Security

Microsoft Prepares for GDPR and Builds for Security at Scale

It’s a mad, data-thieving world, and Microsoft is trying to safeguard corporate data by asking the right questions and developing creative answers.

Ann Longmore-Etheridge

Ann is the managing editor of BizTech magazine. Prior to working on BizTech, she spent more than two decades as a journalist at Security Management magazine writing about issues such as cybersecurity, physical security, terrorism, hacking, and new technology.

Unlike Las Vegas, what happens in Europe won’t necessarily stay in Europe.

On May 25, 2018, the European General Data Protection Regulation will go into effect, and companies not in compliance could potentially be hit with litigation and heavy fines. This week in Orlando at Microsoft Envision (the counterpart to Microsoft Ignite), Brad Smith, Microsoft’s president and chief legal officer, said that while GDPR will increase privacy for the people of Europe, the regulation’s impact will be felt worldwide.

“If you have customers in Europe, this matters to you,” Smith explained. “If you have ever heard of Europe, this matters to you.”

At Microsoft, GDPR compliance has been a focus for several years. More than 300 engineers are devoted to making sure that the data privacy architecture is strong enough to meet the regulation. Equally important, GDPR compliance must be correctly documented. But while GDPR is of major importance to the entire tech industry, Smith added, “there can be no privacy without security. Companies can work all day creating the documentation of compliance and then, at night, have someone get in and steal all the data.”

Microsoft’s goal is to integrate security at scale, said Smith. The company has started by engineering a secure platform, but it is also trying to establish effective working relationships with partners and will prod the U.S. and other governments to enact stronger corporate policies.

Teaching People Not to Get Phished

The unfortunate truth is that 90 percent of all security attacks start through phishing.

“Every company has at least one employee who will click on anything. Part of what the security challenge involves is protecting people from themselves,” Smith said.

Microsoft’s strategy is to infuse applications like Office 365 with intelligence-based monitoring so that, for example, when “your employees sign in to your network, we’re able to detect if it is from a device they have never used before, or if the login is originating in a country from where they have never previously accessed your network — that, together with multifactor authentication, will be built in to all our services,” he said.

For example, “We have deployed in Office 365 the kind of controls that will recognize a Social Security number in a Word document, even if the words ‘Social Security’ are nowhere in it, and automatically protect that data so that it can’t be readily emailed to someone else.”

Office 365 also has beefed up phishing protection by increasing scrutiny on incoming emails and sending warnings to users not to click on links that will take them to unwise destinations.

Microsoft Is Deep in the Security Trenches

Microsoft’s data centers around the world receive information from more than a trillion data points every day, as well as more than 400 billion monthly emails, that help identify new malware threats as they appear, said Smith. There are now more than 3,500 security professionals working at Microsoft to combat attacks in a threat intelligence center where data is analyzed, a cyberdefense center so that warnings can be issued to customers about these threats and a digital crime unit that works with law enforcement agencies.

When attacks, breaches and other cybercrimes occur, the victims often prefer not to help authorities bring the perpetrators to justice, but choose instead to keep their heads down. Microsoft wants to change that. “If we all remain silent and we all fail to act, then we collectively sentence ourselves to a permanent state of watching the problem get worse and worse,” Smith said.

Security is a team sport that everyone in the business needs to play together and where prevention is celebrated, he added: “We’re now fighting weapons that can be stored on a thumb drive, but that can destroy computers around the world.”

WannaCry, for example, attacked hospitals, which means the hack literally put people’s lives at risk. For this reason, Microsoft advocates a Digital Geneva Convention to bring the tech companies of the world together to “commit 100 percent to playing defense and zero percent to playing offense, and to pledge to help every customer everywhere, every time.”

5 Security Questions Every Small Business Should Ask

Small businesses may find it particularly challenging to address cybersecurity because they often lack the budget and in-house expertise of larger organizations. Microsoft President Brad Smith suggested that SMBs ask these questions:

1. Have we enabled multifactor authentication? If so, who can grant exceptions to these rules, and how many exceptions have been granted?

2. What is our practice for updating and patching systems? How frequently do we update our computers to take advantage of new security tools?

3. What do we have in our network that would be most interesting to a criminal? How do we manage access to the portions of the network where this information lives?

4. Do we whitelist applications that have gone through a security review? If an employee downloads an application, how do they do it? Can they bring in other things with it?

5. Are we monitoring the health of the devices our employees bring to work? Do we scan the devices to determine if there is malware on them?

Read more articles from BizTech coverage of Microsoft Ignite 2017 here.

peterhowell/Getty Images