Microsoft Enhances Internal Cybersecurity Management and Training Programs
Microsoft Corp. has announced milestones in its multiyear Secure Future Initiative (SFI), a comprehensive security transformation effort aimed at embedding durable, automated, and phishing-resistant security at cloud scale. Launched in late 2023, the SFI involves around 34,000 engineers across 14 product divisions, supporting over 20,000 cloud services on 1.2 million Azure subscriptions [1][2].
The core objective of SFI is durable security at scale: not just shipping security fixes, but ensuring that the platform enforces them automatically, without constant manual intervention from engineers. One concrete example of progress is Microsoft's move to block legacy authentication protocols, which are often exploited in phishing attacks [1].
Microsoft has achieved a 92% adoption rate of phishing-resistant multifactor authentication among employee productivity accounts. Additionally, employee performance reviews are now linked to the adoption of security standards, fostering a security-first mindset among employees [3].
The SFI also aims to strengthen product development, threat detection, and corporate governance. Out of 28 objectives outlined in the SFI plan, Microsoft is near completion on five and has made significant progress on 11 [3]. A secure-by-design toolkit has been rolled out to 22,000 employees involved in product development [3].
The initiative has also made progress on cloud vulnerabilities. Microsoft now has a 73% success rate in addressing them within a reduced time-to-mitigate window, although the new time frame is not specified [3]. Over 6.3 million legacy tenants have been removed, with more than 550,000 removed since September 2024 [3].
The SFI was initiated after a China-linked threat group hacked into the Microsoft Exchange Online environments of at least 22 customers, resulting in the exfiltration of emails from top Microsoft executives and the theft of credentials from U.S. federal agencies [4]. The company has invested in holistic governance structures to address cybersecurity risk [3].
However, the initiative has not been without criticism. A 2024 report by the Cyber Safety Review Board condemned Microsoft for prioritizing speed to market and "cool" product features over secure development practices [4]. The report also criticized Microsoft over a separate attack by Midnight Blizzard, a Russia-backed threat group, which launched a password-spray attack against the company in 2023 [4].
In a blog post, Charlie Bell, executive vice president, security at Microsoft, wrote about the progress made by the SFI, emphasizing the initiative's commitment to building resilient systems that proactively apply fixes and maintain security standards over time [1]. The SFI continues to make strides in its ongoing efforts to improve platform security.
References: [1] Microsoft Tech Community. (2023). Securing the Future: A New Era of Security at Microsoft.
Cybersecurity measures have been implemented to strengthen financial transactions with the adoption of phishing-resistant multifactor authentication among Microsoft employee productivity accounts. The Secure Future Initiative (SFI) also aims to advance technology by fostering a secure-by-design mindset among employees involved in product development.