Even a $1.7 trillion market capitalisation doesn’t buy immunity from hacking. Tens of thousands of organisations’ email systems have been compromised by flaws in Microsoft’s software, the company and U.S. government officials revealed last week. It’s the second massive global cybersecurity problem in just a few months.
Small- and medium-sized businesses, local governments, police departments and airports are among those whose email may have been breached. The hackers are linked to the Chinese government, according to Microsoft. Software fixes take time to roll out, and the ultimate count of victims could be far higher.
Big companies largely escaped because they more often use fully cloud-based email services. It’s Outlook accounts hosted on local servers that were affected. Cloud services should always be protected by the latest cybersecurity tools. That’s a recommendation for the cloud, potentially turning a technological embarrassment into a business benefit for Microsoft.
So-called “on-premises” setups are a weak link. A serious hack attributed to a Russian group and revealed in December, involving networking software provided by Texas-based SolarWinds, started in private systems, according to Senate testimony last month from Brad Smith, a senior Microsoft executive. The attack was detected only when hackers moved to the cloud.
Smaller, less wealthy organisations don’t necessarily have the latest hardware, software, cybersecurity tools and people in place. Baseline “cyber hygiene” is lacking even in sensitive federal agencies, Smith said. Investing in better, more up-to-date technology and processes could reduce the risk. So too could moving vulnerable services to the cloud, though even that is not infallible.
Another requirement, as Smith noted, is to share information rapidly as soon as an attack is identified. This remains an imperfect process, especially between America’s public and private sectors. Washington could do more both to incentivise and to enforce collaboration. Speaking of D.C., an effective response to cyberattacks backed by foreign governments – whether via sanctions or other means – remains elusive.
Part of the burden should also fall on software providers. SolarWinds’ $5 billion valuation remains more than 30% below where it stood before its software’s vulnerabilities were revealed. Microsoft won’t take that kind of hit. But lawmakers may not give boss Satya Nadella a pass. And if customers and investors vote with their wallets, it’s a message that’s hard to ignore.