilling Academy, designed to equip employees with the latest cybersecurity skills and knowledge.

In terms of specific cybersecurity measures, Microsoft has concentrated on six key pillars. These include enhancing identity and secret protection by improving token management and phishing resistance within its access management solution, Microsoft Entra ID. The company has also streamlined app lifecycle management and reduced the attack surface by removing inactive tenants, thereby improving tenant and production protection.

Network security has been strengthened by isolating certain virtual networks with backend connectivity, reducing the potential for lateral movement by attackers.

Furthermore, Microsoft has implemented stricter Admin Rules for Azure Storage, SQL, Cosmos DB, and Key Vault to assist customers in securing their data. The Secure Future Initiative has also seen 85 per cent of Microsoft’s production build pipelines for commercial cloud services come under centralized governance.

Personal Access Tokens have been limited to a seven-day lifespan, and the software development cycle has been enhanced with additional security checks. The number of elevated roles with access to engineering systems has been reduced, further safeguarding critical infrastructure.

To improve threat detection and monitoring, Microsoft has introduced standardized security audit logs and centralized log management, now covering 99 per cent of network devices. The company has also committed to enhancing transparency and reducing the time needed to address common vulnerabilities and exposures (CVEs) across its cloud infrastructure. This includes updating processes and establishing the Customer Security Management Office to better communicate with customers during security incidents.

Despite these efforts, Microsoft acknowledges that the work is far from complete. Charlie Bell, Executive Vice President of Microsoft Security, emphasized that cyber threats are continually evolving, and Microsoft must evolve in tandem. The company is fostering a culture of continuous learning and improvement, aiming to make security not just a feature, but the foundation of its operations going forward.