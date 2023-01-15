



Back in January 2021, Microsoft announced that its software, specifically the software running some Microsoft Exchange servers, had been hacked by a Chinese government-backed criminal group. Additionally, according to the company, everyone using the software was vulnerable until it was patched.

Around the world, organizations of all sizes, including small businesses, rushed to apply patches and check whether they had been compromised. Despite these efforts, some were still caught. At least 200 ransomware attacks have been attributed to the hacks, and some companies have lost millions of dollars paying the criminals.

The hacks helped highlight the vulnerability of the country's 32 million small businesses. Many of them cannot afford to hire a cybersecurity company and rely on the built-in security capabilities of software and hardware vendors, including giants such as Google, Microsoft and Apple. Those companies have made progress, and the problem is not new, but vulnerabilities still exist in other software, especially email programs and operating systems that were designed long before the current surge in cybercrime and cyberespionage.

“[Society] is asking small businesses to take on the state, organized criminal gangs, and 16-year-olds in their basements,” said Rotem Iram, one of the founders of the startup cyber insurance company At-Bay. “The tech stack they paid for keeps failing and the stack takes no responsibility.”

Iram, a former Israeli intelligence officer, says big software companies need to improve their out-of-the-box programs to fend off attackers before they reach small businesses.

“Yes, defaults matter,” says Brian Krebs, who runs the cybersecurity website KrebsOnSecurity. “Defaults are important because few users will likely change default settings other than passwords.”

He points out that every time big software companies have changed their default settings or made sweeping changes with cybersecurity in mind, cybercrime has dropped significantly.

“When browser makers started adding warnings to websites that didn’t use SSL certificates, most websites quickly saw massive adoption of HTTPS://,” Krebs says.

Microsoft has special power in a few markets where it holds huge market shares, such as enterprise email. Email is an old technology, but it is still used in many ransomware and phishing attacks, which start with someone clicking a link or downloading software. According to technology research firm Gartner, Microsoft dominates the enterprise email/word processing market with more than 86% of the market share. Google is near 13%.

In the past, Microsoft has made changes such as enabling automatic operating system updates, shipping built-in antivirus products, and enabling the firewall by default. “But it took Microsoft years to understand the business case for doing this and the security case for users,” said Krebs.

Email’s “retirement” is a problem

Many of the problems with today’s technology stack stem from the fact that parts of it were developed long before cybercriminals posed such a problem, said Mallory Knodel, chief technology officer of the Center for Democracy & Technology, a nonpartisan group promoting digital rights, some of whose donors are big technology companies.

Instead of building default security features into their basic software, the big companies that dominate the space have generally left it to the cybersecurity market to harden their security. As a result, a new category of companies such as CrowdStrike and Mandiant, the latter recently acquired by Alphabet, has grown significantly.

But Knodel says adding controls and filters, especially to email, can raise concerns about digital privacy. “Some people say, ‘I don’t want Google to read my emails.’”

With complex products, new security measures can backfire, she added. “There are trade-offs in security layers, and some work beyond purpose,” she says.

Girish Chander, Head of Microsoft Defender for Office, said in a statement to CNBC that the company’s strategy for countering email attacks is based on three principles: research-based product innovation, combating attackers by disrupting attack networks, and helping organizations improve their posture and user resilience.

Each month, Microsoft Defender for Office 365 detects and blocks nearly 40 million Business Email Compromise (BEC) emails, blocks 100 million emails containing malicious credential phishing links, and detects and stops thousands of user compromise activities.

The company’s data highlights how many attacks are carried out every day around the world, and how big tech companies have become players in cybersecurity. Google’s acquisition of Mandiant was valued at $5.4 billion. Through Microsoft Defender for Office, Microsoft is both a software supplier and a seller of services that protect the software.

Attacks and cyber insurance premiums are rising

Iram, who co-founded At-Bay in 2016, has said he doesn’t mind the pushback his criticism of Microsoft draws, including a phone call he received from Microsoft in response to his public criticism of the company. (Through its venture arm, Microsoft also has an investment in At-Bay.)

He pointed out that it took Microsoft 18 years to change the default settings in Microsoft Excel. Email is another program that has changed little over the years to repel attackers. Hacks of Microsoft software lead to claims against At-Bay, which writes 25,000 policies, more often than hacks of Google software do, and Google includes protections against fraudsters outside the network that Microsoft doesn’t, Iram said.

