Back in January 2021, Microsoft announced that its software, specifically the software running some Microsoft Exchange servers, had been hacked by a criminal group sponsored by the Chinese government. Further, the company said, everyone using the software was vulnerable until it was patched.
All over the world, organizations of all sizes, including small businesses, scrambled to upload patches and to figure out if they’d been infiltrated. Despite the efforts, some were still ensnared; at least 200 ransomware attacks were attributed to the hack, with some businesses losing millions as they paid the criminals.
The hack helped to highlight the vulnerability of the 32 million small businesses, many of which can’t afford to hire cybersecurity companies and that mostly rely on the built-in security features of software and hardware companies, giants like Google, Microsoft and Apple. Though the companies have made progress and the problem isn’t new, there are still vulnerabilities, especially in email and other software programs, including operating systems, that were designed long before the current rash of cybercrime and cyberespionage.
“(Society) is asking small businesses to go against nations, organized criminal groups and 16-year-olds in their basement,” says Rotem Iram, one of the founders of startup cyber insurance company At-Bay. “The technology stack they pay for continues to fail them, and the stack takes no responsibility.”
Iram, a former Israeli intelligence officer, says big software companies ought to make their programs better out-of-the-box to fend off attackers before they reach small and medium-sized businesses.
“Yes, defaults matter,” says Brian Krebs, who runs the cybersecurity website KrebsOnSecurity. “Defaults matter because so few users ever change the default settings, beyond perhaps a password.”
Each time big software companies have changed default settings or made blanket changes with cybersecurity in mind, he points out, cybercrime fell measurably.
“When the browser makers started adding warnings to websites that didn’t use SSL certificates, we saw a mass adoption of HTTPS:// across most websites in no time,” Krebs said.
Microsoft has particular power in a handful of markets where it has enormous market share, including enterprise email. Email, though an old technology, is still used in many ransomware and phishing attacks that start by someone clicking on a link or downloading software. Microsoft dominates the enterprise email/word processing market, with more than 86% of market share, according to technology research firm Gartner. Google has nearly 13%.
In the past, Microsoft has made changes including enabling automatic updates for the operating system, shipping an antivirus product built-in and enabling the firewall by default. “But it took many years for Microsoft to see the business case for doing this, and the security case for their users,” Krebs said.
Email’s ‘old age’ is a problem
Many of the issues with today’s technology stack stem from the fact that some parts of it were developed long before cybercriminals became such a problem. “Email is an ossified product,” said Mallory Knodel, chief technology officer of the Center for Democracy & Technology, a nonpartisan group that promotes digital rights. Some of its donors are big technology companies.
Instead of building in default security features to basic software, the big companies that dominate the space have generally left it up to the cybersecurity market to layer on security, which has resulted in huge growth at a new category of companies, like CrowdStrike and Mandiant, recently acquired by Alphabet.
But Knodel says adding more controls or filters to email, in particular, might raise digital privacy concerns. “I can see people saying, ‘I don’t want Google reading my emails.’”
In complex products, she added, new security measures can be counterproductive. “With layers of security, there can be tradeoffs and some can work at cross-purposes.”
“Microsoft takes email security very seriously,” said Girish Chander, head of Microsoft Defender for Office, in a statement to CNBC. He said the company’s strategy to combat email-borne attacks is built on three principles: research-informed product innovation, taking the fight to the attackers by taking down attack networks and focusing on helping organizations improve their posture and user resilience.
Each month, Microsoft Defender for Office 365 detects and blocks close to 40 million business email compromise, or BEC, emails, blocks 100 million emails with malicious credential-phishing links and detects and thwarts thousands of user-compromise activities.
The company’s data highlights how many attacks take place daily, worldwide, as well as the way the giant technology companies have also become players in cybersecurity. Google’s acquisition of Mandiant was priced at $5.4 billion. Microsoft is both the supplier of software, and the seller of services to protect it, through its Microsoft Defender for Office.
Attacks and cyber insurance premiums are increasing
Iram, who co-founded At-Bay in 2016, says he’s willing to take some heat for his criticism of Microsoft, including a phone call he says he received from Microsoft in response to his public criticism of the company. (Through its venture arm, Microsoft is also an investor in At-Bay.)
He pointed to the 18 years it took for Microsoft to change a default setting in Microsoft Excel, which, like email, is a program that has remained largely unchanged for years, to repel attackers. Hacks involving Microsoft products result in claims to At-Bay, which has 25,000 policies in force, more often than hacks involving Google, Iram said. Google includes some protections against scammers that Microsoft does not, he said, including a big red-flag warning about opening emails from, or sending emails to, people outside your network.
