Large Vendors Are Not Held Accountable Enough For Security Breaches: Opinion

Microsoft, recently, was little more than puppy smacked by a U.S. cybersecurity agency for a major breach

Samara Lynn
2 min read

While hard statistics are difficult to verify, suffice it to say that just as America's workers run on a certain brand of coffee and donuts, most of the corporate knowledge-worker world runs on some Microsoft technology. One statistic says Microsoft 365 is used by over 1 million companies worldwide. Another states that Windows runs on 1.6 billion active devices as of 2022.

Whatever the actual numbers are, you can't argue that Microsoft products have been entrenched in business networks for over three decades. That is why, when there is a security issue with any of the company's products, it becomes big news and attracts the attention of regulators and reporters.

Kyle Alspach, a senior editor from our sister site CRN.com, wrote about the findings of the U.S. Cyber Safety Review Board (CSRB) after a Microsoft cloud email breach impacted several federal agencies. In its report, the CSRB said the breach "was preventable and should never have occurred" and that "The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft's CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency."

The CSRB didn't impose any punishment—its words were more like a public puppy smack (and please don't smack your pets, it's just a colloquial phrase).

Alspach also reported that the CSRB compared Microsoft's security with that of other major cloud providers. It concluded that other cloud providers—namely, Google and AWS—"maintained security controls that Microsoft did not."

That's kind of a shot from the CSRB, but hardly one resulting in any pecuniary or other repercussions for Microsoft.

Microsoft did respond to the findings, however, telling CRN that it has "mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks."

Put Microsoft aside. We see the same situation play out with other huge enterprises. AT&T just suffered a breach that potentially exposed 73 million AT&T customers' personal information. In 2021, the data of over 7 million customers was stolen from T-Mobile. Alspach also has a great roundup of the biggest security breaches that happened in 2023, and you can read them here.

If vendors are selling IT decision-makers their wares based on how secure their products are, and then suffer security breaches, how can IT leaders feel confident about purchasing those products?

Is there enough accountability from the government? It seems not. Imagine if you had your life savings in a bank and the bank was somewhat lackadaisical about locking the door to the vault your money was stashed in. Congress would likely be on that bank like a hammer.

Is there enough oversight from our government when these breaches happen? Should there be more penalties? I would love to know your thoughts: Share them on the MES IT Leadership Network or email me at [email protected]
