In March 2021, Microsoft announced that its software, specifically the software that runs some Microsoft Exchange email servers, had been hacked by a criminal group sponsored by the Chinese government. Everyone using the software, the company said, was vulnerable until it was patched.
All over the world, organizations of all sizes, including small businesses, scrambled to apply the patches, and many found out they had already been hacked. Despite their efforts, some were still caught out: at least 200 ransomware attacks were attributed to the hack, and some businesses lost millions paying the criminals.
The hack highlighted the vulnerability of 32 million small businesses, many of which cannot afford to hire cybersecurity firms and typically rely on the security features built into the software and hardware sold by giants like Google, Microsoft and Apple. Although those companies have made progress and the problem is not new, vulnerabilities persist, especially in email and other software, including operating systems, that were designed before cybercrime and cyberespionage reached today's scale.
“(Society) is asking small businesses to fight the state, organized criminal groups and 16-year-olds in their basements,” said Rotem Iram, co-founder of cyber insurer At-Bay. “Paid technology stacks continue to fail, and stacks are irresponsible.”
Iram, a former Israeli intelligence officer, said the big software companies need to build better protections that stop attackers before they reach small and medium-sized businesses.
“Yes, standards are important,” said Brian Krebs, who runs the cybersecurity website KrebsOnSecurity. “Defaults are important because few users change their default settings, beyond their passwords.”
Every time a large software company has changed its default settings or made a blanket change with cyber security in mind, he points out, cyber crime has fallen dramatically.
“When browser makers started adding warnings to websites that didn’t use SSL certificates, we saw mass adoption of HTTPS:// on most websites in a short period of time,” Krebs said.
Microsoft has particular leverage in markets where it holds a very large share, including corporate email. Email, though an old technology, is still the starting point of many ransomware and phishing attacks, which begin with someone clicking a link or downloading software. Microsoft dominates the enterprise email and word-processing market with more than 86% share, according to technology research firm Gartner; Google has almost 13%.
In the past, Microsoft has made changes such as enabling automatic updates for the operating system, shipping a built-in antivirus product and enabling the firewall by default. “But it took years for Microsoft to see the business case for doing this, and the security case for users,” Krebs said.
Email’s ‘old age’ is a problem
Many of the problems with today’s technology stack stem from the fact that parts of it were developed before cybercriminals became a problem. “Email is an ossified product,” said Mallory Knodel, chief technology officer of the Center for Democracy & Technology, a nonpartisan group that promotes digital rights. Some of its donors are large technology companies.
Instead of building standard security features into basic software, the large companies that dominate the space have generally left the market to add-on security layers, which has driven huge growth in new categories of companies such as CrowdStrike and Mandiant, the latter recently acquired by Alphabet.
But Knodel said adding more controls or filters to email, in particular, could raise digital privacy concerns. “I can see people saying, ‘I don’t want Google to read my email.'”
In complex products, she added, new security measures can be counterproductive. “With layers of security, there can be tradeoffs and some can be used at cross purposes.”
“Microsoft takes email security very seriously,” Girish Chander, head of Microsoft Defender for Office 365, said in a statement to CNBC. He said the company’s strategy against email attacks is built on three principles: research-driven product innovation, disrupting attackers by taking down attack networks, and helping organizations improve user posture and resilience.
Every month, Microsoft Defender for Office 365 detects and blocks nearly 40 million emails containing business email compromise (BEC) attempts, blocks 100 million emails with malicious credential-phishing links, and detects and thwarts thousands of user-compromise activities, the company said.
The company’s data shows the scale of attacks carried out every day, worldwide, as well as how the giant tech companies are also cybersecurity vendors. Google’s acquisition of Mandiant was valued at $5.4 billion. Microsoft is both a supplier of software and a seller of services to protect it, through Microsoft Defender for Office 365.
Attacks and cyber insurance premiums are on the rise
Iram, who founded At-Bay in 2016, said he is willing to take the heat for criticizing Microsoft, including calls he said he received from Microsoft in response to his public criticism of the company. (Through its venture arm, Microsoft is also an investor in At-Bay.)
He points to the 18 years it took Microsoft to change default settings in Excel, a program that, like email, went largely unchanged for years, to ward off attackers. Breaches involving Microsoft products generate claims against At-Bay, which has 25,000 policies in force, more often than breaches involving Google products, which include some protections against scammers that Microsoft’s do not, Iram said, including a prominent red warning when you open or send email to people outside your organization.
But cybersecurity experts say changing the default to a more secure setting could irritate customers and cause a backlash.
In response to questions from CNBC about Excel macros, Microsoft pointed to a blog post from February this year about changing the default security settings. It temporarily rolled back the changes in response to user complaints.
At-Bay is one of the cyber insurers seeing pressure on its business grow as attacks multiply. In the worst case, insurers warn, cyber risk could become “uninsurable,” a concern they rank alongside climate change and pandemics.
At-Bay has gross written premiums of $350 million on an annualized basis, has raised $292 million and is valued at $1.35 billion, according to the company. Like others in the industry, At-Bay more than doubled its premiums last year as data breaches and ransomware attacks increased. One of its selling points, shared with some other cyber insurers such as Embroker and Coalition, is that the policy comes with active risk monitoring.
In the past three to five years, several cybersecurity companies focused on the small business market, including Huntress and SolCyber, have launched, but they typically serve businesses with at least 10 employees. Most of the small business universe is smaller than that: about 23 million of the 32 million small businesses have only one employee, the owner, although many also use regular contractors and thus have security concerns of their own.
An FBI cybersecurity expert recently told CNBC that the majority of the victims behind the billions of dollars in losses from cyberattacks the FBI tracked in 2021 were small businesses.
“Small businesses that encounter an attack like this don’t have the means (monetary or technological) to retaliate or absorb the costs,” said Jonas Edgeworth, Embroker’s CTO, by email.
How car safety can inform online safety regulations
Concerns extend beyond small businesses. In a highly networked society, a vulnerability in one company, even the smallest, can jump to another. In the case of the massive Microsoft Exchange breach, an NPR investigation concluded that Chinese hackers targeted US companies as part of an effort to collect data on American consumers, for unknown purposes.
As attacks become more common on small and medium-sized businesses that do not have the resources to protect or recover from attacks, government regulators may need to step in, Iram said.
He compared the current situation to the long, steady road that has gradually made cars safer, as insurers, manufacturers and the federal government changed the norms for the safety features built into vehicles.
“Imagine buying a car that’s unsafe, and the manufacturer says you have to download it and patch it yourself,” he said. “Now imagine there are 50 parts. And now you have to hire a full-time mechanic to maintain it. … That’s what we ask of small businesses.”
It’s an analogy that CISA director Jen Easterly also used recently in an interview with CNBC’s “Tech Check.”
“We get caught up in calling it cybersecurity, but it’s really a matter of cyber security, consumer safety,” Easterly said. “Technology companies that have spent decades making fundamentally insecure products and software should start making products that are secure by design and secure by default with built-in safety features,” she said. “You can think about it like automotive … It is what we need as consumers to demand from our technology … , thousands of flaws and defects, and normalize the fact that it puts the burden of cybersecurity on consumers, who are least able to understand the threat.”
Iram highlights three areas where the technology to improve security exists but is not the default.
- Require business software to enforce multi-factor authentication at login. The federal government has already moved to mandate it for financial firms and critical infrastructure companies.
- Change the default settings of email software. For example, automatically scan for wire-transfer requests, and automatically check the reputation or history of the sender.
- Force vendors to fix problems faster, with the 18 years it took to address Microsoft Excel’s macro problem as the cited example.
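For a practitioner reading the three points above, here is what turning those non-default controls on looks like in a Microsoft 365 tenant. This is an added example, not code from the article, from At-Bay or from Microsoft. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the account running it holds the relevant admin roles, and that Excel is a 16.0-generation Office build (the policy key path below is the one the Office Group Policy template writes).

```powershell
# Added example: enforcing the three "exists but is not default" controls
# discussed in the article on a Microsoft 365 tenant. Assumes the
# ExchangeOnlineManagement and Microsoft.Graph modules are installed and
# that the signed-in account has the admin roles these cmdlets require.

# 1. Multi-factor authentication at login.
#    Entra ID "security defaults" require every user to register for MFA and
#    block legacy (password-only) authentication protocols.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
# Verify: the IsEnabled property should now read True.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled

# 2. Email defaults: tag every message that originates outside the tenant so
#    Outlook shows a visible "External" marker before a user acts on a
#    wire-transfer or credential request that pretends to be internal.
Connect-ExchangeOnline
Set-ExternalInOutlook -Enabled $true
# Verify: Enabled should be True for the tenant-wide policy.
Get-ExternalInOutlook | Select-Object Identity, Enabled

# 3. Office defaults: block macros in Excel files that carry the Mark of the
#    Web (downloaded or received as an attachment). Writing the policy value
#    makes the behaviour explicit regardless of what the shipped default is.
#    HKCU applies to the current user on this machine only; Group Policy or
#    Intune is how the same value is pushed to a whole fleet.
$key = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet" `
    -Value 1 -Type DWord
# Verify: the value should read 1.
Get-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet"
```

One caveat on step 1: security defaults cannot be enabled in a tenant that already uses Conditional Access policies; in that case the MFA requirement is expressed as a Conditional Access policy instead. Each step ends with a read-back so the change can be checked rather than assumed, which is the habit the article's "secure by default" argument is really asking vendors to make unnecessary.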
But even among Iram’s own backers there is wariness about criticizing the tech giant. Shlomo Kramer, founder of Check Point Software and a seed investor in At-Bay as well as many other cybersecurity companies, is wary of investees attacking Microsoft. “You have to buy from a company you trust,” he said. “A lot of international companies have to be trusted,” Kramer said.
The US government has so far taken a cautious approach: a spokesperson for the Cybersecurity and Infrastructure Security Agency said it does not regulate small business software, instead pointing to a blog post with guidance aimed at businesses large enough to have security program managers and IT leaders.
The National Institute of Standards and Technology has released a complex framework of what businesses should do, voluntarily, to protect themselves from cybercriminals. It calls for encryption and login controls, which can be a challenge for small businesses in high-turnover industries such as retail, or with only a few employees, many of whom work remotely on their own computers.
“As a company, we continue to focus more on adapting to regulation than fighting it and finding ways to proactively meet higher expectations,” a Microsoft spokesperson said via email.