“They’re incredibly good at collecting data over time, gathering and gathering more and more momentum and then figuring out how to keep parlaying that into more and more success,” Bell said. “It’s very difficult to defend against.”

The onslaught, according to Bell, prompted executives to say: “Well, let’s step back for a moment.”

The result, announced in November, is the Secure Future Initiative, a companywide security reboot that executives say will better position Microsoft to combat current threats as well as future ones that may be turbocharged by artificial intelligence. The effort is being led by Bret Arsenault, a vice president and chief cybersecurity advisor, who served as Microsoft’s chief information security officer for 14 years. Asked why the company didn’t address the cyber issues sooner, he said the emergence of AI and current hacking trends were among the reasons for a more comprehensive security review.

“There’s certain sort of watershed moments or changes in the environment that make you rethink how you want to go do it,” he said, later adding that company officials are “energized and focused” on executing the initiative’s commitments, “which align to much of what the government is calling for.”

Microsoft says it will use AI and automation to make software safer, as well as rely more on programming languages deemed more secure. The company says it’s beefing up security protocols to make it harder for hackers to use stolen credentials or access tools to pilfer data. And it vows to respond to security vulnerabilities more rapidly, including mitigating cloud-based problems 50% faster.

It’s a daunting task given Microsoft’s size and the complexity of its product portfolio. The company offers Windows, Office, Exchange email and other products via the cloud, but continues to provide them to customers with their own servers. In the latter instance, Microsoft offers “patches” for flaws in so-called legacy systems and relies on customers to install them and maintain security protocols. Customers don’t always follow through, and efforts to end support for outdated programs like Windows XP or Windows 7 created an uproar because many were embedded in ATMs, hospital hardware and other critical systems.

“You have a whole bunch of things out there that have to be cleaned up,” Bell said. “And that’s growing over time.”

Microsoft is accelerating efforts to remove old or unused accounts as well as applications that are no longer supported by software updates or meet new security standards. So far, the company has removed more than 1.7 million identities tied to aged or unused accounts and 730,000 apps that were out of date or not meeting security standards, though it wasn’t clear how many identities and apps overall might fit that description.

Microsoft is also beefing up its use of multifactor authentication, automatically enforcing it for more than 1 million accounts within the company, including those used for development, testing, demos and production, Arsenault said.

The company now requires a video call between managers and employees or vendors who are creating digital IDs and is issuing short-lived credentials to new workers or vendors — steps designed to make it harder for attackers to impersonate someone or steal their ID. Even users with high-level administrator privileges can no longer turn off multifactor authentication when creating new accounts, Arsenault said.

...continued

©2024 Bloomberg L.P. Visit bloomberg.com. Distributed by Tribune Content Agency, LLC.