Author: Andy Miller

Microsoft Slows Updates

Microsoft has listened to corporate SaaS Windows 10 clients and slowed down the rate of patches and updates that it is sending out, thereby giving company admins more time to catch up.

What’s The Problem?

For many enterprise / corporate customers, two feature upgrades for Windows 10 a year is proving too much to keep up with, resulting in many admins now saying that they’ve barely got the time to deal with one upgrade before another one comes along, thereby leading to the temptation to skip every other update.

Those tasked with managing the updates also say that the updates themselves often create more bugs and problems, and that having to spend time managing these additional problems actually distracts and diverts resources away from the focus of the business, thereby creating an opportunity cost that is too high. Many companies also resent having to fit in with Microsoft’s schedule rather than their own.

Illustrated By Survey

The feelings of 1,100 company admins about the Windows 10 upgrade schedule are illustrated by the results of a survey conducted by Susan Bradley, who moderates the PatchManagement.org mailing list. The results show that 78% of those charged with servicing Windows for their firms said that Windows 10’s feature upgrades should be issued no more than once a year.

Only 11% of those surveyed said that they would prefer a twice-a-year release, and only 1% wanted more frequent upgrades than that.

What’s Been Happening?

Currently, the feature upgrades take place twice a year. This hasn’t always been the case, with four being envisioned but two being released in 2015, one upgrade (1607) being issued in 2016, and then a formal announcement by Microsoft that there would be a twice-yearly upgrade schedule. This meant that there were two in 2017 (1703 in April and 1709 in October), and there’s been one (1803) in April this year, with another one scheduled for October.

Also, Microsoft extended its support from 18 months to 24 months for Windows 10 Enterprise and Windows 10 Education, and then moved it back to 18 months again in April. This has caused problems for some customers with their patching schedule.

What Now?

It appears that Microsoft has listened to its customers and to the results of the survey, and Microsoft will now be taking some of the pressure off by offering companies 30 months (two and a half years) of support. This new, extended deadline will apply to Enterprise and Education editions of the Windows 10 OS and applies only to the Autumn/Fall release. The Spring update will stay at 18 months e.g. after Redstone 5 next month, this will be supported until Spring 2022.

However, for the 19U1 update six months later, it will only have 18 months support (until autumn 2021). In essence, this means that customers can now upgrade at least every two years, with six months to play with if necessary between updates. Home and Professional editions will continue an 18-month cycle.

Support For Windows 7 – For A Price

Microsoft has also listened to the fact that 40% of the world’s computers, mostly in corporate environments, are still running Windows 7. Even though it was initially thought that it would reach end of life (EOL) on 14th January 2020, Microsoft has announced that it will carry on supporting Windows 7 for users willing to pay.

What Does This Mean For Your Business?

Businesses have been telling Microsoft for the last two years that they have been struggling to keep up with the schedule of feature updates / upgrades that Microsoft has set, so it is good news that the tech giant appears to be listening to its customers by giving them a longer grace period. This latest move from Microsoft will also mean that many enterprise customers will not need to consider opting for LTSB i.e. receiving only security and hotfixes, and no new features for ten years.

It is also good news for many companies that have not yet made the upgrade to Windows 10 and are still running Windows 7 that they will at least have the prospect of extended support, even though (as may be expected) they will have to pay for it.

Microsoft Tests Pop-Up Warnings About Other Browsers

Microsoft has made the news again by appearing to flex its market muscle by testing pop-up warnings in Windows 10 that are triggered when users start to install rival Chrome or Firefox web browsers.

What Happens?

It’s been reported that when a user tries to install another, non-Microsoft browser on a computer running Windows 10, pop-up warnings are issued that remind the user that they already have Microsoft’s Edge browser installed, and that Edge is a “faster, safer” browser for the Windows 10 operating system.

Just A Test

Microsoft has been quick to point out that the pop-up warnings are just a test among a small number of specific users. According to Microsoft, the warnings were only tested with a group of users who are part of its “Insiders” initiative, and that the warnings didn’t stop any software being installed.

The tests are part of the lead-up to Microsoft’s Windows 10 October Update.

Browser Trouble In The Past

Microsoft is no stranger to landing itself in hot water over competition issues with its browser.

For example, way back in 1998, when competing browsers included Netscape Navigator, Microsoft was questioned by US regulators (with Bill Gates being forced to testify) over its bundling of Internet Explorer in Windows in a staggering 95% of Intel-compatible PCs.

Also, after receiving a record-breaking fine of nearly 900 million Euros from the EC for charging “unreasonable” royalty fees for matters relating to disclosing documentation allowing non-Microsoft servers to work with Windows computers and services, Microsoft was again punished in 2013. This time the European Commission slapped a 561 million euro fine on Microsoft for failing to comply with the Commission’s ruling that it had to allow users to more easily choose a preferred web browser.

Not The Most Popular

These days Microsoft’s Edge is a long way behind Chrome, Firefox and Safari in terms of browser market share, so it’s perhaps understandable that Microsoft is looking for different ways to compete and boost its share.

Google’s Chrome browser now has a massive 65.2% share of the browser market, and while this share rose 5.9 percentage points over the last year, Microsoft’s IE and Edge have seen falls in use in recent months.

What Does This Mean For Your Business?

Browser wars have been raging for years, and for business users, it’s simply a case of finding one that’s stable, secure, and offers plenty of useful features e.g. Chrome 69 looks set to offer extra protection in generating strong passwords.

Microsoft is finding itself in a very awkward spot as regards the popularity of its browsers, as requiring users to upgrade to the latest version of IE has effectively killed the still-popular IE8, IE9 and IE10, and has sent the browser into 74% decline. With the need to move customers to Windows 10, IE has become a legacy product that now receives security updates only. Edge, the big hope as users migrate to Windows 10, has so far not been able to claw share back, probably because IE and Edge now only account for around 17% of the browsers that run on Windows (Net Applications figures). It remains to be seen how Microsoft is able to boost the popularity of Edge in the short term against such strong competition as Chrome.

New Chrome 69 Creates Better Passwords, Among Other Features

Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.

Improved Password Manager

This latest version of Chrome has an improved password manager that is perhaps more fitting of the browser that is favoured by 60% of browser users, many of whom still rely upon using very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.

The updated password manager in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 will then store the password on a laptop or phone so that users don’t have to write it down or try and remember it (as long as they are using the same device).
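The character-class rules described above can be sketched as follows. This is an added example, not Chrome's code and not part of the original article: a generator drawing from the operating system's secure random source, plus a checker for the same rules. The function names, the default length of 15, the 12-character minimum and the symbol set are assumptions.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "-_.:!"  # assumed symbol set; each website defines its own

# The most common passwords of 2017, as listed in the article.
WEAK_EXAMPLES = ["123456", "password", "12345678", "qwerty"]


def required_classes(require_symbols=False):
    """Character classes that must each appear at least once."""
    classes = [LOWER, UPPER, DIGITS]
    if require_symbols:
        classes.append(SYMBOLS)
    return classes


def meets_policy(password, require_symbols=False, min_length=12):
    """True if the password is long enough and contains every required class.

    min_length is an assumed threshold, not a figure from the article.
    """
    if len(password) < min_length:
        return False
    return all(
        any(ch in cls for ch in password)
        for cls in required_classes(require_symbols)
    )


def generate_password(length=15, require_symbols=False):
    """Generate a password that satisfies the policy by construction."""
    classes = required_classes(require_symbols)
    if length < len(classes):
        raise ValueError("length is too short to include every required class")

    alphabet = "".join(classes)
    # Guarantee one character from each required class ...
    chars = [secrets.choice(cls) for cls in classes]
    # ... then fill the rest uniformly from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]

    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
    # characters do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    print("suggested:", generate_password())
    print("with symbols:", generate_password(require_symbols=True))
    for weak in WEAK_EXAMPLES:
        print(f"{weak!r} meets policy: {meets_policy(weak)}")
```

Calling `generate_password()` again returns a fresh suggestion each time, which mirrors the behaviour the article describes when a user clicks away from a suggestion.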

Other Features

Other new and improved features of Chrome 69 include:

Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers are saved in a user’s Google account and can be accessed directly from the Chrome toolbar, Chrome can make it much easier and faster to fill out online checkout forms.

Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows the answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website’s already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from your Google Drive directly in the Omnibox too.

CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.

Put The www. Back!

There was some controversy and protests from some Chrome users over the way that, in order to take account of the limited space on mobile screens, and for greater security (to stop confusion with phishing URLs), version 69 of Chrome has been made to no longer show the www. part of a URL (and the m. on mobiles) in the address bar. It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.

Other Criticism

Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with the AMP system and AMP cache, which benefit the advertising side of Google’s business.

What Does This Mean For Your Business?

The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.

Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.

The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.

Resurrecting An Old Android Phone Is Easier Than You Think

Many of us have an old Android phone somewhere in the house, doing nothing. Rather than leaving it there to add no value to your life and work, you may find that it’s much easier than you think to resurrect it.

Look Beyond The Launch

Even though your phone may have been the greatest and the fastest when it was launched, the passage of time doesn’t necessarily mean that it has become obsolete.

Performance issues can, of course, be exaggerated by age and resource limitations, but there are some steps you can take to clean up your old Android phone and bring it back into active service. These steps could include:

  • Freeing up storage space. Begin this process by backing up the media that you have on the phone. This can be done by opening Google Photos, selecting “Settings,” “Back up & sync” and activating the toggle that appears. This will allow you to back up your photos and images to the cloud. Get Google’s free Files Go app, open it, grant the app permission to access your phone’s storage, and from here you will be given suggestions for freeing up space on your device. For example, this can include removing junk and duplicate files, removing downloaded files and large files, and deleting the photos and videos (now that you have back-up copies).
  • Getting rid of unused apps. This is a good move on any phone anyway as a way to improve security. In the case of refreshing your phone, the Files Go app can show you which apps are unused and therefore suitable to uninstall. You can also regain more phone resources by clearing out your app clutter. For apps that came pre-installed (and can’t be uninstalled), look for a button to disable those apps.
  • Using ‘lite’ app alternatives. Using ‘lite’ versions of the apps that you’d still like to have on the old phone e.g. Facebook, Google Maps and Skype lite, can mean that you get plenty of basic functionality, but take up less phone resources.
  • Reducing background activity / check-ins by certain apps. This can make the phone run faster, and can reduce monthly bills.
  • Making sure your apps are up to date. Checking-in with Play Store and making sure you have the newest (lite) versions of apps on your old phone can prevent many of the problems caused by less optimized older versions.
  • Making sure the home screen is up to date and not slowing things down. You may want to use a third-party launcher e.g. the free Lawnchair Launcher.
  • Keeping the software animations to a minimum. This will involve accessing the system settings ‘Drawing’ section, but could help towards speeding your old Android phone up.
  • Trying a ‘factory reset’. This can make the phone run faster. Again, this is likely to involve accessing the ‘System’ section (after making sure everything important is backed-up).
  • Adding new, efficiency-enhancing apps.

What Does This Mean For Your Business?

A succession of updated models, the need (or, being convinced by marketing of the need) to constantly upgrade to the next best model, along with a throwaway society means that there is so much wastage when it comes to devices, especially mobile phone handsets. This is why many businesses have seized the opportunity of refurbishing and re-selling them e.g. smartfonestore.com, Second-hand Phones.Com, envirofone.com and more.

There’s no doubt that smart-phones have become an important part of our lives with 78% of all adults now owning one, and with each of us checking our phone once every 12 minutes on average during our waking hours (Ofcom). Web browsing and using chat and other apps (WhatsApp and Facebook Messenger) are now equally as important as actually being able to make a call, so as long as your re-conditioned / resurrected phone has the storage space, speed, and available resources to accommodate modern apps (lite versions), you could be saving yourself money and making life easier for yourself by bringing it back into use.

Tech Tip – Lockdown Your Wi-Fi

If you’re using Windows 10 and you want to make sure you’re not exposed to the security risks posed by insecure wireless networks, there is a quick and easy way you can protect your Wi-Fi connectivity. Here’s how:

Go to Settings.

Go to Network & Internet > Wi-Fi

Make sure that the ‘Connect to suggested open hotspots’ option is disabled, unless you connect through a virtual private network or VPN service.

Find Out What ‘Deep Fakes’ Are and Why They’re A Threat

Deep fakes are digitally manipulated videos that have been created using deep learning technology to make the subject of the video (often a famous person) say anything the video maker wants them to say, even incorporating the style and facial expressions of another person.

Example

An example here is a video that demonstrates the technique, and features a fake video of Barack Obama saying things that he would never normally (publicly) say. Example: https://www.youtube.com/watch?v=AmUC4m6w1wo

Improving Fast

The technique, which had its less than auspicious first uses in pornography, where porn actors were made to look and sound like famous people, has much improved and become arguably more convincing as deep learning and AI have led to more seamless and convincing results.

Style Transfer

The development of the technology used in deep fake videos has improved to the point where even a person’s style can be superimposed and incorporated. An example of this can be seen in videos created by researchers at Carnegie Mellon University, who have been able to use artificial intelligence technology to transfer the facial expressions of one person in a video to another.

See this example on YouTube: https://www.youtube.com/watch?v=ehD3C60i6lw where John Oliver is made to reflect the style of Stephen Colbert, a daffodil is made to bloom (time lapse) the same way as a hibiscus, and Barack Obama is given the same facial expressions and style as Dr Martin Luther King and President Donald Trump.

What’s The Danger?

The danger, according to US lawmakers and intelligence organisations, is that videos could be made by adversarial nation states and used as another tool in disinformation campaigns. For example, at key moments, politicians and other influential figures could be made to appear to make false and/or inflammatory statements that could be believed by less politically aware recipients. In short, these videos could be used to influence opinions e.g. at election-time, and could afford a foreign power a way to interfere that relies upon human error – the same thing that many successful cyber attacks have relied upon.

What Does This Mean For Your Business?

With the US Midterm elections on the way, with allegations of Russian interference and possible collusion still hanging over President Trump’s head, and with some evidence that Facebook was used by a foreign power to try to influence the last US election result, it is understandable that the US government is worried about any tools that could be used to interfere in their democratic process. This is one of the reasons why Microsoft has seized 6 phishing domains that allegedly belong to Russian government hackers, and has introduced a pilot AccountGuard secure email service for election candidates.

If the technology behind deep fake videos keeps improving, it is possible to see it being used as another tool in other types of cyber-crime.

There is, of course, an upside and some ways that deep fake technology can be used in a positive way. For example, deep fake could be used to help film-makers to reduce costs and speed up work, make humorous videos and advertisements, and even help in corporate training.

UK Government Guilty of Mass Surveillance Human Rights Breach

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points – firstly the regime for bulk interception of communications (under section 8(4) of RIPA), secondly the system for collecting communications data (under Chapter II of RIPA), and finally the intelligence sharing programme.

The UK government was found to breach the convention on the first 2 points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. Also, the court decided that bulk interception with tighter safeguards was permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

  • Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
  • The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
  • There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
  • There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that we now live in a country where in addition to CCTV surveillance, we have the right to surveillance set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Charter requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months, and also to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.

ICO Highlights Prevalence of GDPR Myths

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) request by law firm EMW yielded figures that showed that the number of complaints between 25th May and 3rd July 2018 rose to 6,281 versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. Another point that the ICO would like to make known is that the real norm of the work they do is simply audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do; how and when. This is why GDPR requires (via mandatory appointment under Article 37) organisations / companies to have a data protection officer (DPO) i.e. someone tasked with the responsibility and security leadership role to oversee data protection strategy and implementation, and to ensure proper compliance with GDPR requirements. Part of the responsibilities of a DPO is to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practices, and having a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to prevent unnecessary concerns, misunderstandings and mistaken beliefs prevailing within the company that could lead to other problems.

Only 32% of Emails Clean Enough To ‘Make It’

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that even though 9 out of 10 emails that are blocked by email security / anti-virus didn’t actually contain malware, 81% of the blocked emails were phishing attacks. This figure is double that of the previous 6 months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was even as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes delivering results in a second wave as well as the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and the study found that recipients were most likely to click on phishing emails when they promised money or threatened the loss of money. This highlights a classic human weakness that always provides hope to cyber-criminals, and the same criminals know that the most effective templates for phishing are the ones that cause a knee-jerk reaction in the recipient i.e. the alarming or urgent nature of the subject makes the recipient react without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that we can only really trust less than one third of emails being sent to businesses as being ‘clean’ enough and free enough of obvious criminal intent to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware protection in place on email programs, but phishing emails are able to get past this kind of protection, along with other methods such as impersonation attacks like CEO fraud. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility in place to be followed when emails relating to e.g. transfer of money (even to what appears to be the CEO) are concerned.

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there is no room for weak ‘human error’ links on the front line.

Microsoft Launches ‘AccountGuard’ Email Service For Election Candidates

A new kind of pilot secure email service called ‘AccountGuard’ has been launched by Microsoft, specifically for use by election candidates, and as one answer to the kind of interference that took place during the last US presidential election campaign.

Ready For The Midterm Elections

The new, free email service (which people must use Office 365 to register for) is an off-shoot of Microsoft’s ‘Defending Democracy’ Program. This program was launched in April with the aim of protecting campaigns from hacking, through increased cyber resilience measures, enhanced account monitoring and incident response capabilities.

The AccountGuard pilot has been launched in time for the US Midterm elections which are the general elections held in November every four years, around the midpoint of a president’s four-year term of office.

Who Can Use AccountGuard?

Microsoft says that its AccountGuard service can be used by all current candidates for federal, state and local office in the United States and their campaigns; the campaign organisations of all sitting members of Congress, national and state party committees, any technology vendors who primarily serve campaigns and committees, and some non-profit organisations and non-governmental organizations. Microsoft AccountGuard is offered free of charge and is full service, coming with free email and phone support.

Three Core Offerings

AccountGuard has three core offerings. These are:

  1. Unified threat detection and notification across accounts. This means providing notification about any cyber threats in a unified way across both email systems run by organisations and the personal accounts of these organizations’ leaders and staff who opt in. This part of the service will be available only for Microsoft services including Office 365, Outlook.com and Hotmail to begin with, and Microsoft says it will draw on the expertise of the Microsoft Threat Intelligence Center (MSTIC).
  2. Security guidance and ongoing education. Registering for Microsoft AccountGuard gives organisations best practice guidance and materials. These are in the form of off-the-shelf materials and in-depth live sessions.
  3. Early adopter opportunities. This means access to private previews of the kind of security features that are usually offered by Microsoft to large corporate and government account customers.

Similar To Google

Some commentators have highlighted similarities between the AccountGuard idea and Google’s Advanced Protection Program (APP), also launched this year, although APP is open to anyone, requires log in with hardware authentication keys, and locks out third-party app access.

What Does This Mean For Your Business?

When you think about it, what Microsoft appears to be admitting is that its everyday email programs are simply not secure enough to counter many of the threats that now look likely to come from other states when elections are underway. Microsoft’s other, non-political business customers who are also at risk from common cyber attacks e.g. phishing, may feel a little left out that they are apparently not being offered the same level of security.

Also, protecting democracy sounds like quite a grand aim for a service provider offering an email service. Microsoft does, however, accept that it can’t solve the threat to US democracy on its own and that it believes this will require technology companies, government, civil society, the academic community and researchers working together. Microsoft also acknowledges that AccountGuard is limited to protecting those using enterprise and consumer services, and that attacks can actually reach campaigns through a variety of other ways. Microsoft also appears to be hinting that it may be thinking of expanding AccountGuard to industry as well as government depending on how the pilot works.