But cybersecurity experts say changing defaults to more secure settings can irritate customers and result in a backlash.
In response to a question from CNBC about the Excel macros, Microsoft pointed to a blog post from February of this year where it wrote about making the security change a default setting. It temporarily rolled back the change in response to user complaints.
At-Bay is one of a number of cyber insurers that are seeing the pressures on their businesses increase as the number of attacks increases. In the worst case, insurers are warning that cybersecurity may become “uninsurable,” even compared to climate change and pandemics.
At-Bay has gross written premiums of $350 million on an annualized basis, has raised $292 million and has a $1.35 billion valuation, according to the company. Like others in the industry, At-Bay more than doubled its premiums last year as the number of data breaches and ransomware attacks increased. One of its selling points — like those of a handful of other cyber insurers, such as Embroker and Coalition — is that its insurance comes with active risk monitoring.
In the past three to five years, some cybersecurity companies focusing on the small business market, including Huntress and SolCyber, have launched, but they typically reach businesses with at least 10 employees. Most small businesses are smaller than that: about 23 million of the country’s 32 million small businesses have only one employee, the owner, though many may have regular contractors and thus the same security concerns.
An FBI expert on cybersecurity recently told CNBC that the vast majority of the victims behind the billions of dollars lost to cyberattacks tracked by the FBI in 2021 were small businesses.
“A small business encountering this kind of attack does not have the means (monetarily or technologically) to retaliate or absorb the cost,” said Jonas Edgeworth, the CTO of Embroker, by email.
How car safety can inform online security regulation
The concerns go beyond small businesses. In a highly networked society, vulnerabilities in one company, even the tiniest ones, can leap to another. In the case of the large Microsoft Exchange breach, an NPR investigation concluded that Chinese hackers were targeting U.S. companies as part of an effort to gather data on American consumers, for an unknown purpose.
As attacks become more common against small and medium-sized businesses that don’t have the resources to guard against or recover from attacks, government regulators may have to step in, Iram said.
He likened the current situation to the long and steady road that gradually made cars safer, as insurance companies, manufacturers and the federal government changed the norms for which safety features were included in the vehicles.
“Imagine if you bought a car that wasn’t safe, and the manufacturer said you should have downloaded it and patched it yourself,” he said. “Now imagine there are 50 parts. And now you need to hire a full-time mechanic to maintain it. … That’s what we’re asking small businesses to do.”
That’s an example that CISA director Jen Easterly also recently used in an interview with CNBC’s “Tech Check.”
“We get caught up in calling it cybersecurity, but it really is a matter of cyber safety, consumer safety,” Easterly said. “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she said. “You can think about it like automotive. … That’s what we need as consumers to be demanding from our tech. … We’ve somehow normalized the fact that we’ve accepted that technology software and products come with dozens, hundreds, thousands of flaws and defects, and normalized the fact that places the burden of cyber safety on consumers, who are least able to understand the threat.”
Iram highlighted three areas where technology exists to increase security, but is not the default.
- Requiring business software to have multi-factor authentication on sign-ins. Currently, the federal government has moved to regulate sign-ins only at finance companies and critical infrastructure firms.
- Updating email software default settings. For example, automatically scanning for wire transfer attacks and automatically checking the reputation or history of the sending email address.
- Forcing vendors to fix problems more quickly; he cited the Microsoft Excel issue lingering for 18 years as an example.
But among Iram’s own backers, there is wariness about his criticisms of the tech giants. Shlomo Kramer, the founder of Check Point Software and a seed investor in At-Bay as well as many other cybersecurity companies, is cautious about his investee’s attacks on Microsoft. “You should buy from companies you trust,” he said. “Many international companies you should trust,” Kramer said.
The U.S. government has so far taken a cautious approach: a spokeswoman for the U.S. Cybersecurity and Infrastructure Security Agency said it doesn’t regulate small business software, instead pointing to a blog post with guidance aimed at helping businesses large enough to have a security program manager and an IT lead.
The National Institute of Standards and Technology has issued a complex framework for what businesses should do, voluntarily, to protect themselves from cybercriminals. It calls for encryption and controlling logins, which likely would be challenging for a small business in an industry with high turnover, such as retail, or one with only a few employees, many of them working remotely on their own computers.
“As a company, we continue to be more focused on adapting to regulation than fighting against it and look for ways to proactively meet heightened expectations,” said a Microsoft spokesperson by email.