News, Trends, and Insights for IT & Managed Services Providers

Exchange under attack again as insurance weighs in on costs

Written by

Dave Sobel

Published on

October 3, 2022

It seems Monday mornings are for the security woes. Let’s cover all the news here.

The big headline – there’s another Exchange bug, and it’s being exploited in the wild. There’s also no patch as of this broadcast. There’s mitigation, and Microsoft says the exploitation of “ProxyNotShell” is limited.

In that context, Protocol has a piece about identity – because, as CEO of Okta Todd McKinnon observes, “all attacks become identity-based attacks.” “If you can get identity right, you’re protecting yourself from all attacks, at some level,” McKinnon said. “And the inverse is also true: If you get it wrong, you’re opening yourself up to all kinds of attacks.”

Quoting Protocol: “The adoption of an identity threat detection tool is worth considering, as is technology for helping to secure the use of unmanaged applications, or “shadow IT,” experts said. And more robust forms of authentication than the humble password can also go a long way.”

And while referencing both Microsoft and identity-based attacks, Microsoft CVP and CISO Bret Arsenault revealed last week that a Microsoft analysis shows a 60% increase in password-based attacks. Password attacks went from 600 per second last year to 920 in 2022. And in another blog post, the company warned that hackers are using open source software and bogus social media accounts to dupe software engineers and IT support staff with fake job offers that, in reality, lead to malware attacks.

All in all, small businesses are seriously underestimating the cost and recovery time – and the analysis comes from the insurance industry. A new Nationwide Agency Forward survey revealed that 40 percent of small business owners believe a cyberattack costs less than $1,000 and that 60 percent expect it to take less than 90 days to recover from an attack. However, Nationwide data confirms that attacks can cost businesses between $15,000-$25,000 and take an average of 279 days to recover.

Why do we care?

Well, a few takeaways. If your email is in the cloud, this Exchange problem isn’t your problem. Microsoft 365 customers can sit back and relax. Why, oh, why would you take this risk on yourself?

Identity solutions are a space to consider – I quipped recently that email’s lack of identity should be a precursor for it to be replaced, just like AM radio and standard-def TVs. That’s still true – although the actionable opportunity for providers is to ensure your customers have a robust identity solution and push that as far as possible, including physical keys.

Because, as the insurance data says, the costs of attack are so much higher than customers believe. 
