After searing Cyber Safety Review Board report, Microsoft tells employees that security comes first

Microsoft sent employees a note telling them to prioritise security, calling it “job number one” after a harsh CSRB report in March

May 04, 2024 08:50 am | Updated 08:50 am IST

Microsoft committed to making its work secure by design, secure by default, and secure in operations [File] | Photo Credit: REUTERS

Microsoft is telling its employees that security is “job number one” and will become the company’s “top priority,” with the direction coming after a Cyber Safety Review Board report strongly criticised Microsoft’s security operations over the Storm-0558 cloud breach.

In a blog post authored by Charlie Bell, Executive Vice President at Microsoft Security, the company acknowledged threats from the Storm-0558 cyberattack last year and the Midnight Blizzard attack it later reported in January, though it avoided directly mentioning what the board called its “failures.”

Microsoft committed to making its work secure by design, secure by default, and secure in operations going forward, and said its principles aligned with the federal board’s own security recommendations.

“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems,” said Microsoft chief Satya Nadella in a memo to employees, The Verge reported.

In the official blog post shared on its website, Microsoft said it would take steps to protect identities and secrets, protect tenants and isolate production systems, protect networks and engineering systems, monitor and detect threats, and accelerate response and remediation.

Microsoft also said it had so far removed 7,30,000 apps across production and corporate tenants that were out-of-lifecycle or not meeting current SFI standards.

The Cyber Safety Review Board report looked into the Storm-0558 hacking group associated with the Chinese regime, and the way it accessed the official email accounts of senior U.S. government officials.

“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” said the CSRB report in March.

It added that Microsoft teams should deprioritise feature developments for cloud and product suites until “substantial security improvements” had been made, a blow to the reputation of the tech giant known for its legacy systems as well as its recent advancements in generative AI.
