Improve end-user communication to avoid making the same mistakes over and over again

Engage with users in ways they understand, Microsoft security head advises as new Compliance Score tool monitors Office 365 information compliance

It may be a bridge too far to flag the arrival of a cybersecurity-focused version of Microsoft’s loathed ‘Clippy’ personal assistant, but Ann Johnson is nonetheless working hard to make cybersecurity best practices more accessible to everyday users.

As corporate vice president of Microsoft’s Security Compliance and Industry business unit, she is continually liaising with customers and partners – and collecting horror stories about the ways that poor security continues to create all kinds of problems.

Learnings from those incidents have long been translated into decisions around product design and new features – but Johnson, whose responsibilities include oversight of Microsoft’s cybersecurity efforts and its Detection and Response Team (DART), told CSO Australia that 80 percent of the cybersecurity incidents her analysts deal with are due to “the same types of things”.

“There are still too many exceptions,” she said, “and just way too much privilege” afforded to users who get and retain access well above what they need.

Low takeup of multi-factor authentication (MFA) had compounded the exposure of companies to vulnerabilities, leaving them with often sparse defences to ransomware attacks that have rapidly reached plague proportions – particularly amongst local governments in the US, where misplaced clicks brought down four cities in December alone.

“I fundamentally believe these organisations are doing their best” to protect themselves, Johnson said, “but there is such a high level of technical debt in these organisations, and they haven’t been well-funded and don’t have the assurance in their security programs. And bad actors know that.”

Many companies simply have no idea how exposed they are – something Microsoft has recently worked to address by giving its cloud-based Office 365 suite a formal Compliance Score utility (currently in preview) that helps monitor a company’s document and information usage with proactive evaluation of its level of protection.

The Compliance Score is mapped against specific compliance regimes including the government-mandated Information Security Manual (ISM), with capabilities up to PROTECTED level ensuring visibility and protection of even sensitive information.

This is combined with contextual analysis drawn from a growing body of cloud-based incident data – Microsoft deals with up to 1.5 billion security events a day, Johnson said – to produce recommendations around what companies can do to improve their compliance.

The compliance risk assessment “gives them actionable insights so they actually know what to consider implementing within Office 365 to be more protected and more compliant,” Johnson said, “and to improve their security all up.”

“Mapping back to common controls, regulations and standards means they can take one action to satisfy multiple regulatory requirements and scale their compliance program.”

Hitting cybercrime’s ROI

Compliance Score is the latest step in Microsoft’s heavy ongoing investment “in trying to raise the cost to the attackers,” Johnson explained.

“We make it very difficult for them to get in by automating response, but also by making sure that time to detection is really fast so we can detect and block them before they do harm in the environment.”

“We find that the more we raise the cost to the attacker, they are less incented to go after certain entities.”

Yet building an effective ransomware response had introduced other complexities, such as the “advantage being taken” by cyber insurance companies – which have been blamed for perpetuating cybercriminals’ interest in ransomware because of the high ransom payments customer premiums have facilitated.

“It’s a complex topic,” she says, “and I think as a vendor and an industry the one thing we can do is to help our customers be much more proactive in how they are building defences against a common attack like ransomware.”

End users, of course, form an important part of those defences – and Microsoft has been steadily working to stream cybersecurity-related prompts into the everyday user experience.

Yet while cloud-based security intelligence and delivery provided the opportunity to engage with users around new threats as they are discovered, Microsoft was also treading carefully to avoid interrupting users at the wrong time.

So while Microsoft Defender will continue to prompt users around endpoint security and Outlook might raise a yellow flag warning a user that an email may be malicious, we’re not quite at the point where we’ll see Clippy popping up onscreen to warn a user that they’re trying to click on a malicious URL.

“You will see us continue to improve the security posture of all the individual functionality that we bring to market,” Johnson said, “and how it interrelates and interacts with each of the other elements of the holistic platform.”

This needed to be wrapped in an accessible and engaging user experience, Johnson warned.

“I’m big about the language of cybersecurity becoming more simple so your average user can actually understand it,” she said, “and don’t think we are speaking to them about cybersecurity in some foreign tongue.”


Copyright © 2020 IDG Communications, Inc.
