Microsoft reveals plan to improve internal cybersecurity 

On May 3, 2024, Microsoft outlined the major points of its plan to improve cybersecurity practices, the “Secure Future Initiative” (SFI), launched internally in November 2023. The company recently dealt with several large-scale hacks that had serious strategic consequences. In the summer of 2023, an espionage campaign against the Exchange messaging service thus compromised the email inboxes of several senior US officials.

In April 2024, the Cyber Safety Review Board (CSRB), a government committee under the United States Department of Homeland Security, published a report of the incident. It maintains the attack was “avoidable”, and the result of an “inadequate corporate culture” in terms of cybersecurity. 

To fix this, the SFI will rely on three “principles” and six “pillars”. The three principles are

• cybersecurity by design for all products and services 
• default implementation of security safeguards, in all cases 
• ongoing improvement of security controls and monitoring 

To comply with these principles, the company plans on: 

• fully securing identities and access points 
• protecting Microsoft product source code from all intrusions 
• strengthening network protection 
• better identifying vulnerabilities in infrastructure and production services 
• enabling detailed identification of past and present intrusions
• reviewing mitigation and remedial measures, deemed deficient

“When faced with a choice between security and another priority, the answer is straightforward: go for security. In some cases, this means prioritizing security over other strategic options, such as the release of new features or providing uninterrupted support for existing systems,” explains Satya Nadella, CEO of Microsoft, in a memo to employees.