Microsoft disclosed in January that it had suffered a hack of executive emails by a Russian state-sponsored threat group. In the months since then, it has been subjected to an embarrassing cascade of additional discoveries and disclosures about the scope of the attackers' efforts. It now appears that both customer information and Microsoft code have been jeopardized, and possibly acquired, by the hackers. The company has come in for rebuke from the federal government for its lax security posture and its failure to prevent ongoing issues.
Why It Matters
It's never good to anger customers by appearing laissez-faire in response to a security problem. Having to disclose ongoing problems puts a company in an especially bad position. For a supplier like Microsoft, whose products operate on devices and networks spanning much of the globe, this isn't likely to result in much loss of sales. These kinds of issues are more likely to create a lack of trust, and an ongoing drag on operations, for the supplier. Failing to correct a known problem can invite ongoing regulatory scrutiny, investigations, forced cooperation with regulators, audit requirements from customers, and similar hand-holding and babysitting measures designed to let customers and regulators assure themselves that the supplier's environment and products remain secure.
Falling victim to an attack can happen to literally any company. Failing to address it and prevent recurrences, thoroughly and convincingly, can undermine customer and regulator confidence for a long time. For smaller companies than Microsoft, this translates directly to the bottom line in the form of cancelled contracts. Regardless of the impact on sales, failing to correct known issues creates a massive breach of trust that can result in ongoing requirements to prove that upgrades and improvements are working.