Microsoft — Yep, You Read That Right, Microsoft — Just Got Hit With a Successful Cyber Attack! What Does this Mean for Your Company?

“There is no such thing as ‘secure’ when it comes to cybersecurity.”

“The odds in cybersecurity are impossible — those defending have to get it right 100% of the time and those attacking only need one lucky shot.”

These are a few of the sayings that I have used throughout the years when trying to set realistic expectations for companies when it comes to cybersecurity. Because we can’t obtain perfection — i.e., a guarantee of “secure” — we have to strive for reasonableness, which leads to another of my favorite sayings: “Reasonable cybersecurity is a process, it is not a definition.” There are many reasons why it is a process, which go beyond the scope of this quick post, but you are probably wondering what all of this has to do with Microsoft anyway, right?

Well, in case you did not know this, Microsoft makes the computer operating systems that make all of this computer stuff “go.” Microsoft quite possibly knows more about computers — especially Windows-based computers — and how to secure them — than anyone else on the whole freaking planet. Think about that. Microsoft. Hackers (purportedly the same state-sponsored ones that hit SolarWinds) just successfully scored on what may be the most dominant defense anywhere — Microsoft. (Microsoft ‘senior leadership’ emails accessed by Russian SolarWinds hackers)

Now, do you want to know what the really crazy part of all of this is?

When the regulators and the plaintiffs’ attorneys bring their cases against Microsoft, can you guess what they are going to say? This is what they are going to say (because this is what they say in every case):

  • Microsoft failed to properly secure and safeguard its network.
  • Microsoft maintained its network in a negligent manner.
  • The risk to sensitive personal information on its network was a known risk, and Microsoft failed to take appropriate protective measures to protect against that risk.

I have another favorite saying for companies: “In today’s environment, every company has substantial cyber risk and every company needs cyber insurance. Period.” (2 Critical Cyber Insurance Issues All Companies Must Consider Now, Before an Incident!)

Your company is similar to even Microsoft in one regard: you both have cyber risk.

But there is another regard in which your company may not be quite so similar: Microsoft probably has cyber insurance but, even if it didn’t, it could afford to defend against and pay the consequences of the legal actions it will face — can your company?

2024.04.03 UPDATE: Microsoft Faulted for ‘Inadequate’ Cyber Practices in Report 

2024.03.11 UPDATE: Russian Hackers Are Weaponizing Stolen Microsoft Passwords

2024.01.16 UPDATE: Hewlett Packard Enterprise (HPE) Suffers Breach, Persistent Access by Russia-Sponsored Hackers

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
