Microsoft has announced a new tactic to ensure it gets buy-in from business leaders on transforming its security culture after several high-profile security blunders exposed a cavalier approach to its cyber posture.
Executive bonuses will now be tied to their departments’ security performance and reviewed by an independent cyber board before they are paid out each year, according to Brad Smith, vice chair and president of Microsoft.
Smith revealed the planned adjustment to the company’s executive pay structure via written testimony ahead of his hearing in front of the US house committee last week.
The hearing saw the Microsoft president testify on a series of ‘cyber security shortfalls’ highlighted in a report into the company’s “lax corporate culture” in light of the 2023 Summer Exchange Intrusion.
The attack saw a state-backed Chinese threat collective known as Storm-0558 access the mailboxes of 22 organizations and 500 individuals, some of whom were senior US government officials including Secretary of State for Commerce Gina Raimondo.
The Department of Homeland Security issued a report based on an independent review of Microsoft’s conduct during the incident by the Cyber Safety Review Board, which found the company’s security strategy was lacking. The review noted it was still unable to provide details on exactly how the breach occurred almost a year later.
This has led to the promise of significant culture changes geared towards security, one of which is the decision to tie executive bonuses to their security performance.
According to Smith’s submission, one-third of the ‘individual performance’ portion of their bonuses in the new financial year will be tied to a review of their cyber security work by the board’s compensation committee, which will take into account the opinion of an unidentified independent third-party.
String of security failures force Microsoft to show it is making changes
The 2023 Summer Exchange Intrusion is not the only incident attracting all the wrong attention for Microsoft in recent years.
The report from the Cyber Safety Review Board also noted Microsoft suffered another attack in January 2024 that gave a nation-state affiliated threat group, Midnight Blizzard, access to corporate accounts in a password spraying attack.
The recent announcement and subsequent delay of its Recall feature, that uses AI to continually screenshot the device so users can search back through their activities after security concerns, is just another example of the company missing the mark when it comes to cyber security, some industry experts have claimed.
Microsoft was forced to roll back the capability and reassure users it would no longer be part of the official launch of its anticipated Copilot+ PC range, saying it would conduct further testing on the product before rolling it out.
RELATED WHITEPAPER
Going back slightly further, a former Microsoft security architect has blown the whistle saying the firm chose to ignore early warnings about the flaw attackers exploited to deploy the SolarWinds attack that disrupted thousands of organizations in 2020.
The strongest accusations were made against a number of product leaders at the company, who the whistleblower accused of prioritizing minimizing business fallout over cyber resilience when they were made aware of a critical security vulnerability.
The tech giant will hope by hitting executives where it hurts if they fail to pull their weight in the company-wide push, will tighten some of the loose ends that have been hurting its security posture over the last few years.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFANews Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
