Microsoft is ripping businesses off with expensive premiums on its most secure enterprise solutions, effectively holding them to ransom in exchange for getting the best possible protection, which isn’t always guaranteed.
This is the view of Richard Firth, CEO of software development firm MIP Holdings, who labelled Microsoft’s products as the largest vulnerability for cybercrime attacks on businesses.
“The vulnerabilities in various Microsoft products are the biggest source of cyberattacks worldwide,” Firth stated.
“Approximately 1.5 billion people use Windows operating systems every day, and the number of reported Microsoft vulnerabilities has risen a whopping 181% in the last five years.”
“In 2020 alone, 1,268 Microsoft vulnerabilities were discovered,” he added.
Firth said that many companies believe if they kept their Windows versions updated, they would be fully secure.
However, this was not the case, as many Windows security flaws don’t get patched.
“Several Microsoft issues may or may not receive a patch, and some are configuration issues that can’t be patched,” Firth stated.
Firth said that Microsoft offers a “secure version” of its products at an additional cost — likely referring to Office 365 E5 and Microsoft 365 E5, both of which include advanced security features with the subscription.
In MIP Holdings’ case, upgrading to the version of the Microsoft product they need with advanced security features would take the costs per employee from $20 to $57 per month.
“While many companies might see this as an investment in security, the fact that the secure version costs almost three times as much as the ‘normal’ version raises questions,” Firth stated.
On top of this, Firth said there was no guarantee that this version could keep out attackers.
“There isn’t a single product on the market that can do that — so additional tools will still be required,” he said.
“On GitHub, there is an entire ‘won’t fix’ list of security issues that Microsoft has either not yet patched, won’t patch, or are issues that need manual adjustment to fix.”
Firth said these factors led him to question whether Microsoft’s own secure solutions was any different from ransomware.
“Microsoft is charging almost triple for a product that will still require additional investment to secure, effectively taking advantage of their poor networking tooling to make extra money,” he stated.
Firth explained the problem was exacerbated by many businesses adopting a “Microsoft everything” strategy, with the company’s software being used throughout their architecture.
“Think about the ease by which a vulnerability can be spread throughout the organisation,” he said.
“This will increase the scope of a cyber-attack in the future, as cybercriminals continue to focus on the most widely used platform in the world.”
Firth explained that most vulnerabilities were found in Microsoft Exchange Servers, although all of the company’s products are being targeted by attackers.
“Checkpoint Research, for example, recently found four security vulnerabilities that affect products in the Microsoft Office suite, including Excel and Office online.”
“Rooted from legacy code, the vulnerabilities create the potential for an attacker to execute code on targets via malicious Office documents, such as Word, Excel and Outlook.”
Firth warned that cyberattacks would have a bigger impact on businesses and their customers in the future, highlighting the long-tail costs of a data breach that can extend for months to years.
“These costs include lost data, business disruption, revenue losses from system downtime, notification costs, fines associated with government regulations designed to deal with breaches of ’Protection of Personal Information’ or even damage to a brand’s reputation,” he explained.
He said companies that hold sensitive data or personally identifiable information are common targets for hackers and already invest heavily in security.
“Why should they pay extra for a secure version of the tools that their businesses use daily? Shouldn’t the secure version be the standard version?” Firth asked.