But cybersecurity experts say changing the defaults to more secure settings can frustrate customers and backfire.

In response to a question from CNBC about Excel macros, Microsoft pointed to a blog post from February this year about making the security changes the default setting. The company temporarily rolled back the changes in response to user complaints.

At-Bay is one cyber insurer whose business is under increasing pressure as the number of attacks increases. In the worst case, insurers warn, cyber risk could become “uninsurable,” in the same vein as climate change and pandemics.

According to the company, At-Bay has annualized gross written premiums of $350 million, has raised $292 million and has a valuation of $1.35 billion. Like others in the industry, At-Bay more than doubled its premiums last year as the number of data breaches and ransomware attacks increased. Like a few other cyber insurers such as Embroker and Coalition, the company counts the active risk monitoring bundled with its policies among its selling points.

Over the past three to five years, several cybersecurity companies focused on the small business market, such as Huntress and SolCyber, have launched, but they typically reach companies with 10 or more employees. The vast universe of small businesses is smaller than that: of the 32 million small businesses in the country, about 23 million have only one owner, many of whom employ contractors, a security concern in itself.

An FBI expert on cybersecurity recently told CNBC that small businesses accounted for the majority of the billions of dollars lost in FBI-tracked cyberattacks in 2021.

Jonas Edgeworth, CTO of Embroker, said in an email.

How Car Safety Affects Online Security Regulations

The concerns are not limited to small businesses. In a highly networked society, vulnerabilities in one company, even the smallest, can spread to other companies. In the case of the massive Microsoft Exchange breach, NPR’s investigation concluded that Chinese hackers were targeting US companies for unknown purposes as part of an effort to collect data on US consumers.

Iram said government regulators may have to intervene as attacks on small businesses, which do not have the resources to defend against or recover from attacks, become more common.

He likened the current situation to the long and steady road to making cars progressively safer, as insurers, manufacturers and the federal government changed the standards for the safety features included in vehicles.

“Imagine if you bought a car that was not safe and the manufacturer said you had to download and patch it yourself,” he said. “Imagine you have 50 parts, and now you need to hire a full-time mechanic to maintain it... that’s what you want in a small business.”

Here’s an example that CISA director Jen Easterly used in a recent interview with CNBC’s “Tech Check.”

“We tend to get hung up on calling this cybersecurity, but it’s really about cyber safety, consumer safety,” Easterly said. “Technology companies that have been creating fundamentally insecure products and software for decades now need to start creating products that are safe by design and safe by default with built-in safety features. You can think of it in the same way: that is what consumers want from our technology. We have somehow normalized the fact that technology software and products come with dozens, hundreds, even thousands of flaws, placing the burden of cybersecurity on consumers who least understand the threat.”

Iram highlighted three areas where technology exists to improve security, but it’s not the default.

1. Require multi-factor authentication at sign-in for business software. The federal government is now moving to regulate sign-ins for financial firms and critical infrastructure companies.

2. Update the default settings of email software, for example to automatically scan for wire transfer attacks and to automatically check the reputation or history of outgoing emails.

3. Force vendors to fix issues faster. As an example, he said, the problem with Microsoft Excel persisted for 18 years.

But even among his own backers, Iram’s criticism of tech giants is viewed warily. Shlomo Kramer, founder of Check Point Software and a seed investor in At-Bay and a number of other cybersecurity companies, is cautious about his investment taking on Microsoft. “You should buy from a company you can trust,” he said. “A lot of international companies to trust,” Kramer said.

The U.S. government has taken a cautious approach so far. A spokeswoman for the U.S. Cybersecurity and Infrastructure Security Agency said it doesn’t regulate software for small businesses; instead, she pointed to a blog post containing guidance aimed at helping companies large enough to have IT leaders, security program managers and security personnel.

The National Institute of Standards and Technology has published a complex framework of what businesses should voluntarily do to protect themselves from cybercriminals. It calls for encryption and login controls, but this can be difficult for small businesses in high-turnover industries such as retail, or for businesses with just a small number of employees, many of whom work remotely on their own computers.

A Microsoft spokesperson said in an email: “As a company, we continue to look for ways to proactively meet rising expectations, with a focus on adapting to regulation rather than competing with it.”

