Microsoft Reportedly Ties Security Success To Workers’ Performance Reviews

Microsoft is allegedly tying security efforts to the performance review of every employee.

The Verge reported that it had seen an internal memo from Microsoft’s Chief People Officer, Kathleen Hogan. In it, Hogan outlined that not producing substantial work focused on security could negatively impact every worker’s salary increases, promotions, and bonuses.

The Verge noted Hogan’s memo said:

“Everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else (…) Our new Security Core Priority reinforces our commitment to security and holds us accountable for building secure products and services.”

The tech giant previously announced that it was linking the fulfilment of security goals with executive compensation in an expansion of its Secure Future Initiative (SFI), first announced last November. This further extension of that policy to every employee seemingly intends to underscore its commitment to “making security (its) top priority, above all else”.

Security and diversity are now at the forefront of Microsoft’s strategic pillars. Both are integral components of the internal performance review process known as “Connect”. Connect is designed to be utilised by all staff, including execs who are also accountable for delivering on specific security objectives.

Microsoft employees will now be mandated to demonstrate their contribution to enhancing security measures. For those in technical roles, for example, this reportedly involves embedding security considerations into the early stages of product development, adhering to established security protocols, and ensuring that products are secure by default for customers.

“Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards,” an internal Microsoft FAQ on the new policy reportedly states. “It goes beyond compliance, as we are asking employees to prioritise security in all the work that they do and hold themselves accountable by capturing their impact for it whenever they complete a Connect.”

Microsoft’s Security Struggles

Microsoft has come under fire in recent years for its perceived lax security infrastructure.

The digital world is still reeling from last month’s global IT outage, which was traced to a faulty update from cybersecurity firm CrowdStrike. Because many Microsoft solutions were affected, the incident initially raised fears of a mass cyberattack targeting Microsoft, until the cause was confirmed to be CrowdStrike’s own update.

While Microsoft wasn’t to blame for the outage, it highlighted the world’s fragile dependence on many of its services at a time when bad actors’ attacks are becoming increasingly sophisticated.

However, there have been more alarming instances of attacks on Microsoft’s security.

In October, compromised Skype accounts were used to spread the DarkGate malware, and Microsoft Teams was also targeted. In November, Russian hackers penetrated Microsoft’s defences, gaining access to the email accounts of several senior leadership team members and stealing source code. The breach went unnoticed by Microsoft for nearly two months, with the intrusion only being discovered in January.

In April, the US Cyber Safety Review Board (CSRB) asserted that Microsoft should have been better equipped to prevent Chinese hackers from breaching US government emails through its Microsoft Exchange Online software during the Storm-0558 cyberattack in July 2023.

In response, Microsoft has committed to implementing the CSRB’s recommendations and has detailed a comprehensive set of security principles and objectives. By linking leadership compensation and worker performance to the achievement of these security goals, Microsoft underscores its dedication to enhancing its cybersecurity measures.

Meanwhile, in July, Malwarebytes released a report that exposed a “malvertising campaign” to steal passwords from Microsoft Teams for Mac users.

Hackers have been enticing Mac users to download a fake version of Microsoft Teams, which is actually the Atomic Stealer malware designed to steal passwords from Apple keychains and web browsers. Users encountered these fraudulent Microsoft Teams download sites through a compromised Google ad account in Hong Kong, enabling the hackers’ links to appear at the top of search results for the video conferencing and collaboration software.

from UC Today https://ift.tt/5jfdzBi