Large Vendors Are Not Held Accountable Enough For Security Breaches: Opinion

Microsoft, recently, was little more than puppy smacked by a U.S. cybersecurity agency for a major breach

Samara Lynn • 2 min read

While hard statistics are difficult to verify, suffice it to say that just like America's workers are powered on a certain brand of coffee and donuts, most of the corporate knowledge worker world is powered by some Microsoft technology. One statistic says Microsoft 365 is used by over 1 million companies worldwide. Another states Windows runs on 1.6 billion active devices as of 2022.

Whatever the actual numbers are, you can't dispute that Microsoft products have remained entrenched in business networks for over three decades. That is why, when there is a security issue with any of the company's products, it becomes big news and attracts the attention of regulators and reporters.

Kyle Alspach, a senior editor from our sister site CRN.com, wrote about the findings of the U.S. Cyber Safety Review Board (CSRB) after a Microsoft cloud email breach impacted several federal agencies. In its report, the CSRB said the breach "was preventable and should never have occurred" and that "The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft's CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency."

The CSRB didn't impose any punishment—its words were more like a public puppy smack (and please don't smack your pets, it's just a colloquial phrase).

Alspach also reported that the CSRB compared Microsoft's security with that of other major cloud providers. It concluded that other cloud providers—namely, Google and AWS—"maintained security controls that Microsoft did not."

That's something of a shot from the CSRB, but hardly one that results in any pecuniary or other repercussions for Microsoft.

Microsoft did respond to the findings, however, telling CRN that it has "mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks."

Put Microsoft aside. We see the same situation played out with other huge enterprises. AT&T just suffered a breach that potentially exposed 73 million AT&T customers' personal information. In 2021, the data of over 7 million customers was stolen from T-Mobile. Alspach also has a great roundup of the biggest security breaches that happened in 2023, and you can read them here.

If vendors are selling IT decision-makers their wares based on how secure their products are, and then suffer security breaches, how can IT leaders feel confident about purchasing those products?

Is there enough accountability from the government? It seems not. Imagine if you had your life savings in a bank and the bank was somewhat lackadaisical about locking the door to the vault your money was stashed in. Congress would likely be on that bank like a hammer.

Is there enough oversight from our government when these breaches happen? Should there be more penalties? I would love to know your thoughts: Share them on the MES IT Leadership Network or email me at [email protected]
