Interview: Microsoft’s Mary Jo Schrade on how businesses can thwart cybersecurity challenges

Jan 7, 2023

While the last two years of the pandemic have accelerated the adoption of digital technologies globally, it has also brought forth a new host of cybersecurity issues. Reports of ransomware attacks, data thefts, phishing attempts, etc, have showcased how vulnerable companies and users are to these threats. The most recent spate of high-profile attacks was reported in March this year, carried out by the Lapsus$ group, which managed to infiltrate the network systems of several top companies, from Nvidia to Samsung to Microsoft.

So what are the best digital practices that enterprises can adopt to keep themselves secure in today’s times? Mary Jo Schrade, Assistant General Counsel and Regional Lead at the Microsoft Digital Crimes Unit Asia spoke to about the issues related to the cybersecurity domain and best practices on staying safe. Edited excerpts from the interview:

Q) What are the key challenges that enterprises are facing in the post-Covid world?

MJ: The pandemic accelerated the move to allowing remote work. IT departments are now required to not just manage their own infrastructure, but also other things. For example, if you are accessing your work email on your cell phone, and it is not managed by them, then that’s a risk. Even something as simple as the router that you use at home can present a risk to your company if you don’t update the firmware in the router when the updates are available. Or if you don’t change the access password that might have initially such as 1234 to a more secure one. You then create vulnerabilities in your home when you’re accessing your employer’s network.

There are just multiple complexities that companies have to deal with today. Even though bigger enterprises have a larger staff to handle these issues, still, the complexity has just grown so much that it’s very difficult to manage. And small businesses and medium businesses have an even more challenging time when they don’t have their own staff to deal with these issues.

Q) We’ve heard a lot about ransomware being used against organisations with attackers stealing data and often wiping it clean. Can you elaborate on the scale of these issues and how can companies defend themselves?

MJ: We’ve seen an increase in the number of attacks and the size and sophistication of the attacks. This remote work has basically opened more entry points for attackers. Sometimes these incidents have gone on for an extended period of time before the company becomes aware that someone has infiltrated their systems.

We’re seeing people engage in supply chain attacks where they go to a vendor of a company and leverage the fact that they might not be as strongly protected as the main company.

Microsoft, Microsoft cybersecurity, Microsoft Lapsus$ attacks Mary Jo Schrade, Assistant General Counsel and Regional Lead at the Microsoft Digital Crimes Unit Asia. (Image via Microsoft)

But what is fundamental — regardless of the types of attacks — is that companies put in place multi-factor authentication for their business and for everybody in their business. You only allow what is called ‘least privileged access’. What it means is that if you as an employee want access to your employer’s data, each time that’s evaluated individually.

You make sure that everyone uses multi-factor authentication, and that you use it in ways that are the most trustworthy. For example, you may have heard about criminals using SIM swapping from people’s cell phones as a way to basically engage in multi-factor authentication on behalf of the target. If you use different types of multi-factor authentication, and there are lots of options, including facial recognition, layering of information, such as your location, and other factors, you could really have an effective way to protect yourself.

The criminals are better, but the ways of protecting ourselves are better too, and they’re very effective.

Q) So what exactly does it mean when you say multi-factor authentication and why does it have an edge over say the traditional two-factor authentication?

MJ: Two-factor authentication on a phone can protect but it also can be circumvented by SIM swapping. For example, a cybercriminal gets the number changed over to their phone by misleading the help desk at a cell phone company or something like that.

But if you have other factors in place, including the location of the computer that’s trying to connect, it can be solved on multi factor authentication. Also, look at any other anomalies in terms of the device itself and how the device presents itself on your system. And sometimes it’s why when you have a new device, you might find it hard at first to access some of the sites you normally access because they don’t trust your device.

It’s those layering of security modes that are ultimately impactful and protecting. So Windows Hello that we use where it’s a Facial Recognition thing. If you have that in addition to something else in addition to the phone or to the device, the health of the device, those things can also be used in order to have multiple factors of authentication.

Q) In the context of the Lapsus$ attacks, there were reports that they used inside help to break into some of the networks. So what are the learnings for organisations in such scenarios?

MJ: You’re right, they did get credentials apparently through either vendors or otherwise that they were advertising. That would be a good example of where they might be able to circumvent multi-factor authentication through a cooperating person.

Again least privileged access would be what will protect you because you wouldn’t allow everybody to have access to everything. And that way, it would be very hard for them to come in through an insider threat and then move around across your network because the individual who was cooperating with them would not have that access.

Q) How does moving to the cloud help protect businesses better?

MJ: One reason for the move to the cloud is the protection that it provides. And that’s especially key for small businesses. If you can’t have your own staff, at least if you move to the cloud, you’re sort of outsourcing a big part of what your staff would do by the cloud protecting you and looking for anomalies and flagging things.

India has a lot of small and medium-sized businesses, and this can be their way of trying to deal with all these challenges when they themselves are not experts. So they are moving to the cloud to allow them to have the protections of a company that’s looking at billions of these signals. For instance, at Microsoft, we’re looking at signals that are being interpreted through machine learning and AI and have 8500 security people just working on cybersecurity.

What we’re starting to see is that people who have kept their systems on-premises realise that they are more at risk because they don’t have those automatic updates that are coming through, etc.

Q) There have also been reports of hackers accessing source code for products, including for some at Microsoft as in the recent Lapsus$ attacks. How serious of a risk does that pose?

MJ: In this case that they had access to our source code, there was one vendor account that was apparently compromised. And you can imagine what the source code must look like? It is millions of lines of code. Each product has its own source code. And so if someone were to get access to source code that alone doesn’t allow them to do anything to compromise.

Microsoft recognises that we can’t rely on the secrecy of source code as being the way we protect our customers. The reality is that even if you did have access to a company’s source code for a particular piece of product, the company would know what you had and they would make the changes necessary to remove any gained advantage.

I also don’t think that this is something that is going to be as impactful to people as putting in place multi factor authentication and protecting your business by being in the cloud. Those are the things that people should be thinking most about. Educate your employees about threats, put in place multi factor authentication, etc. Nothing else will matter as long as you stick with the principles and you do your updates and patches in a timely way.

Related Posts